name: Artifacts on: workflow_call: inputs: publish: description: Publish artifacts to the artifact store default: false required: false type: boolean secrets: DOCKER_USERNAME: required: true DOCKER_PASSWORD: required: true outputs: container-image-name: description: Container image name value: ${{ jobs.container-images.outputs.name }} container-image-digest: description: Container image digest value: ${{ jobs.container-images.outputs.digest }} container-image-ref: description: Container image ref value: ${{ jobs.container-images.outputs.ref }} permissions: contents: read jobs: container-images: name: Container images runs-on: ubuntu-latest strategy: matrix: variant: - alpine - distroless permissions: attestations: write contents: read packages: write id-token: write security-events: write outputs: name: ${{ steps.image-name.outputs.value }} digest: ${{ steps.build.outputs.digest }} ref: ${{ steps.image-ref.outputs.value }} steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-tags: true - name: Set up QEMU uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Set up Syft uses: anchore/sbom-action/download-syft@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1 - name: Install cosign uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 - name: Set image name id: image-name run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT" - name: Gather build metadata id: meta uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: | ${{ steps.image-name.outputs.value }} ${{ github.repository == 'dexidp/dex' && 'dexidp/dex' || '' }} flavor: | latest = false tags: | type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }} type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }} type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }} type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch && matrix.variant == 'alpine' }} type=ref,event=branch,suffix=-${{ matrix.variant }} type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }} type=semver,pattern={{raw}},suffix=-${{ matrix.variant }} type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }} labels: | org.opencontainers.image.documentation=https://dexidp.io/docs/ # Multiple exporters are not supported yet # See https://github.com/moby/buildkit/pull/2760 - name: Get version from git-version script id: version run: echo "value=$(bash ./scripts/git-version)" >> "$GITHUB_OUTPUT" # Multiple exporters are not supported yet # See https://github.com/moby/buildkit/pull/2760 - name: Determine build output uses: haya14busa/action-cond@94f77f7a80cd666cb3155084e428254fea4281fd # v1.2.1 id: build-output with: cond: ${{ inputs.publish }} if_true: type=image,push=true if_false: type=oci,dest=image.tar - name: Login to GitHub Container Registry uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} if: inputs.publish - name: Login to Docker Hub uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} if: inputs.publish - name: Build and push image id: build uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x tags: ${{ steps.meta.outputs.tags }} build-args: | BASE_IMAGE=${{ matrix.variant }} VERSION=${{ steps.version.outputs.value }} COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} labels: | ${{ steps.meta.outputs.labels }} # cache-from: type=gha # cache-to: type=gha,mode=max outputs: ${{ steps.build-output.outputs.value }} # push: ${{ inputs.publish }} - name: Sign the images with GitHub OIDC Token run: | cosign sign --yes ${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }} if: inputs.publish - name: Set image ref id: image-ref run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" - name: Fetch image run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar if: inputs.publish # Uncomment the following lines for debugging: # - name: Upload image as artifact # uses: actions/upload-artifact@v3 # with: # name: "[${{ github.job }}] OCI tarball" # path: image.tar - name: Extract OCI tarball id: extract-oci run: | mkdir -p image tar -xf image.tar -C image image_name=$(jq -r '.manifests[0].annotations["io.containerd.image.name"]' image/index.json) image_tag=$(jq -r '.manifests[0].annotations["org.opencontainers.image.ref.name"]' image/index.json) echo "Copying $image_tag -> $image_name" skopeo copy "oci:image:$image_tag" "docker-daemon:$image_name" echo "value=$image_name" >> "$GITHUB_OUTPUT" if: ${{ !inputs.publish }} # - name: List tags # run: skopeo --insecure-policy list-tags oci:image # # # See https://github.com/anchore/syft/issues/1545 # - name: Extract image from multi-arch image # run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image:${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} docker-archive:docker.tar # # - name: Generate SBOM # run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar # # - name: Upload SBOM as artifact # uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 # with: # name: "[${{ github.job }}] SBOM" # path: sbom-spdx.json # retention-days: 5 # TODO: uncomment when the action is working for non ghcr.io pushes. GH Issue: https://github.com/actions/attest-build-provenance/issues/80 # - name: Generate build provenance attestation # uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 # with: # subject-name: dexidp/dex # subject-digest: ${{ steps.build.outputs.digest }} # push-to-registry: true - name: Generate build provenance attestation uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-name: ghcr.io/${{ github.repository }} subject-digest: ${{ steps.build.outputs.digest }} push-to-registry: true if: inputs.publish - name: Prepare image fs for scanning run: | image_ref=${{ steps.extract-oci.outputs.value != '' && steps.extract-oci.outputs.value || steps.image-ref.outputs.value }} docker export $(docker create --rm $image_ref) -o docker-image.tar mkdir -p docker-image tar -xf docker-image.tar -C docker-image ## Use cache for the trivy-db to avoid the TOOMANYREQUESTS error https://github.com/aquasecurity/trivy-action/pull/397 ## To avoid the trivy-db becoming outdated, we save the cache for one day - name: Get data id: date run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT - name: Restore trivy cache uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: path: cache/db key: trivy-cache-${{ steps.date.outputs.date }} restore-keys: trivy-cache- - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: input: docker-image format: sarif output: trivy-results.sarif scan-type: "rootfs" scan-ref: "." cache-dir: "./cache" # Disable skipping trivy cache for now env: TRIVY_SKIP_DB_UPDATE: true TRIVY_SKIP_JAVA_DB_UPDATE: true ## Trivy-db uses `0600` permissions. ## But `action/cache` use `runner` user by default ## So we need to change the permissions before caching the database. - name: change permissions for trivy.db run: sudo chmod 0644 ./cache/db/trivy.db - name: Check Trivy sarif run: cat trivy-results.sarif - name: Upload Trivy scan results as artifact uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: "[${{ github.job }}] Trivy scan results" path: trivy-results.sarif retention-days: 5 overwrite: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 with: sarif_file: trivy-results.sarif