
Commit 796b456

committed
build: add sbom/provenance options
1 parent 07b362f commit 796b456


2 files changed

+66
-49
lines changed


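--- a/.github/workflows/development.yml
+++ b/.github/workflows/development.yml
@@ -93,6 +93,8 @@ jobs:
 platforms: ${{ env.TARGET_PLATFORMS }}
 context: "."
 file: Dockerfile.alpine
+sbom: true
+provenance: mode=max
 target: buildroot
 cache-to: |
 type=gha,mode=max
@@ -137,6 +139,7 @@ jobs:
 outputs: type=oci,dest=${{ steps.image_env.outputs.IMAGE_HOME }}/image-${{ steps.image_env.outputs.IMAGE_TAG_SAFE }}.tar
 labels: ${{steps.image_env.outputs.IMAGE_LABELS}}
 sbom: true
+provenance: mode=max
 annotations: |
 index,manifest:org.opencontainers.image.authors=distroless-python image developers <[email protected]>
 index,manifest:org.opencontainers.image.source=https://github.com/autumnjolitz/distroless-python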
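Review bot: `provenance: mode=max` on the new lines of both build steps records the full build definition in the attestation that ships with the image, which per the BuildKit provenance documentation includes the Dockerfile and the build arguments, so any value handed to the build via `build-args` becomes readable by anyone who can pull the image. The `build-args` of the Create Buildroot and image steps are not visible in these hunks; if any of them carries a credential or an internal URL, move it to the action's `secrets:` input or stay on `provenance: mode=min` for that step. The same two lines are added to the matching steps in `.github/workflows/main.yml`, so whatever is decided here should be mirrored there.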

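--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -6,19 +6,25 @@ on:
 # https://crontab.guru/once-a-week
 - cron: "0 0 * * 0"
 push:
-branches: main
+branches:
+- 'main'
+
 
 env:
 TARGET_PLATFORMS: linux/amd64,linux/arm64
 
 jobs:
 docker:
+services:
+registry:
+image: registry:3
+ports:
+- 5000:5000
 strategy:
-fail-fast: false
+fail-fast: true
 matrix:
 repository:
-- 'ghcr.io'
-- 'docker.io'
+- 'localhost:5000'
 python:
 - '3.14'
 - '3.13'
@@ -82,22 +88,6 @@ jobs:
 echo REPOSITORY_SAFE="$(echo "${REPOSITORY}" | base64 -w 0 )" >> "$GITHUB_OUTPUT"
 echo BASE_IMAGE_DIGEST="$(digest_of "$SOURCE_IMAGE")" >> "$GITHUB_OUTPUT"
 echo 'IMAGE_DESCRIPTION=${{ github.event.repository.description }}. See ${{ github.server_url }}/${{ github.repository }} for more info.' >> "$GITHUB_OUTPUT"
--
-name: Login to GitHub Container Registry
-if: ${{ matrix.repository == 'ghcr.io' }}
-uses: docker/login-action@v3
-with:
-registry: 'ghcr.io'
-username: ${{ github.repository_owner }}
-password: ${{ secrets.GITHUB_TOKEN }}
--
-name: Login to DockerHub
-if: ${{ matrix.repository == 'docker.io' }}
-uses: docker/login-action@v3
-with:
-registry: 'docker.io'
-username: ${{ github.repository_owner }}
-password: ${{ secrets.DOCKERHUB_TOKEN }}
 
 -
 name: Create Buildroot
@@ -108,6 +98,8 @@ jobs:
 platforms: ${{ env.TARGET_PLATFORMS }}
 context: "."
 file: Dockerfile.alpine
+sbom: true
+provenance: mode=max
 target: buildroot
 cache-to: |
 type=gha,mode=max
@@ -152,6 +144,7 @@ jobs:
 outputs: type=oci,dest=${{ steps.image_env.outputs.IMAGE_HOME }}/image-${{ steps.image_env.outputs.IMAGE_TAG_SAFE }}.tar
 labels: ${{steps.image_env.outputs.IMAGE_LABELS}}
 sbom: true
+provenance: mode=max
 annotations: |
 index,manifest:org.opencontainers.image.authors=distroless-python image developers <[email protected]>
 index,manifest:org.opencontainers.image.source=https://github.com/autumnjolitz/distroless-python
@@ -188,19 +181,6 @@ jobs:
 echo '${{ steps.image_env.outputs.IMAGE_TAG }}@'"$IMAGE_DIGEST" | tee -a ${{ steps.image_env.outputs.IMAGE_HOME }}/manifest.txt
 echo '${{ steps.image_env.outputs.IMAGE_BUILDROOT_TAG }}@'"$IMAGE_BUILDROOT_DIGEST" | tee -a ${{ steps.image_env.outputs.IMAGE_HOME }}/manifest.txt
 ls ${{ steps.image_env.outputs.IMAGE_HOME }}
-- name: Fetch packages version ID
-if: ${{ matrix.repository == 'ghcr.io' }}
-id: fetch_version_ids
-run: |
-tag=$(echo ${{ steps.image_env.outputs.IMAGE_TAG }} | rev | cut -d: -f1 | rev)
-package_name=$(echo ${{ steps.image_env.outputs.IMAGE_TAG }} | rev | cut -d: -f2- | cut -d/ -f1 | rev)
-repo_name=${{ github.repository }}
-owner=${{ github.repository_owner }}
-version_id=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-"https://api.github.com/orgs/${owner}/packages/container/${package_name}/versions" | \
-jq -r --arg tag "$tag" '.[] | select(.metadata.container.tags[] == $tag) | .id')
-package_url="https://github.com/${repo_name}/pkgs/container/${package_name}/${version_id}?tag=${tag}"
-echo "${{steps.image_env.outputs.IMAGE_TAG}}@$package_url" | tee -a ${{ steps.image_env.outputs.IMAGE_HOME }}/packages.txt
 
 - name: upload build
 uses: actions/upload-artifact@v4
@@ -221,7 +201,6 @@ jobs:
 path: |
 ${{ steps.image_env.outputs.IMAGE_HOME }}/*.txt
 
-
 update-dockerhub-desc:
 needs: [docker]
 runs-on: "ubuntu-latest"
@@ -235,19 +214,62 @@ jobs:
 -
 name: install dependencies
 run: |
+apt-get -y install skopeo
 python -m pip install jinplate
+
+
 -
-name: fetch metadata
+name: fetch images
 uses: actions/download-artifact@v5
 with:
-pattern: metadata-*
+pattern: images-*
 path: dist-images
+merge-multiple: true
+
+-
+name: prep files
+run: |
+printf "Images:\n\n" >> "$GITHUB_STEP_SUMMARY"
+for filename in $(find dist-images -type f -name "*.tar" -print)
+do
+image_uri="$(basename -s .tar $filename | sed 's/image-//g' | base64 -d)"
+for repository in docker.io ghcr.io
+do
+new_image_uri=$(echo $image_uri | sed 's|localhost:5000|'"$repository"'|g')
+new_filename="dist-images/image-$(echo $new_image_uri | base64 -w 0).tar"
+cp $(unknown) ${new_filename}
+echo '* `'${new_filename}'` (`'${new_image_uri}'`)' >> "$GITHUB_STEP_SUMMARY"
+done
+rm $filename
+done
+
+- name: login to registry
+env:
+DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+printf "${GITHUB_TOKEN}\n" | skopeo login --password-stdin --username ${{ github.repository_owner }} ghcr.io
+printf "${DOCKERHUB_TOKEN}\n" | skopeo login --password-stdin --username ${{ github.repository_owner }} docker.io
+
+-
+name: upload to registry
+run: |
+printf '#Upload to registry\n\n' >> "$GITHUB_STEP_SUMMARY"
+for filename in $(find dist-images -type f -name "*.tar" -print)
+do
+IMAGE_URI="$(basename -s .tar $filename | sed 's/image-//g' | base64 -d)"
+echo "uploading $IMAGE_URI"
+T="$(mktemp)"
+skopeo copy --multi-arch all --digestfile $T oci-archive://$PWD/$filename "docker://$IMAGE_URI"
+IMAGE_DIGEST="$(cat $T)"
+rm -f $T
+>>./manifest.txt echo "${IMAGE_URI}@${IMAGE_DIGEST}"
+printf '* '"${IMAGE_URI}@${IMAGE_DIGEST}"'\n' >> "$GITHUB_STEP_SUMMARY"
+done
+
 -
 name: aggregate metadata
 run: |
-cat $(find dist-images -type f -name manifest.txt -print) > manifest.txt
-cat $(find dist-images -type f -name packages.txt -print) > packages.txt
-find dist-images -type f \( -name manifest.txt -o -name packages.txt \) -delete
 {
 printf '### manifest.txt\n\n'
 printf '```\n'
@@ -260,14 +282,6 @@ jobs:
 cat packages.txt
 printf '```\n'
 } >>"$GITHUB_STEP_SUMMARY"
-
--
-name: fetch images
-uses: actions/download-artifact@v5
-with:
-pattern: images-*
-path: dist-images
-merge-multiple: true
 -
 name: parse metadata for README
 run: |
@@ -308,8 +322,8 @@ jobs:
 name: Print out markdown
 run: |
 cat README.md >>"$GITHUB_STEP_SUMMARY"
-
-- name: Update repo description
+-
+name: Update repo description
 uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0
 with:
 username: ${{ github.repository_owner }}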
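Review bot: `cat packages.txt` on the context line at new line 282 of the `aggregate metadata` step (whose `run:` block begins in the previous hunk) reads a file this commit stops producing: the `Fetch packages version ID` step that wrote `packages.txt` and the `cat $(find dist-images -type f -name packages.txt -print) > packages.txt` line are both removed, and the new `upload to registry` step only appends to `./manifest.txt`. Unless something outside these hunks creates it, that `cat` fails under the default `bash -e` shell and aborts the step, so either drop the `packages.txt` block from the summary or have the `upload to registry` loop write the file. Separately, the `login to registry` step expands the tokens inside `printf`'s format string; `printf '%s\n' "$GITHUB_TOKEN" | skopeo login --password-stdin --username "${{ github.repository_owner }}" ghcr.io` (and likewise for `DOCKERHUB_TOKEN`) keeps a `%` or backslash in a token from being interpreted. Since publishing has moved from the `docker` job into `update-dockerhub-desc`, that job now needs `packages: write` on `GITHUB_TOKEN` and the `docker` job may no longer need it; the `permissions:` blocks are outside these hunks, so this is worth confirming.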
