Build chainguard/busybox based images for use with GitHub Actions
We would like the option of running AllStar as a GitHub Action. The current container image uses `cgr.dev/chainguard/static` which is an excellent minimal base with very little surface area. Unfortunately, GitHub Actions requires `tail` to be available for use as a container:

~~~sh
/usr/bin/docker create --name ... --label ... --workdir /__w/.allstar/.allstar --network ...  -e "HOME=/github/home" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work":"/__w" -v "/home/runner/runners/2.306.0/externals":"/__e":ro -v "/home/runner/work/_temp":"/__w/_temp" -v "/home/runner/work/_actions":"/__w/_actions" -v "/opt/hostedtoolcache":"/__t" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflo→
~~~

This change updates the build workflow to build a second image based on `cgr.dev/chainguard/busybox` with the tag `VERSION-busybox`.
Combining this image with use of the `-once` flag makes it possible to run AllStar in GitHub Actions.

Example GitHub Actions jobs YAML:
~~~yaml
name: "Scheduled AllStar Enforcement"
on:
  schedule:
  - cron: "0 * * * *"

jobs:
  deployment:
    runs-on: ubuntu-latest
    container: ghcr.io/ossf/allstar:v3.1-busybox
    environment: prod
    steps:
      - name: "AllStar Enforce"
        env:
          APP_ID: ${{ vars.APP_ID }}
          KEY_SECRET: ${{ vars.KEY_SECRET }}
          PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
        run: /ko-app/allstar -once
~~~

The standard minimal `cgr.dev/chainguard/stable` images are still built.

Signed-off-by: Paul Hirsch <paul.hirsch@gsa.gov>
pauldoomgov authored and jeffmendoza committed Jul 31, 2023
1 parent d2772b7 commit 7abad14
Showing 1 changed file with 10 additions and 2 deletions.
12 changes: 10 additions & 2 deletions .github/workflows/release.yaml
Expand Up @@ -30,11 +30,19 @@ jobs:
- run: ko publish -B ./cmd/allstar --tags ${{ github.ref_name }} --image-refs allstar.ref
env:
KO_DOCKER_REPO: ghcr.io/${{ github.repository_owner }}

- run: ko publish -B ./cmd/allstar --tags ${{ github.ref_name }}-busybox --image-refs allstar-busybox.ref
env:
KO_DOCKER_REPO: ghcr.io/${{ github.repository_owner }}
KO_DEFAULTBASEIMAGE: cgr.dev/chainguard/busybox
- run: |
echo "signing $(cat allstar.ref)"
cosign sign --yes -a git_sha="$GITHUB_SHA" "$(cat allstar.ref)"
echo "signing $(cat allstar-busybox.ref)"
cosign sign --yes -a git_sha="$GITHUB_SHA" "$(cat allstar-busybox.ref)"
- run: gh release create ${{ github.ref_name }} --notes "ghcr.io/${{ github.repository_owner }}/allstar:${{ github.ref_name }}"
- run: |
gh release create ${{ github.ref_name }} --notes "Images:
* ghcr.io/${{ github.repository_owner }}/allstar:${{ github.ref_name }}
* ghcr.io/${{ github.repository_owner }}/allstar:${{ github.ref_name }}-busybox"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
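Review bot: the new busybox publish step pins its base image only by tag (`KO_DEFAULTBASEIMAGE: cgr.dev/chainguard/busybox`), so each release silently picks up whatever that tag points to at build time and two builds of the same allstar tag can yield different images; pin the base by digest (`cgr.dev/chainguard/busybox@sha256:<digest>`, with the digest recorded in the repository and bumped deliberately) or verify the base image's signature before `ko publish`, so that the `cosign sign` step further down attests a known base rather than a moving one. Minor: `KO_DOCKER_REPO` is now set identically in two steps; hoisting it to a job-level `env:` keeps the two publish steps from drifting apart.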
