Merge pull request #2478 from dexidp/distroless

Publish official distroless images

Merge pull request #2478 from dexidp/distroless
c8ff7ed4 · Márk Sági-Kazár · GitHub · 95e81a92 · 3702525c · c8ff7ed4
Unverified Commit c8ff7ed4 authored 3 years ago by Márk Sági-Kazár Committed by GitHub 3 years ago
--- a/.github/workflows/artifacts.yaml
+++ b/.github/workflows/artifacts.yaml
@@ -18,6 +18,9 @@ jobs:
          - linux/amd64
          - linux/arm/v7
          - linux/arm64
+        variant:
+          - alpine
+          - distroless
    outputs:
      version: ${{ steps.details.outputs.version }}

@@ -37,12 +40,17 @@ jobs:
            *)            VERSION=sha-${GITHUB_SHA::8};;
          esac

+          VERSION_SUFFIX=""
+          if [[ "${{ matrix.variant }}" != "alpine" ]]; then
+            VERSION_SUFFIX="-${{ matrix.variant }}"
+          fi
+
          TAGS=()
          for image in $CONTAINER_IMAGES; do
-            TAGS+=("${image}:${VERSION}")
+            TAGS+=("${image}:${VERSION}${VERSION_SUFFIX}")

            if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then
-              TAGS+=("${image}:latest")
+              TAGS+=("${image}:latest${VERSION_SUFFIX}")
            fi
          done

@@ -84,6 +92,7 @@ jobs:
          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.details.outputs.tags }}
          build-args: |
+            BASE_IMAGE=${{ matrix.variant }}
            VERSION=${{ steps.details.outputs.version }}
            COMMIT_HASH=${{ steps.details.outputs.commit_hash }}
            BUILD_DATE=${{ steps.details.outputs.build_date }}
@@ -103,12 +112,29 @@ jobs:
    runs-on: ubuntu-latest
    needs: container-images
    if: github.event_name == 'push'
+    strategy:
+      matrix:
+        variant:
+          - alpine
+          - distroless

    steps:
+      # Workaround for lack of matrix output support
+      - name: Calculate container image details
+        id: details
+        run: |
+          VERSION="${{ needs.container-images.outputs.version }}"
+
+          if [[ "${{ matrix.variant }}" != "alpine" ]]; then
+            VERSION="${VERSION}-${{ matrix.variant }}"
+          fi
+
+          echo ::set-output name=version::${VERSION}
+
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.2.4
        with:
-          image-ref: "ghcr.io/dexidp/dex:${{ needs.container-images.outputs.version }}"
+          image-ref: "ghcr.io/dexidp/dex:${{ steps.details.outputs.version }}"
          format: "sarif"
          output: "trivy-results.sarif"


--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
 name: Docker

 on:
-  push:
-    branches:
-      - master
-    tags:
-      - v[0-9]+.[0-9]+.[0-9]+
+  # push:
+  #   branches:
+  #     - master
+  #   tags:
+  #     - v[0-9]+.[0-9]+.[0-9]+
  pull_request:

 jobs:

--- a/Dockerfile
+++ b/Dockerfile
-ARG BASEIMAGE=alpine:3.15.4
+ARG BASE_IMAGE=alpine

 FROM golang:1.17.8-alpine3.14 AS builder

@@ -40,8 +40,11 @@ RUN wget -O /usr/local/bin/gomplate \
    "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \
    && chmod +x /usr/local/bin/gomplate

+# For Dependabot to detect base image versions
+FROM alpine:3.15.4 AS alpine
+FROM gcr.io/distroless/static:latest AS distroless

-FROM $BASEIMAGE
+FROM $BASE_IMAGE

 # Dex connectors, such as GitHub and Google logins require root certificates.
 # Proper installations should manage those certificates, but it's a bad user