k-space/dex
Archived
11
0
Fork 0
Code Issues Pull Requests Packages Projects Activity

ci: build distroless images

Browse Source 
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
This commit is contained in:
Mark Sagi-Kazar
2022-04-14 15:35:32 +02:00
parent 6038af5044
commit 8b2ce6252d
2 changed files with 31 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
.github/workflows/artifacts.yaml vendored
View File

@@ -18,6 +18,9 @@ jobs:
- linux/amd64 - linux/amd64
- linux/arm/v7 - linux/arm/v7
- linux/arm64 - linux/arm64
variant:
- alpine
- distroless
outputs: outputs:
version: ${{ steps.details.outputs.version }} version: ${{ steps.details.outputs.version }}
@@ -37,12 +40,17 @@ jobs:
*) VERSION=sha-${GITHUB_SHA::8};; *) VERSION=sha-${GITHUB_SHA::8};;
esac esac
VERSION_SUFFIX=""
if [[ "${{ matrix.variant }}" != "alpine" ]]; then
VERSION_SUFFIX="-${{ matrix.variant }}"
fi
TAGS=() TAGS=()
for image in $CONTAINER_IMAGES; do for image in $CONTAINER_IMAGES; do
TAGS+=("${image}:${VERSION}") TAGS+=("${image}:${VERSION}${VERSION_SUFFIX}")
if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then
TAGS+=("${image}:latest") TAGS+=("${image}:latest${VERSION_SUFFIX}")
fi fi
done done
@@ -84,6 +92,7 @@ jobs:
push: ${{ github.event_name == 'push' }} push: ${{ github.event_name == 'push' }}
tags: ${{ steps.details.outputs.tags }} tags: ${{ steps.details.outputs.tags }}
build-args: | build-args: |
BASE_IMAGE=${{ matrix.variant }}
VERSION=${{ steps.details.outputs.version }} VERSION=${{ steps.details.outputs.version }}
COMMIT_HASH=${{ steps.details.outputs.commit_hash }} COMMIT_HASH=${{ steps.details.outputs.commit_hash }}
BUILD_DATE=${{ steps.details.outputs.build_date }} BUILD_DATE=${{ steps.details.outputs.build_date }}
@@ -103,12 +112,29 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: container-images needs: container-images
if: github.event_name == 'push' if: github.event_name == 'push'
strategy:
matrix:
variant:
- alpine
- distroless
steps: steps:
# Workaround for lack of matrix output support
- name: Calculate container image details
id: details
run: |
VERSION="${{ needs.container-images.outputs.version }}"
if [[ "${{ matrix.variant }}" != "alpine" ]]; then
VERSION="${VERSION}-${{ matrix.variant }}"
fi
echo ::set-output name=version::${VERSION}
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.2.4 uses: aquasecurity/trivy-action@0.2.4
with: with:
image-ref: "ghcr.io/dexidp/dex:${{ needs.container-images.outputs.version }}" image-ref: "ghcr.io/dexidp/dex:${{ steps.details.outputs.version }}"
format: "sarif" format: "sarif"
output: "trivy-results.sarif" output: "trivy-results.sarif"

4
Dockerfile
View File

@@ -1,4 +1,4 @@
ARG BASEIMAGE=alpine ARG BASE_IMAGE=alpine
FROM golang:1.17.8-alpine3.14 AS builder FROM golang:1.17.8-alpine3.14 AS builder
@@ -44,7 +44,7 @@ RUN wget -O /usr/local/bin/gomplate \
FROM alpine:3.15.4 AS alpine FROM alpine:3.15.4 AS alpine
FROM gcr.io/distroless/static:latest AS distroless FROM gcr.io/distroless/static:latest AS distroless
FROM $BASEIMAGE FROM $BASE_IMAGE
# Dex connectors, such as GitHub and Google logins require root certificates. # Dex connectors, such as GitHub and Google logins require root certificates.
# Proper installations should manage those certificates, but it's a bad user # Proper installations should manage those certificates, but it's a bad user