From a0d7867395696734e564d86331b0dcec5cfdfb25 Mon Sep 17 00:00:00 2001
From: Gil Desmarais
Date: Mon, 30 Jun 2025 17:40:09 +0200
Subject: [PATCH 1/8] ci: build docker images for amd64+arm64
---
 .github/workflows/test_build_push.yml | 64 ++++++++++++++++++++++++---
 bin/docker-push | 6 ---
 2 files changed, 58 insertions(+), 12 deletions(-)
 delete mode 100755 bin/docker-push
diff --git a/.github/workflows/test_build_push.yml b/.github/workflows/test_build_push.yml
index 49d3ae13..45314d49 100644
--- a/.github/workflows/test_build_push.yml
+++ b/.github/workflows/test_build_push.yml
@@ -50,11 +50,63 @@ jobs: - hadolint - ruby runs-on: ubuntu-latest + permissions: + contents: read + packages: write + env: + IMAGE_NAME: gilcreator/html2rss-web steps: - - uses: actions/checkout@v4 - - run: bin/docker-build + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + # - name: Log in to DockerHub + # uses: docker/login-action@v3 + # with: + # username: ${{ secrets.DOCKERHUB_USERNAME }} + # password: ${{ secrets.DOCKERHUB_TOKEN }} + + # - name: Log in to GitHub Container Registry (GHCR) + # uses: docker/login-action@v3 + # with: + # registry: ghcr.io + # username: ${{ github.actor }} + # password: ${{ secrets.GITHUB_TOKEN }} + + - name: Cache Docker layers + uses: actions/cache@v4 + with: + path: /tmp/.buildx-cache + key: ${{ runner.os }}-buildx-${{ github.sha }} + restore-keys: | + ${{ runner.os }}-buildx- + + - name: Build and push Docker image + uses: docker/build-push-action@v5 + with: + context: . + push: false + # tags: | + # gilcreator/html2rss-web:latest + # ghcr.io/${{ github.repository_owner }}/html2rss-web:latest + platforms: linux/amd64,linux/arm64 + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache-new + + - name: Scan Docker image for vulnerabilities + uses: aquasecurity/trivy-action@v0.18.0 + with: + image-ref: gilcreator/html2rss-web:latest + format: table + exit-code: 0 + ignore-unfixed: true - - run: bin/docker-push - env: - DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} + - name: Move updated cache into place + run: | + rm -rf /tmp/.buildx-cache + mv /tmp/.buildx-cache-new /tmp/.buildx-cache diff --git a/bin/docker-push b/bin/docker-push deleted file mode 100755 index b3cf5631..00000000 --- a/bin/docker-push +++ /dev/null 
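Review bot: The Trivy step scans `image-ref: gilcreator/html2rss-web:latest`, but the build step before it has `push: false`, its `tags:` commented out and no `load:`, and a `linux/amd64,linux/arm64` buildx build cannot be loaded into the runner's docker daemon anyway, so that reference most likely resolves to the already-published image pulled from Docker Hub rather than the image just built; with `exit-code: 0` on top, the scan gates nothing. Consider producing a single-platform image with `load: true` and a local tag for the scan (or scanning the pushed digest later) and raising `exit-code` once it targets the right artifact. Separately, `packages: write` is granted although both login steps are commented out and nothing pushes to GHCR, so `permissions: contents: read` alone is the least-privilege setting, and every `uses:` here is pinned to a mutable tag (`@v4`, `@v3`, `@v5`, `@v0.18.0`) rather than a full commit SHA, the usual supply-chain hardening for third-party actions. The `docker-push` job this hunk edits starts outside the hunk.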
@@ -1,6 +0,0 @@ -#!/bin/bash -set -euo pipefail - -echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin - -docker push gilcreator/html2rss-web From e4a9c2772976024c3b5766f6001a342155233d8a Mon Sep 17 00:00:00 2001 From: Gil Desmarais Date: Mon, 30 Jun 2025 17:43:46 +0200 Subject: [PATCH 2/8] comment out if / skip condition --- .github/workflows/test_build_push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test_build_push.yml b/.github/workflows/test_build_push.yml index 45314d49..b237baad 100644 --- a/.github/workflows/test_build_push.yml +++ b/.github/workflows/test_build_push.yml @@ -44,7 +44,7 @@ jobs: bundle exec rake docker-push: - if: ${{ github.ref == 'refs/heads/master' }} + # if: ${{ github.ref == 'refs/heads/master' }} needs: - docker-test - hadolint From 7abfc93f1278f2da5eab4990b07f247443a9c93c Mon Sep 17 00:00:00 2001 From: Gil Desmarais Date: Mon, 30 Jun 2025 17:46:18 +0200 Subject: [PATCH 3/8] use recent version of aquasecurity/trivy-action --- .github/workflows/test_build_push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test_build_push.yml b/.github/workflows/test_build_push.yml index b237baad..42a10477 100644 --- a/.github/workflows/test_build_push.yml +++ b/.github/workflows/test_build_push.yml @@ -99,7 +99,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Scan Docker image for vulnerabilities - uses: aquasecurity/trivy-action@v0.18.0 + uses: aquasecurity/trivy-action@0.28.0 with: image-ref: gilcreator/html2rss-web:latest format: table From 26825d07d79428b992211bb13a1e74f178b8ab5d Mon Sep 17 00:00:00 2001 From: Gil Desmarais Date: Mon, 30 Jun 2025 18:04:14 +0200 Subject: [PATCH 4/8] generate sbom and upload+inline Signed-off-by: Gil Desmarais --- .github/workflows/test_build_push.yml | 46 +++++++++++++++++++++++---- 1 file changed, 39 insertions(+), 7 deletions(-) 
diff --git a/.github/workflows/test_build_push.yml b/.github/workflows/test_build_push.yml
index 42a10477..ab4d78f9 100644
--- a/.github/workflows/test_build_push.yml
+++ b/.github/workflows/test_build_push.yml
@@ -86,25 +86,57 @@ jobs: restore-keys: | ${{ runner.os }}-buildx- + - name: Generate SBOM + uses: anchore/sbom-action@v0.15.3 + with: + image: gilcreator/html2rss-web:latest + output-file: sbom.spdx.json + + - name: Upload SBOM Artifact + uses: actions/upload-artifact@v4 + with: + name: sbom + path: sbom.spdx.json + + # - name: Publish SBOM to Docker Hub Description + # env: + # DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + # DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} + # run: | + # curl -s -X PATCH "https://hub.docker.com/v2/repositories/${IMAGE_NAME}/" \ + # -H "Content-Type: application/json" \ + # -u "$DOCKERHUB_USERNAME:$DOCKERHUB_TOKEN" \ + # -d '{"full_description": "Auto-generated SBOM: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts"}' + - name: Build and push Docker image uses: docker/build-push-action@v5 with: context: . push: false - # tags: | - # gilcreator/html2rss-web:latest - # ghcr.io/${{ github.repository_owner }}/html2rss-web:latest + tags: | + gilcreator/html2rss-web:latest + ghcr.io/${{ github.repository_owner }}/html2rss-web:latest platforms: linux/amd64,linux/arm64 cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache-new - - - name: Scan Docker image for vulnerabilities - uses: aquasecurity/trivy-action@0.28.0 + provenance: true + labels: | + org.opencontainers.image.source=https://github.com/${{ github.repository }} + org.opencontainers.image.created=${{ github.event.head_commit.timestamp }} + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.title=html2rss-web + org.opencontainers.image.description=Generates RSS feeds of any website & serves to the web! 
+ org.opencontainers.image.sbom=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts + + - name: Scan Docker image for vulnerabilities (Trivy) + uses: aquasecurity/trivy-action@0.31.0 with: image-ref: gilcreator/html2rss-web:latest format: table - exit-code: 0 + exit-code: 1 ignore-unfixed: true + vuln-type: os,library + severity: CRITICAL,HIGH - name: Move updated cache into place run: | From 5bd6d7ca4a6113c70921bc7f23fa1a1ff98abc89 Mon Sep 17 00:00:00 2001 From: Gil Desmarais Date: Mon, 30 Jun 2025 18:18:32 +0200 Subject: [PATCH 5/8] fix order --- .github/workflows/test_build_push.yml | 40 +++++++-------------------- 1 file changed, 10 insertions(+), 30 deletions(-) diff --git a/.github/workflows/test_build_push.yml b/.github/workflows/test_build_push.yml index ab4d78f9..40f4a9a8 100644 --- a/.github/workflows/test_build_push.yml +++ b/.github/workflows/test_build_push.yml @@ -86,28 +86,6 @@ jobs: restore-keys: | ${{ runner.os }}-buildx- - - name: Generate SBOM - uses: anchore/sbom-action@v0.15.3 - with: - image: gilcreator/html2rss-web:latest - output-file: sbom.spdx.json - - - name: Upload SBOM Artifact - uses: actions/upload-artifact@v4 - with: - name: sbom - path: sbom.spdx.json - - # - name: Publish SBOM to Docker Hub Description - # env: - # DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - # DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} - # run: | - # curl -s -X PATCH "https://hub.docker.com/v2/repositories/${IMAGE_NAME}/" \ - # -H "Content-Type: application/json" \ - # -u "$DOCKERHUB_USERNAME:$DOCKERHUB_TOKEN" \ - # -d '{"full_description": "Auto-generated SBOM: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts"}' - - name: Build and push Docker image uses: docker/build-push-action@v5 with: 
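Review bot: `org.opencontainers.image.sbom` is set to the run's artifacts page rather than to an SBOM, and artifacts uploaded by `actions/upload-artifact` expire after the repository's retention period, so the label on a long-lived image will eventually point at nothing; build-push-action's `sbom: true` input attaches an SBOM attestation to the image itself, which is what a consumer resolving that label would expect and what the README added later in this series describes. `org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}` is only populated on `push` events, so on any other trigger — the workflow's `on:` block is not in view — that label is written empty. The Generate SBOM step also reads `gilcreator/html2rss-web:latest`, which with `push: false` and a multi-platform build is not present in the local daemon, so the SBOM would describe whatever `latest` is pulled from the registry rather than this build. The enclosing `steps:` list continues outside the hunk.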
@@ -128,15 +106,17 @@ jobs: org.opencontainers.image.description=Generates RSS feeds of any website & serves to the web! org.opencontainers.image.sbom=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts - - name: Scan Docker image for vulnerabilities (Trivy) - uses: aquasecurity/trivy-action@0.31.0 + - name: Generate SBOM + uses: anchore/sbom-action@v0.20.1 + with: + image: gilcreator/html2rss-web:latest + output-file: sbom.spdx.json + + - name: Upload SBOM Artifact + uses: actions/upload-artifact@v4 with: - image-ref: gilcreator/html2rss-web:latest - format: table - exit-code: 1 - ignore-unfixed: true - vuln-type: os,library - severity: CRITICAL,HIGH + name: sbom + path: sbom.spdx.json - name: Move updated cache into place run: | From 6e740a18f8d8e63b35db2c270a792a5f3c06e664 Mon Sep 17 00:00:00 2001 From: Gil Desmarais Date: Mon, 30 Jun 2025 18:22:46 +0200 Subject: [PATCH 6/8] tag images with sha Signed-off-by: Gil Desmarais --- .github/workflows/test_build_push.yml | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/.github/workflows/test_build_push.yml b/.github/workflows/test_build_push.yml index 40f4a9a8..0fdfa553 100644 --- a/.github/workflows/test_build_push.yml +++ b/.github/workflows/test_build_push.yml @@ -55,6 +55,7 @@ jobs: packages: write env: IMAGE_NAME: gilcreator/html2rss-web + TAG_SHA: ${{ github.sha }} steps: - name: Checkout code uses: actions/checkout@v4 
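Review bot: This hunk deletes the Trivy scan step (`exit-code: 1`, `severity: CRITICAL,HIGH`) along with the reorder, and no later commit in the series restores it, so once `push: true` is enabled two commits later images reach Docker Hub with no vulnerability gate; the subject "fix order" suggests that was not the intent. If the removal is deliberate, the commit message should say so; otherwise re-add the step between the build and the Generate SBOM step. The `steps:` list continues on both sides of the hunk.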
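Review bot: `TAG_SHA: ${{ github.sha }}` is added to the job `env:` but nothing in this commit reads it — the tag and SBOM steps use `${{ github.sha }}` directly — so the line is dead configuration; either reference it (`gilcreator/html2rss-web:${{ env.TAG_SHA }}`) or drop it. The `IMAGE_NAME` value added earlier in the series is in the same situation. The job's `env:` block is only partly visible in this hunk.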
@@ -65,18 +66,11 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - # - name: Log in to DockerHub - # uses: docker/login-action@v3 - # with: - # username: ${{ secrets.DOCKERHUB_USERNAME }} - # password: ${{ secrets.DOCKERHUB_TOKEN }} - - # - name: Log in to GitHub Container Registry (GHCR) - # uses: docker/login-action@v3 - # with: - # registry: ghcr.io - # username: ${{ github.actor }} - # password: ${{ secrets.GITHUB_TOKEN }} + - name: Log in to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} - name: Cache Docker layers uses: actions/cache@v4 @@ -93,7 +87,7 @@ jobs: push: false tags: | gilcreator/html2rss-web:latest - ghcr.io/${{ github.repository_owner }}/html2rss-web:latest + gilcreator/html2rss-web:${{ github.sha }} platforms: linux/amd64,linux/arm64 cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache-new @@ -109,7 +103,7 @@ jobs: - name: Generate SBOM uses: anchore/sbom-action@v0.20.1 with: - image: gilcreator/html2rss-web:latest + image: gilcreator/html2rss-web:${{ github.sha }} output-file: sbom.spdx.json - name: Upload SBOM Artifact From e121ff1a003eed052bf4495d86248fe21f72259e Mon Sep 17 00:00:00 2001 From: Gil Desmarais Date: Mon, 30 Jun 2025 18:29:54 +0200 Subject: [PATCH 7/8] let's go. comment in if and push. --- .github/workflows/test_build_push.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test_build_push.yml b/.github/workflows/test_build_push.yml index 0fdfa553..590863f4 100644 --- a/.github/workflows/test_build_push.yml +++ b/.github/workflows/test_build_push.yml @@ -44,7 +44,7 @@ jobs: bundle exec rake docker-push: - # if: ${{ github.ref == 'refs/heads/master' }} + if: ${{ github.ref == 'refs/heads/master' }} needs: - docker-test - hadolint 
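Review bot: The Docker Hub login is enabled while the job-level `if: github.ref == 'refs/heads/master'` is still commented out (since the second commit) and `push` is still `false`, so at this commit the registry credentials are consumed on every run of the job for any ref; on a `pull_request` from a fork, secrets are not available and the step would fail the job (the workflow's `on:` triggers are outside the hunk). Gating the login step itself with `if: github.ref == 'refs/heads/master'` keeps the credential use independent of the job condition being restored. If `DOCKER_PASSWORD` holds the account password rather than a Docker Hub access token scoped to this repository, a scoped token is the safer secret to keep in Actions, and it can be rotated without touching the account. The `steps:` list continues outside the hunk on both sides.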
@@ -84,7 +84,7 @@ jobs: uses: docker/build-push-action@v5 with: context: . - push: false + push: true tags: | gilcreator/html2rss-web:latest gilcreator/html2rss-web:${{ github.sha }} From b61f8a7ccf73fa94149e37100e17f5848606be03 Mon Sep 17 00:00:00 2001 From: Gil Desmarais Date: Mon, 30 Jun 2025 18:33:28 +0200 Subject: [PATCH 8/8] add note on sbom --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 785329eb..be81611d 100644 --- a/README.md +++ b/README.md @@ -137,6 +137,7 @@ Please refer to [html2rss' README for a description of _the feed config and its This web application is distributed in a [rolling release](https://en.wikipedia.org/wiki/Rolling_release) fashion from the `master` branch. For the latest commit passing GitHub CI/CD on the master branch, an updated Docker image will be pushed to [Docker Hub: `gilcreator/html2rss-web`](https://hub.docker.com/r/gilcreator/html2rss-web). +The [SBOM](https://en.wikipedia.org/wiki/Software_supply_chain) is embedded as an OCI label in the Docker image and is [also available as a build artifact](https://github.com/html2rss/html2rss-web/actions/workflows/test_build_push.yml?query=branch%3Amaster). GitHub's @dependabot is enabled for dependency updates and they are automatically merged to the `master` branch when the CI gives the green light.
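Review bot: With `push: true` the job now publishes `latest` and `:${{ github.sha }}` to Docker Hub, but the Trivy scan was removed in the "fix order" commit and nothing in the series re-adds it, so images are published without any vulnerability check; either restore the scan before this step (on a single-platform `load: true` build) or scan the pushed digest and treat a failure as a release blocker. The job's `permissions` still grant `packages: write`, which a Docker Hub push does not need and no GHCR push remains, so `contents: read` alone would satisfy least privilege. The build-push-action step this hunk edits begins outside the hunk.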