Merge pull request #2478 from dexidp/distroless
Publish official distroless images
commit
c8ff7ed40a
3 changed files with 39 additions and 10 deletions
32
.github/workflows/artifacts.yaml
@ -18,6 +18,9 @@ jobs:
- linux/amd64
- linux/arm/v7
- linux/arm64
variant:
- alpine
- distroless
outputs:
version: ${{ steps.details.outputs.version }}
@ -37,12 +40,17 @@ jobs:
*) VERSION=sha-${GITHUB_SHA::8};;
esac
VERSION_SUFFIX=""
if [[ "${{ matrix.variant }}" != "alpine" ]]; then
VERSION_SUFFIX="-${{ matrix.variant }}"
fi
TAGS=()
for image in $CONTAINER_IMAGES; do
TAGS+=("${image}:${VERSION}")
TAGS+=("${image}:${VERSION}${VERSION_SUFFIX}")
if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then
TAGS+=("${image}:latest")
TAGS+=("${image}:latest${VERSION_SUFFIX}")
fi
done
@ -84,6 +92,7 @@ jobs:
push: ${{ github.event_name == 'push' }}
tags: ${{ steps.details.outputs.tags }}
build-args: |
BASE_IMAGE=${{ matrix.variant }}
VERSION=${{ steps.details.outputs.version }}
COMMIT_HASH=${{ steps.details.outputs.commit_hash }}
BUILD_DATE=${{ steps.details.outputs.build_date }}
@ -103,12 +112,29 @@ jobs:
runs-on: ubuntu-latest
needs: container-images
if: github.event_name == 'push'
strategy:
matrix:
variant:
- alpine
- distroless
steps:
# Workaround for lack of matrix output support
- name: Calculate container image details
id: details
run: |
VERSION="${{ needs.container-images.outputs.version }}"
if [[ "${{ matrix.variant }}" != "alpine" ]]; then
VERSION="${VERSION}-${{ matrix.variant }}"
fi
echo ::set-output name=version::${VERSION}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.2.4
with:
image-ref: "ghcr.io/dexidp/dex:${{ needs.container-images.outputs.version }}"
image-ref: "ghcr.io/dexidp/dex:${{ steps.details.outputs.version }}"
format: "sarif"
output: "trivy-results.sarif"
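Review bot: The new `run:` scripts splice workflow expressions directly into shell text, at the `if [[ "${{ matrix.variant }}" != "alpine" ]]` / `VERSION_SUFFIX="-${{ matrix.variant }}"` lines in the tag-computation step and again in the scan job's `details` step. With these literal matrix values that is harmless, but the pattern is only safe for as long as every interpolated value stays shell-safe, and the pre-existing `${{ github.event.repository.default_branch }}` comparison in the tag loop follows the same shape. The usual hardening is to hand such values to the script through `env:` and reference them as shell variables, e.g. `env:` with `VARIANT: ${{ matrix.variant }}` on the step and `if [[ "$VARIANT" != "alpine" ]]; then`, so the expression result is data rather than code. Separately, the added `echo ::set-output name=version::${VERSION}` uses the workflow-command form that GitHub has since deprecated in favour of `echo "version=${VERSION}" >> "$GITHUB_OUTPUT"`. Both `run:` blocks continue outside the visible hunks, so the `set-output` line of the first step is not shown here.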
10
.github/workflows/docker.yaml
@ -1,11 +1,11 @@
name: Docker
on:
push:
branches:
- master
tags:
- v[0-9]+.[0-9]+.[0-9]+
# push:
# branches:
# - master
# tags:
# - v[0-9]+.[0-9]+.[0-9]+
pull_request:
jobs:
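Review bot: The `push:` trigger is commented out rather than removed, and nothing in the file records why, so a reader of `on:` now sees five `#` lines followed by a lone `pull_request:` and has to reconstruct from the PR title that image publishing presumably moved to artifacts.yaml. Either delete the commented block or replace it with a single explanatory line such as `# Pushes are built and published by artifacts.yaml; this workflow only validates pull requests.`. The `on:` mapping and the `jobs:` section continue outside the hunk.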
@ -1,4 +1,4 @@
ARG BASEIMAGE=alpine:3.15.4
ARG BASE_IMAGE=alpine
FROM golang:1.17.8-alpine3.14 AS builder
@ -40,8 +40,11 @@ RUN wget -O /usr/local/bin/gomplate \
"https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \
&& chmod +x /usr/local/bin/gomplate
# For Dependabot to detect base image versions
FROM alpine:3.15.4 AS alpine
FROM gcr.io/distroless/static:latest AS distroless
FROM $BASEIMAGE
FROM $BASE_IMAGE
# Dex connectors, such as GitHub and Google logins require root certificates.
# Proper installations should manage those certificates, but it's a bad user
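Review bot: `FROM gcr.io/distroless/static:latest AS distroless` pins nothing, while its sibling `FROM alpine:3.15.4 AS alpine` carries a version and the comment above both stages says they exist so Dependabot can track base image versions; a floating `latest` gives Dependabot nothing to bump and makes the distroless variant non-reproducible between builds. Pin it by digest, e.g. `FROM gcr.io/distroless/static:latest@sha256:<digest-of-the-tested-image> AS distroless`, which keeps the tag readable and still lets digest updates be proposed. The renamed default in the first hunk, `ARG BASE_IMAGE=alpine`, now resolves through `FROM $BASE_IMAGE` to the stage named `alpine` rather than to a registry image of that name, which appears intended but deserves a comment on the `ARG` line (`# stage name, see the Dependabot stages below`). No file header for this Dockerfile is visible in the rendered page, so the section boundary is inferred from the hunks.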