Multi-platform build with GitHub Actions, semantic versioning, and cosign signing

Author: fontebasso

.github/workflows/docker-monitor.yaml

@@ -13,4 +13,4 @@ jobs:
         with:
           token: ${{ secrets.TOKEN }}
           image: 'library/php'
-          tag: '8.1-fpm-alpine3.16'
+          tag: '8.2-fpm-alpine3.16'

.github/workflows/docker.yaml

@@ -5,43 +5,168 @@ on:
     types: [published]
 
 jobs:
-  build-push-image:
+  build:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
+    env:
+      REGISTRY: index.docker.io
+      REGISTRY_NAME: fontebasso/php-nginx
+
+    outputs:
+      VERSION: ${{ steps.vars.outputs.VERSION }}
+      MAJOR: ${{ steps.vars.outputs.MAJOR }}
+      MINOR: ${{ steps.vars.outputs.MINOR }}
+
     steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Install Syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
       - name: Publish version env var
         run: echo "VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
 
-      - name: checkout code
-        uses: actions/checkout@v2
+      - name: Checkout code
+        uses: actions/checkout@v4
 
       - name: Login to Docker Hub
         uses: docker/login-action@v1
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          username: fontebasso
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+      - name: Extract version parts
+        id: vars
+        run: |
+          IFS='.' read -r MAJOR MINOR PATCH <<< "${{ env.VERSION }}"
+          echo "MAJOR=$MAJOR" >> $GITHUB_ENV
+          echo "MINOR=$MINOR" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION }}" >> $GITHUB_OUTPUT
+          echo "MAJOR=$MAJOR" >> $GITHUB_OUTPUT
+          echo "MINOR=$MINOR" >> $GITHUB_OUTPUT
 
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: build and push the image
-        run: |
-          docker buildx build . \
-            --build-arg BUILD_ID=${{ github.run_id }} \
-            --build-arg COMMIT_ID=$(git rev-parse --short "$GITHUB_SHA") \
-            --tag ${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.DOCKERHUB_REPO }}:${{ env.VERSION }} \
-            --tag ${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.DOCKERHUB_REPO }}:latest \
-            --platform linux/amd64,linux/arm64 \
-            --push
-
-      - name: Push readme
-        uses: actionhippie/pushrm@v1
-        with:
-          provider: dockerhub
-          target: fontebasso/php-nginx
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
-          readme: README.md
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY_NAME }}
+          tags: |
+            ${{ env.VERSION }}
+            ${{ env.MAJOR }}.${{ env.MINOR }}
+            ${{ env.MAJOR }}
+            latest
+          annotations: |
+            org.opencontainers.image.title=${{ env.REGISTRY_NAME }}
+            org.opencontainers.image.description=$(cat README.md)
+
+      - name: Build and push
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          push: true
+          provenance: mode=max
+          sbom: true
+          build-args: |
+            BUILD_ID=${{ github.run_id }}
+            COMMIT_ID=$(git rev-parse --short "$GITHUB_SHA")
+            
+      - name: Extract provenance
+        shell: bash
+        run: |
+          echo $(jq -r '.provenance[]' < $GITHUB_WORKSPACE/.github/actions/buildx/output.json) > provenance.json        
+
+      - name: Upload provenance
+        uses: actions/upload-artifact@v4
+        with:
+          name: provenance
+          path: provenance.json
+
+      - name: Generate SBOM
+        id: sbom
+        shell: bash
+        run: |
+          for tag in $(echo "${{ steps.meta.outputs.tags }}" | grep -Ev '^$' | tr ',' '\n'); do
+            for platform in linux/amd64 linux/arm64; do
+              digest=$(docker buildx imagetools inspect "${tag}" --raw | jq -r ".manifests[] | select(.platform.architecture==\"${platform##*/}\") | .digest")
+              if [ -n "$digest" ]; then
+                normalized_tag=$(echo "${tag}_${platform}" | tr ':' '_' | tr '.' '_' | tr '/' '_' | tr '-' '_')
+                echo "${normalized_tag}=${digest}" >> digest_mapping.txt
+                mkdir -p sbom
+                syft "${tag}" -o spdx-json > "sbom/${normalized_tag}.sbom.spdx.json"
+              fi
+            done
+          done
+
+      - name: Upload digest mapping file
+        uses: actions/upload-artifact@v4
+        with:
+          name: digest_mapping
+          path: digest_mapping.txt
+
+      - name: Upload SBOM files
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: sbom
+
+  sign:
+    runs-on: ubuntu-latest
+    needs: build
+    env:
+      REGISTRY_NAME: fontebasso/php-nginx
+
+    strategy:
+      matrix:
+        platform: ["linux/amd64", "linux/arm64"]
+        tags: ["latest", "${{ needs.build.outputs.VERSION }}", "${{ needs.build.outputs.MAJOR }}.${{ needs.build.outputs.MINOR }}", "${{ needs.build.outputs.MAJOR }}"]
+
+    steps:
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: fontebasso
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Download digest mapping file
+        uses: actions/download-artifact@v4
+        with:
+          name: digest_mapping
+
+      - name: Prepare
+        run: |
+          normalized_tag=$(echo "${{ env.REGISTRY_NAME }}:${{ matrix.tags }}_${{ matrix.platform }}" | tr ':' '_' | tr '.' '_' | tr '/' '_' | tr '-' '_')
+          TAG_DIGEST=$(grep "^${normalized_tag}=" digest_mapping.txt | cut -d '=' -f 2)
+          echo "TAG_DIGEST=${TAG_DIGEST}" >> $GITHUB_ENV
+          echo "TAG_NORMALIZED=${normalized_tag}" >> $GITHUB_ENV
+
+      - name: Cosign install
+        run: |
+          curl -LO https://github.com/sigstore/cosign/releases/download/v2.2.4/cosign-linux-amd64
+          chmod +x cosign-linux-amd64
+          mv cosign-linux-amd64 cosign
+
+      - name: Load Cosign key
+        run: |
+          echo "${{ secrets.B64_COSIGN_KEY }}" | base64 -d > cosign.key
+          echo "${{ secrets.B64_COSIGN_PUB }}" | base64 -d > cosign.pub
+
+      - name: Sign image with Cosign
+        run: |
+          ./cosign sign --yes --key cosign.key ${{ env.REGISTRY_NAME }}@${{ env.TAG_DIGEST }}
+          ./cosign verify --key cosign.pub ${{ env.REGISTRY_NAME }}@${{ env.TAG_DIGEST }}
+
+      - name: Publish signature Rekor
+        run: |
+          ./cosign sign --yes --key cosign.key --rekor-url https://rekor.sigstore.dev ${{ env.REGISTRY_NAME }}@${{ env.TAG_DIGEST }}

