From 6038af5044b746d672b49dacc4a52c54ea6591c6 Mon Sep 17 00:00:00 2001
From: Mark Sagi-Kazar
Date: Thu, 14 Apr 2022 15:18:28 +0200
Subject: [PATCH 1/3] build: help dependabot detect base image versions

Signed-off-by: Mark Sagi-Kazar
---
 Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index a5a4c548..7e66b25f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-ARG BASEIMAGE=alpine:3.15.4
+ARG BASEIMAGE=alpine
 
 FROM golang:1.17.8-alpine3.14 AS builder
 
@@ -40,6 +40,9 @@ RUN wget -O /usr/local/bin/gomplate \
 "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \
 && chmod +x /usr/local/bin/gomplate
 
+# For Dependabot to detect base image versions
+FROM alpine:3.15.4 AS alpine
+FROM gcr.io/distroless/static:latest AS distroless
 
 FROM $BASEIMAGE
 

From 8b2ce6252db9e8e68e783affd3424be9b353ff1b Mon Sep 17 00:00:00 2001
From: Mark Sagi-Kazar
Date: Thu, 14 Apr 2022 15:35:32 +0200
Subject: [PATCH 2/3] ci: build distroless images

Signed-off-by: Mark Sagi-Kazar
---
 .github/workflows/artifacts.yaml | 32 +++++++++++++++++++++++++++++---
 Dockerfile | 4 ++--
 2 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
index 63c3e840..6dd0e799 100644
--- a/.github/workflows/artifacts.yaml
+++ b/.github/workflows/artifacts.yaml
@@ -18,6 +18,9 @@ jobs:
 - linux/amd64
 - linux/arm/v7
 - linux/arm64
+ variant:
+ - alpine
+ - distroless
 
 outputs:
 version: ${{ steps.details.outputs.version }}
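Review bot: The default in `ARG BASEIMAGE=alpine` now names a build stage rather than an image reference, but nothing on that line says so; a reader or an image-pinning linter will take it for the floating `alpine` tag that the removed `alpine:3.15.4` avoided. Add a comment above the ARG, `# Name of a stage defined below (alpine or distroless), not an image tag; versions are pinned on those stages.` The actual pin moves to the stage definitions in the second hunk of this patch.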
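Review bot: `FROM gcr.io/distroless/static:latest AS distroless` works against the stated purpose of the hunk: a floating `latest` tag gives Dependabot no version to track and makes the distroless build non-reproducible, while the alpine stage beside it is pinned to 3.15.4. Pin a released tag and preferably a digest, e.g. `FROM gcr.io/distroless/static:<pinned-tag>@sha256:<digest> AS distroless`. Note also that the plain `static` tag runs as root unless a later `USER` is set, whereas distroless publishes a `nonroot` variant; whether the runtime stage sets a `USER` is outside this hunk.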
@@ -37,12 +40,17 @@ jobs:
 *) VERSION=sha-${GITHUB_SHA::8};;
 esac
 
+ VERSION_SUFFIX=""
+ if [[ "${{ matrix.variant }}" != "alpine" ]]; then
+ VERSION_SUFFIX="-${{ matrix.variant }}"
+ fi
+
 TAGS=()
 for image in $CONTAINER_IMAGES; do
- TAGS+=("${image}:${VERSION}")
+ TAGS+=("${image}:${VERSION}${VERSION_SUFFIX}")
 if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then
- TAGS+=("${image}:latest")
+ TAGS+=("${image}:latest${VERSION_SUFFIX}")
 fi
 done
 
@@ -84,6 +92,7 @@ jobs:
 push: ${{ github.event_name == 'push' }}
 tags: ${{ steps.details.outputs.tags }}
 build-args: |
+ BASE_IMAGE=${{ matrix.variant }}
 VERSION=${{ steps.details.outputs.version }}
 COMMIT_HASH=${{ steps.details.outputs.commit_hash }}
 BUILD_DATE=${{ steps.details.outputs.build_date }}
@@ -103,12 +112,29 @@ jobs:
 runs-on: ubuntu-latest
 needs: container-images
 if: github.event_name == 'push'
+ strategy:
+ matrix:
+ variant:
+ - alpine
+ - distroless
 
 steps:
+ # Workaround for lack of matrix output support
+ - name: Calculate container image details
+ id: details
+ run: |
+ VERSION="${{ needs.container-images.outputs.version }}"
+
+ if [[ "${{ matrix.variant }}" != "alpine" ]]; then
+ VERSION="${VERSION}-${{ matrix.variant }}"
+ fi
+
+ echo ::set-output name=version::${VERSION}
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@0.2.4
 with:
- image-ref: "ghcr.io/dexidp/dex:${{ needs.container-images.outputs.version }}"
+ image-ref: "ghcr.io/dexidp/dex:${{ steps.details.outputs.version }}"
 format: "sarif"
 output: "trivy-results.sarif"
diff --git a/Dockerfile b/Dockerfile
index 7e66b25f..ada04ae1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-ARG BASEIMAGE=alpine
+ARG BASE_IMAGE=alpine
 
 FROM golang:1.17.8-alpine3.14 AS builder
 
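Review bot: `${{ matrix.variant }}` is expanded directly into the bash script in the added lines `if [[ "${{ matrix.variant }}" != "alpine" ]]; then` and `VERSION_SUFFIX="-${{ matrix.variant }}"`; the value comes from a matrix declared in this same workflow, so it is not externally controlled today, but inlining expressions into `run:` is the pattern GitHub documents as a script-injection risk and it is easily copied later with a less trusted source. Passing it through `env:` (`VARIANT: ${{ matrix.variant }}`) and referencing `"$VARIANT"` in the script keeps shell quoting intact whatever the value. The same pattern is repeated in the added `run:` block of the container-scan job later in this file section. The `run:` block this hunk edits begins before the hunk.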
@@ -44,7 +44,7 @@ RUN wget -O /usr/local/bin/gomplate \
 FROM alpine:3.15.4 AS alpine
 FROM gcr.io/distroless/static:latest AS distroless
 
-FROM $BASEIMAGE
+FROM $BASE_IMAGE
 
 # Dex connectors, such as GitHub and Google logins require root certificates.
 # Proper installations should manage those certificates, but it's a bad user

From 3702525c8627e810297e864bde5c38231a107c72 Mon Sep 17 00:00:00 2001
From: Mark Sagi-Kazar
Date: Thu, 14 Apr 2022 16:08:39 +0200
Subject: [PATCH 3/3] ci: disable Docker job on push

Signed-off-by: Mark Sagi-Kazar
---
 .github/workflows/docker.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 213a8350..0617ea38 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -1,11 +1,11 @@
 name: Docker
 
 on:
- push:
- branches:
- - master
- tags:
- - v[0-9]+.[0-9]+.[0-9]+
+ # push:
+ # branches:
+ # - master
+ # tags:
+ # - v[0-9]+.[0-9]+.[0-9]+
 pull_request:
 
 jobs:
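Review bot: Once `FROM $BASE_IMAGE` can resolve to the distroless stage, anything after it that needs a shell or `apk` in the runtime image will fail for that variant; the trailing context (`# Dex connectors ... require root certificates`) suggests certificates are installed by a following `RUN`, which lies outside this hunk, so I cannot confirm it. If that is the case, the certificates should instead be copied from the builder, `COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/`, so both variants work. A comment on the `FROM $BASE_IMAGE` line stating that the value is a stage name selected by the CI `BASE_IMAGE` build-arg would also save the next reader a lookup.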
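Review bot: The push trigger is commented out rather than removed, leaving five lines of dead YAML at the top of the workflow with no note on why; the commit title says push builds are disabled here, but the file itself should say where they now come from. Either delete the block or replace it with a one-line comment such as `# Push and tag builds are produced by artifacts.yaml; this workflow only validates pull requests.`. Tag pushes (`v*`) no longer trigger this workflow either, which I assume is intended, but it is worth confirming the artifacts workflow covers tags.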