Skip to content
# Using Kaniko: refer to the following documentations:
# * https://github.com/marketplace/actions/kaniko-action
# * https://github.com/int128/kaniko-action#inputs
name: "Build a container that ship with goreleaser, cosign, ko-build, trivy, syft and push to GitHub Container Registry (GHCR)"
on:
pull_request:
branches:
- main
- release/*
push:
branches:
- main
- containerfiles # TODO: remove after testing
- cosign-slsa # TODO: remove after testing
# Global KANIKO Variables:
# See: https://github.com/int128/kaniko-action
# - KANIKO_BUILD_CONTEXT is the path to the location of the Containerfile.
# - BASE_CONTAINERFILE_NAME is name and location of the Containerfile for base image with a /bin/bash entrypoint.
# - GOREL_ENTRYP_CONTAINERFILE_NAME is name and location of the Containerfile form image with ENTRYPOINT [ "/go/bin/goreleaser" ]
env:
KANIKO_BUILD_CONTEXT: "${{ github.workspace }}"
BASE_CONTAINERFILE_NAME: "${{ github.workspace }}/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr.base"
GOREL_ENTRYP_CONTAINERFILE_NAME: "${{ github.workspace }}/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr"
OCI_REGISTRY: "ghcr.io"
jobs:
set-lowercase-repository:
runs-on: ubuntu-latest
outputs:
lowercase-github-repository: ${{ steps.convert.outputs.lowercase }}
steps:
- name: Convert repository name to lowercase
id: convert
run: |
echo "::set-output name=lowercase::$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')"
use-lowercase-repo:
needs: set-lowercase-repository
runs-on: ubuntu-latest
steps:
- name: Access lowercase repository name
run: |
echo "Original Repository: ${{ github.repository }}"
echo "Lowercase Repository: ${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}"
# Kaniko job to build a container image "goreleaser-glibc-image-base" has a /bin/bash entrypoint
build-base-image:
needs: set-lowercase-repository
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v4
- name: Extract Tools Versions from Containerfile as we use this in tags names
id: extract
run: |
# Extract values from the Containerfile
GOLANG_VERSION=$(grep -m1 'ARG GOLANG_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "GOLANG_VERSION=${GOLANG_VERSION}" >> $GITHUB_OUTPUT
GORELEASER_VERSION=$(grep -m1 'ARG GORELEASER_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "GORELEASER_VERSION=${GORELEASER_VERSION}" >> $GITHUB_OUTPUT
TRIVY_VERSION=$(grep -m1 'ARG TRIVY_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "TRIVY_VERSION=${TRIVY_VERSION}" >> $GITHUB_OUTPUT
COSIGN_VERSION=$(grep -m1 'ARG COSIGN_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "COSIGN_VERSION=${COSIGN_VERSION}" >> $GITHUB_OUTPUT
KO_VERSION=$(grep -m1 'ARG KO_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "KO_VERSION=${KO_VERSION}" >> $GITHUB_OUTPUT
SYFT_VERSION=$(grep -m1 'ARG SYFT_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "SYFT_VERSION=${SYFT_VERSION}" >> $GITHUB_OUTPUT
DEBIAN_VERSION=$(grep -m1 'ARG DEBIAN_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "DEBIAN_VERSION=${DEBIAN_VERSION}" >> $GITHUB_OUTPUT
- uses: docker/login-action@v3
id: login
with:
registry: ${{ env.OCI_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Container metadata and tags
id: metadata
uses: docker/metadata-action@v5
with:
# image name may contain lowercase letters, digits and separators https://github.com/docker/metadata-action/tree/v5/?tab=readme-ov-file#image-name-and-tag-sanitization
images: ${{ steps.login.outputs.registry }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}-base
tags: |
type=ref,event=branch
# use tools version as tags
type=raw,value=golang-${{ steps.extract.outputs.golang_version }}
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}
type=raw,value=ko-${{ steps.extract.outputs.ko_version }}
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}
type=raw,value=syft-${{ steps.extract.outputs.syft_version }}
type=raw,value=golang-${{ steps.extract.outputs.golang_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=ko-${{ steps.extract.outputs.ko_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=syft-${{ steps.extract.outputs.syft_version }}-${{ steps.extract.outputs.debian_version}}
# minimal (short sha)
type=sha
# full length sha
type=sha,format=long
- name: Build the OCI image (base image entrytoint /bin/bash)
id: kaniko
uses: int128/kaniko-action@v1
with:
push: true
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
cache: true
cache-repository: ${{ steps.login.outputs.registry }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}/cache
