diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c87ca51..ddaddb5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,13 +16,14 @@ env:
 jobs:
   build:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: ["3.17", "3.19", "3.20"]
+        openssl_version: ["3.0.9"]
+      fail-fast: false
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-
-      - name: Get Alpine version
-        id: alpine
-        run: echo "version=$(grep -m1 'FROM alpine' > $GITHUB_OUTPUT
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

       - name: Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
@@ -34,7 +35,7 @@ jobs:
         if: github.event_name != 'pull_request'

       - name: Login to GitHub Container Registry
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -49,29 +50,33 @@ jobs:
             name=ghcr.io/nginxinc/alpine-fips
           tags: |
             type=edge
-            type=ref,event=pr
+            type=ref,event=pr,suffix=-alpine${{ matrix.image }}
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{version}},suffix=-alpine${{ steps.alpine.outputs.version }}
+            type=semver,pattern={{version}},suffix=-alpine${{ matrix.image }}
         env:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

       - name: Build Docker image
-        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         id: build-push
         with:
           file: Dockerfile
           context: "."
-          cache-from: type=gha,scope=alpine
-          cache-to: type=gha,scope=alpine,mode=max
+          cache-from: type=gha,scope=alpine${{ matrix.image }}
+          cache-to: type=gha,scope=alpine${{ matrix.image }},mode=max
           tags: ${{ steps.meta.outputs.tags }}
           load: ${{ github.event_name == 'pull_request' }}
           push: ${{ github.event_name != 'pull_request' }}
           platforms: ${{ github.event_name != 'pull_request' && env.platforms || '' }}
           annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
+          target: alpine
           pull: true
           sbom: ${{ github.event_name != 'pull_request' }}
           provenance: ${{ github.event_name != 'pull_request' }}
+          build-args: |
+            BUILD_OS=alpine:${{ matrix.image }}
+            OPENSSL_VERSION=${{ matrix.openssl_version }}

       - name: Run Grype vulnerability scanner
         uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
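Review bot: With the three-entry `image` matrix, the unsuffixed tags `type=edge`, `type=semver,pattern={{version}}` and `type=semver,pattern={{major}}.{{minor}}` are generated identically by every matrix job, so on a non-PR push each job pushes the same `edge`/version tags and whichever job finishes last decides which Alpine base those tags point at. Gate them on a single matrix entry, e.g. `type=edge,enable=${{ matrix.image == '3.20' }}` with the same `enable=` on the two unsuffixed semver lines, or drop them in favour of the suffixed variants. The SARIF upload in the later hunk of this file has the same collision: three matrix jobs now upload to the same ref with no `category:`, so add something like `category: alpine-${{ matrix.image }}` there so one job's results are not replaced by another's. The metadata step's `with:` block starts above this hunk.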
@@ -83,12 +88,12 @@ jobs:
           add-cpes-if-none: true

       - name: Upload Anchore scan SARIF report
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}

       - name: Create/Update Draft
-        uses: lucacome/draft-release@e076259ceb036bc5f2c2a76559784c12cf8d2e74 # v1.0.4
+        uses: lucacome/draft-release@8a63d32c79a171ae6048e614a8988f0ac3ed56d4 # v1.1.0
         with:
           minor-label: "enhancement"
           major-label: "change"
diff --git a/Dockerfile b/Dockerfile
index a319296..ed7e063 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,10 @@
-FROM alpine:3.19
-
+# syntax=docker/dockerfile:1.6
+ARG BUILD_OS=alpine:3.19
 ARG OPENSSL_VERSION=3.0.9

+FROM ${BUILD_OS} as alpine
+ARG OPENSSL_VERSION
+
 RUN apk add --no-cache --virtual .build-deps \
     make gcc libgcc musl-dev linux-headers perl vim \
     && wget https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz \
@@ -11,6 +14,7 @@ RUN apk add --no-cache --virtual .build-deps \
     && make \
     && make install_fips \
     && apk del .build-deps \
-    && cd .. && rm -rf openssl-${OPENSSL_VERSION}.tar.gz openssl-${OPENSSL_VERSION}
+    && cd .. && rm -rf openssl-${OPENSSL_VERSION}.tar.gz openssl-${OPENSSL_VERSION} \
+    && apk upgrade --no-cache -U

 COPY openssl.cnf /etc/ssl/openssl.cnf
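Review bot: `OPENSSL_VERSION` is now a build-time input supplied from the workflow matrix, but the tarball it selects is still fetched by the `wget` context line with no integrity check, so whatever archive the download returns is compiled straight into the FIPS provider. Pair the version with a pinned digest: add `ARG OPENSSL_SHA256` next to the re-declared `ARG OPENSSL_VERSION`, insert `&& echo "${OPENSSL_SHA256}  openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c - \` directly after the `wget` line, and pass the digest from the matrix alongside `openssl_version`. Minor: `FROM ${BUILD_OS} as alpine` should read `FROM ${BUILD_OS} AS alpine` so the stage keyword matches the uppercase instruction casing. The RUN instruction continues past the end of this hunk.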
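Review bot: The new `apk upgrade --no-cache -U` runs only after the FIPS provider has been compiled and `.build-deps` removed, so OpenSSL is built against the musl and linux-headers that the base tag shipped with and those packages are upgraded afterwards; moving the upgrade to the head of the instruction (`RUN apk upgrade --no-cache -U \` followed by `&& apk add --no-cache --virtual .build-deps \`) builds against the same package set that ends up in the image. The line also deserves a comment, e.g. `# pull in base-image package fixes; result depends on the index at build time, so rebuild to refresh`, since the upgraded content is not reproducible from the Dockerfile and tag alone. The RUN instruction starts above this hunk.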