ci: build distroless images
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
This commit is contained in:
Mark Sagi-Kazar
parent
6038af5044
commit
8b2ce6252d
2 changed files with 31 additions and 5 deletions
32
.github/workflows/artifacts.yaml
vendored
32
.github/workflows/artifacts.yaml
vendored
|
|
@ -18,6 +18,9 @@ jobs:
|
|||
- linux/amd64
|
||||
- linux/arm/v7
|
||||
- linux/arm64
|
||||
variant:
|
||||
- alpine
|
||||
- distroless
|
||||
outputs:
|
||||
version: ${{ steps.details.outputs.version }}
|
||||
|
||||
|
|
@ -37,12 +40,17 @@ jobs:
|
|||
*) VERSION=sha-${GITHUB_SHA::8};;
|
||||
esac
|
||||
|
||||
VERSION_SUFFIX=""
|
||||
if [[ "${{ matrix.variant }}" != "alpine" ]]; then
|
||||
VERSION_SUFFIX="-${{ matrix.variant }}"
|
||||
fi
|
||||
|
||||
TAGS=()
|
||||
for image in $CONTAINER_IMAGES; do
|
||||
TAGS+=("${image}:${VERSION}")
|
||||
TAGS+=("${image}:${VERSION}${VERSION_SUFFIX}")
|
||||
|
||||
if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then
|
||||
TAGS+=("${image}:latest")
|
||||
TAGS+=("${image}:latest${VERSION_SUFFIX}")
|
||||
fi
|
||||
done
|
||||
|
||||
|
|
@ -84,6 +92,7 @@ jobs:
|
|||
push: ${{ github.event_name == 'push' }}
|
||||
tags: ${{ steps.details.outputs.tags }}
|
||||
build-args: |
|
||||
BASE_IMAGE=${{ matrix.variant }}
|
||||
VERSION=${{ steps.details.outputs.version }}
|
||||
COMMIT_HASH=${{ steps.details.outputs.commit_hash }}
|
||||
BUILD_DATE=${{ steps.details.outputs.build_date }}
|
||||
|
|
@ -103,12 +112,29 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
needs: container-images
|
||||
if: github.event_name == 'push'
|
||||
strategy:
|
||||
matrix:
|
||||
variant:
|
||||
- alpine
|
||||
- distroless
|
||||
|
||||
steps:
|
||||
# Workaround for lack of matrix output support
|
||||
- name: Calculate container image details
|
||||
id: details
|
||||
run: |
|
||||
VERSION="${{ needs.container-images.outputs.version }}"
|
||||
|
||||
if [[ "${{ matrix.variant }}" != "alpine" ]]; then
|
||||
VERSION="${VERSION}-${{ matrix.variant }}"
|
||||
fi
|
||||
|
||||
echo ::set-output name=version::${VERSION}
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.2.4
|
||||
with:
|
||||
image-ref: "ghcr.io/dexidp/dex:${{ needs.container-images.outputs.version }}"
|
||||
image-ref: "ghcr.io/dexidp/dex:${{ steps.details.outputs.version }}"
|
||||
format: "sarif"
|
||||
output: "trivy-results.sarif"
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
ARG BASEIMAGE=alpine
|
||||
ARG BASE_IMAGE=alpine
|
||||
|
||||
FROM golang:1.17.8-alpine3.14 AS builder
|
||||
|
||||
|
|
@ -44,7 +44,7 @@ RUN wget -O /usr/local/bin/gomplate \
|
|||
FROM alpine:3.15.4 AS alpine
|
||||
FROM gcr.io/distroless/static:latest AS distroless
|
||||
|
||||
FROM $BASEIMAGE
|
||||
FROM $BASE_IMAGE
|
||||
|
||||
# Dex connectors, such as GitHub and Google logins require root certificates.
|
||||
# Proper installations should manage those certificates, but it's a bad user
|
||||
|
|
|
|||
Reference in a new issue