Dockerfile

@@ -13,29 +13,32 @@ LABEL \
 
 RUN set -ex; \
     \
-    apk add --no-cache --upgrade git \
-        bzip2-dev \
-        ca-certificates \
-        curl \
-        curl-dev \
-        freetype-dev \
-        ghostscript \
-        icu-dev \
-        imagemagick \
-        imagemagick-dev \
-        imagemagick-libs \
-        jpeg-dev \
-        libjpeg-turbo-dev \
-        libmcrypt-dev \
-        libpng-dev \
-        libressl-dev \
-        libxml2-dev \
-        libzip-dev \
-        nginx \
-        nginx-mod-http-headers-more \
-        oniguruma-dev \
-        postgresql-dev \
-        runit; \
+    apk update; \
+    apk add --no-cache --upgrade bzip2-dev \
+       ca-certificates \
+       curl \
+       curl-dev \
+       freetype-dev \
+       ghostscript \
+       git \
+       icu-dev \
+       imagemagick \
+       imagemagick-dev \
+       imagemagick-libs \
+       jpeg-dev \
+       libjpeg-turbo-dev \
+       libmcrypt-dev \
+       libpng-dev \
+       libressl-dev \
+       libxml2-dev \
+       libzip-dev \
+       ncurses \
+       nginx \
+       nginx-mod-http-headers-more \
+       oniguruma-dev \
+       openssl \
+       runit \
+       sqlite; \
     apk add --no-cache --virtual build-dependencies build-base gcc wget autoconf linux-headers; \
     docker-php-ext-configure gd \
       --with-freetype \
@@ -49,30 +52,40 @@ RUN set -ex; \
         exif \
         gd \
         opcache \
+        pcntl \
         pdo_mysql \
         shmop \
         sockets \
         sysvmsg \
         sysvsem \
         sysvshm \
-        pcntl \
         zip; \
     pecl install imagick; \
     docker-php-ext-enable --ini-name docker-php-ext-x-01-imagick.ini imagick; \
     ln -sf /dev/stdout /var/log/nginx/access.log; \
     ln -sf /dev/stderr /var/log/nginx/error.log; \
-    mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"; \
-    apk upgrade --no-cache;
+    mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini";
 
 COPY ./src /
 COPY ./custom_params.ini /usr/local/etc/php/conf.d/docker-php-ext-x-02-custom-params.ini
 
+RUN touch /env  \
+    && chown -R www-data:www-data /env \
+    && chown -R www-data:www-data /app \
+    && chown -R www-data:www-data /var/log/nginx \
+    && chown -R www-data:www-data /etc/service \
+    && chown -R www-data:www-data /var/run \
+    && chown -R www-data:www-data /var/lib/nginx \
+    && chown -R www-data:www-data /run/nginx
+
 RUN chmod +x \
    /sbin/runit-wrapper \
    /sbin/runsvdir-start \
    /etc/service/nginx/run \
    /etc/service/php-fpm/run
 
+USER www-data
+
 WORKDIR /app
 EXPOSE 80/tcp