From 1071368ea85452cd2fd64af4420549bd5fadce58 Mon Sep 17 00:00:00 2001
From: Luca Comellini
Date: Wed, 5 Feb 2025 19:30:29 -0800
Subject: [PATCH] Build packages for s390x
---
 .github/workflows/docker.yml | 56 +++++++++++++++++++++++-------------
 1 file changed, 36 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 9586699..17e8469 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -17,10 +17,6 @@ on:
 types: [update]
 workflow_dispatch:
-env:
- PLATFORMS: "linux/amd64, linux/arm64, linux/s390x"
- BUILD_PLATFORMS: "linux/ppc64le"
-
 concurrency:
 group: ${{ github.ref_name }}-ci
 cancel-in-progress: true
@@ -36,6 +32,11 @@ jobs:
 contents: read
 security-events: write
 packages: write
+ services:
+ registry:
+ image: registry:2
+ ports:
+ - 5000:5000
 steps:
 - name: Checkout Repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -81,8 +82,9 @@ jobs:
 uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: |
- nginxcontrib/nginx-ubi
- ghcr.io/lucacome/nginx-ubi
+ name=nginxcontrib/nginx-ubi,enable=${{ github.event_name != 'pull_request' }}
+ name=ghcr.io/lucacome/nginx-ubi,enable=${{ github.event_name != 'pull_request' }}
+ name=localhost:5000/nginx-ubi/local-ubi
 tags: |
 type=raw,value=${{ steps.var.outputs.nginx_version }}
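Review bot: The `image: registry:2` line in the new `services:` block references a mutable tag, while every `uses:` in this workflow is pinned to a commit SHA; this registry now sits in the build-and-scan path of every image, so pin it by digest as well, `image: registry:2@sha256:<verified digest>`, and bump it deliberately. The service is published on the runner's loopback only (`5000:5000`), which is the right exposure for a plain-HTTP registry; a comment such as `# plain HTTP, must stay bound to localhost` would keep a later editor from widening it. Note also that a buildx builder using the docker-container driver presumably cannot reach `localhost:5000` unless its setup step (outside this hunk) sets `driver-opts: network=host` — worth confirming since the setup step is not in view.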
@@ -91,16 +93,15 @@ jobs:
 id: build
 with:
 pull: true
- load: ${{ github.event_name == 'pull_request' }}
- push: ${{ github.event_name != 'pull_request' }}
- platforms: ${{ github.event_name != 'pull_request' && env.BUILD_PLATFORMS || '' }}
+ push: true
+ platforms: "linux/ppc64le, linux/s390x"
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha,scope=source
 cache-to: type=gha,scope=source,mode=max
 target: final
- provenance: ${{ github.event_name != 'pull_request' && 'mode=max' || 'false' }}
- sbom: ${{ github.event_name != 'pull_request' }}
+ provenance: mode=max
+ sbom: true
 build-args: |
 NGINX=${{ steps.var.outputs.nginx_version }}
 NJS=${{ steps.var.outputs.njs_version }}
@@ -110,17 +111,16 @@ jobs:
 id: build-prebuilt
 with:
 pull: true
- load: ${{ github.event_name == 'pull_request' }}
- push: ${{ github.event_name != 'pull_request' }}
- platforms: ${{ github.event_name != 'pull_request' && env.PLATFORMS || '' }}
+ push: true
+ platforms: "linux/amd64, linux/arm64"
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha,scope=prebuilt
 cache-to: type=gha,scope=prebuilt,mode=max
 target: final
 file: Dockerfile.prebuilt
- provenance: ${{ github.event_name != 'pull_request' }}
- sbom: ${{ github.event_name != 'pull_request' }}
+ provenance: mode=max
+ sbom: true
 build-args: |
 NGINX=${{ steps.var.outputs.nginx_version }}
 NJS=${{ steps.var.outputs.njs_version }}
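Review bot: The new `push: true` / `platforms: "linux/ppc64le, linux/s390x"` lines push an image index for those two platforms to `${{ steps.meta.outputs.tags }}`, and the `build-prebuilt` step below pushes amd64/arm64 to the very same tags; a `buildx build --push` writes a fresh index for the tag rather than merging into an existing one, so unless a step outside this hunk combines the two indexes, the second push appears to replace the first and the s390x/ppc64le manifests this commit introduces would not be reachable from the published tag. The only `imagetools create` I can see (last hunk) retags `nginx-ubi` to `nginx:…-ubi` from a single source, so I could not find such a merge — please confirm. If there is none, push each build under a distinct intermediate tag and merge once, e.g. `docker buildx imagetools create -t <final tag> <source tag> <prebuilt tag>`. The build step's `name:`/`uses:` lines are above this hunk.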
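Review bot: `provenance: mode=max` is now unconditional in the `build-prebuilt` step (and in the `build` step above), and max mode embeds the resolved Dockerfile and every `build-args` value in the SLSA attestation pushed with the image; that is fine for the `NGINX`/`NJS` version strings shown here, but any credential later added as a build-arg would be published, so a comment above the key, `# mode=max publishes build-args in the attestation; pass credentials via secrets:, never build-args`, would protect the next editor. On style, the platform lists that were previously centralized in one `env:` block are now hard-coded in two steps with no explanation of why ppc64le/s390x are built from source while amd64/arm64 use `Dockerfile.prebuilt`; a one-line comment on each `platforms:` key, e.g. `# prebuilt NGINX packages exist only for these architectures`, would make the split intentional rather than accidental.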
@@ -138,17 +138,33 @@ jobs:
 docker buildx imagetools create ghcr.io/lucacome/nginx-ubi:${{ steps.meta.outputs.version }} --tag ghcr.io/lucacome/nginx:${{ steps.meta.outputs.version }}-ubi
 if: github.event_name != 'pull_request'
- - name: Scan image
- uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6.1.0
+ - name: Inspect SBOM and output manifest
+ run: |
+ docker buildx imagetools inspect localhost:5000/nginx-ubi/local-ubi:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom.json
+ docker buildx imagetools inspect localhost:5000/nginx-ubi/local-ubi:${{ steps.meta.outputs.version }} --raw
+
+ - name: Scan SBOM
 id: scan
- continue-on-error: true
+ uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6.1.0
 with:
- image: nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }}
+ sbom: "sbom.json"
 only-fixed: true
 add-cpes-if-none: true
+ fail-build: false
 - name: Upload scan result to GitHub Security tab
 uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
 continue-on-error: true
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}
+ if: always()
+
+ - name: Upload Scan Results
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ continue-on-error: true
+ with:
+ name: scan-results
+ path: |
+ ${{ steps.scan.outputs.sarif }}
+ *.json
+ if: always()
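Review bot: The `Inspect SBOM and output manifest` step extracts only the `linux/amd64` SBOM (`index .SBOM "linux/amd64"`), and that single `sbom.json` is all the `Scan SBOM` step checks, so the source-built ppc64le/s390x images this commit adds — produced from a different Dockerfile and therefore a different package set — are never scanned. Either extract and scan one SBOM per platform (a matrix over the four platforms, or a loop writing `sbom-<platform>.json` followed by one scan step per file), or at minimum add a second extraction for `linux/s390x` and scan it too. `fail-build: false` means findings can never fail the workflow, which matches the old `continue-on-error: true` but deserves a comment on the key, `# advisory only: findings are uploaded to the Security tab, not enforced`. The artifact `path:` glob `*.json` will also ship any JSON file in the workspace, not just the SBOM; listing the files explicitly avoids uploading unrelated output.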