file: ${{ env.BASE_CONTAINERFILE_NAME }}
context: ${{ env.KANIKO_BUILD_CONTEXT }}
verbosity: "info" # https://github.com/GoogleContainerTools/kaniko#flag---verbosity
outputs:
oci-image-digest: ${{ steps.kaniko.outputs.digest }}
oci-image-url: ${{ steps.metadata.outputs.images }} # needs to be lowercase
# Job to build a SLSA provenance attestation
base-image-provenance:
name: Generate SLSA provenance attestation for OCI
needs: build-base-image # Ensure this job runs after build-base-image
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing. Required for SLSA and Cosign
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ needs.build-base-image.outputs.oci-image-url }} # needs to be lowercase
digest: ${{ needs.build-base-image.outputs.oci-image-digest }}
secrets:
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.GITHUB_TOKEN }}
# Kaniko job to build a container image "goreleaser-glibc-image" that has a goreleaser entrypoint
build-goreleaser-entryp-image:
needs: build-base-image # Ensure this job runs after build-base-image
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v4
- name: Extract Tools Versions from Containerfile as we use this in tags names
id: extract
run: |
# Extract values from the Containerfile
GOLANG_VERSION=$(grep -m1 'ARG GOLANG_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "GOLANG_VERSION=${GOLANG_VERSION}" >> $GITHUB_OUTPUT
GORELEASER_VERSION=$(grep -m1 'ARG GORELEASER_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "GORELEASER_VERSION=${GORELEASER_VERSION}" >> $GITHUB_OUTPUT
TRIVY_VERSION=$(grep -m1 'ARG TRIVY_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "TRIVY_VERSION=${TRIVY_VERSION}" >> $GITHUB_OUTPUT
COSIGN_VERSION=$(grep -m1 'ARG COSIGN_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "COSIGN_VERSION=${COSIGN_VERSION}" >> $GITHUB_OUTPUT
KO_VERSION=$(grep -m1 'ARG KO_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "KO_VERSION=${KO_VERSION}" >> $GITHUB_OUTPUT
SYFT_VERSION=$(grep -m1 'ARG SYFT_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "SYFT_VERSION=${SYFT_VERSION}" >> $GITHUB_OUTPUT
DEBIAN_VERSION=$(grep -m1 'ARG DEBIAN_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "DEBIAN_VERSION=${DEBIAN_VERSION}" >> $GITHUB_OUTPUT
- uses: docker/login-action@v3
id: login
with:
registry: ${{ env.OCI_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Container metadata and tags
id: metadata
uses: docker/metadata-action@v5
with:
# image name may contain lowercase letters, digits and separators https://github.com/docker/metadata-action/tree/v5/?tab=readme-ov-file#image-name-and-tag-sanitization
images: ${{ steps.login.outputs.registry }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}
tags: |
type=ref,event=branch
# use tools version as tags
type=raw,value=golang-${{ steps.extract.outputs.golang_version }}
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}
type=raw,value=ko-${{ steps.extract.outputs.ko_version }}
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}
type=raw,value=syft-${{ steps.extract.outputs.syft_version }}
type=raw,value=golang-${{ steps.extract.outputs.golang_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=ko-${{ steps.extract.outputs.ko_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=syft-${{ steps.extract.outputs.syft_version }}-${{ steps.extract.outputs.debian_version}}
# minimal (short sha)
type=sha
# full length sha
type=sha,format=long
- name: Build the OCI image
id: kaniko
uses: int128/kaniko-action@v1
with:
push: true
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
cache: true
cache-repository: ${{ steps.login.outputs.registry }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}/cache
file: ${{ env.GOREL_ENTRYP_CONTAINERFILE_NAME }}
context: ${{ env.KANIKO_BUILD_CONTEXT }}
verbosity: "info" # https://github.com/GoogleContainerTools/kaniko#flag---verbosity
outputs:
oci-image-digest: ${{ steps.kaniko.outputs.digest }}
oci-image-url: ${{ steps.metadata.outputs.images }} # needs to be lowercase
goreleaser-entryp-image-provenance:
name: Generate SLSA provenance attestation for OCI
needs: build-goreleaser-entryp-image # Ensure this job runs after build-base-image
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing. Required for SLSA and Cosign
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ needs.build-goreleaser-entryp-image.outputs.oci-image-url }} # needs to be lowercase
digest: ${{ needs.build-goreleaser-entryp-image.outputs.oci-image-digest }}
secrets:
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.GITHUB_TOKEN }}