Add Syft installation and SBOM generation to Docker workflow; update README for version 5.4.7

Author: EvanDarwin

.github/workflows/dockerimage.yml

@@ -37,6 +37,10 @@ jobs:
         echo "full_version=$FULL_VERSION" >> $GITHUB_OUTPUT
         echo "major_version=$MAJOR_VERSION" >> $GITHUB_OUTPUT
         echo "major_minor_version=$MAJOR_MINOR_VERSION" >> $GITHUB_OUTPUT
+
+    - name: Install Syft for SBOM generation
+      run: |
+        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
         
     - name: Build and push
       uses: docker/build-push-action@v4
@@ -49,7 +53,29 @@ jobs:
           evandarwin/lua:${{ steps.version.outputs.major_version }}
           evandarwin/lua:latest
         provenance: true
+        outputs: type=image,name=evandarwin/lua
         build-args: |
           BUILD_DATE=${{ github.event.repository.updated_at }}
           VCS_REF=${{ github.sha }}
           VERSION=${{ steps.version.outputs.full_version }}
+          
+    - name: Generate SBOM
+      if: github.event_name != 'pull_request'
+      run: |
+        # Create output directory
+        mkdir -p sbom
+        
+        # Generate SBOM in multiple formats
+        syft evandarwin/lua:${{ steps.version.outputs.full_version }} -o spdx-json=sbom/spdx.json
+        syft evandarwin/lua:${{ steps.version.outputs.full_version }} -o cyclonedx-json=sbom/cyclonedx.json
+        
+        # Optional: Generate human-readable text version
+        syft evandarwin/lua:${{ steps.version.outputs.full_version }} -o text=sbom/sbom.txt
+        
+    - name: Upload SBOM as artifact
+      if: github.event_name != 'pull_request'
+      uses: actions/upload-artifact@v3
+      with:
+        name: sbom-files
+        path: sbom/
+        retention-days: 7

README.md

@@ -6,11 +6,22 @@ A simple `alpine` docker image that includes the Lua runtime as well as [LuaRock
 
 ## Features
 
-- Lua 5.4.6 runtime
+- Lua 5.4.7 runtime
 - LuaRocks 3.9.2 package manager
 - Based on Alpine Linux for a minimal footprint
 - Container attestation and SBOM support
 
+## Available Tags
+
+Several version tags are available for flexibility:
+
+- `evandarwin/lua:5.4.7` - Specific version (e.g., 5.4.7)
+- `evandarwin/lua:5.4` - Major.Minor version (e.g., 5.4)
+- `evandarwin/lua:5` - Major version only (e.g., 5)
+- `evandarwin/lua:latest` - Latest stable release
+
+We recommend using the specific version tag for production environments to ensure stability, while the less specific tags can be used for development or when you want to automatically get updates.
+
 ## Docker Image Security
 
 This image includes supply chain security features:
@@ -20,25 +31,18 @@ This image includes supply chain security features:
 The image build process includes:
 - Docker provenance attestation
 - Software Bill of Materials (SBOM)
-- Container signing with Cosign
-
-### Verification
 
-You can verify the image attestations using [Cosign](https://github.com/sigstore/cosign):
+## Usage
 
 ```bash
-# Verify the signature
-cosign verify ghcr.io/evandarwin/lua:5.4.6
+# Pull a specific version
+docker pull evandarwin/lua:5.4.7
 
-# Download and view the SBOM
-cosign download sbom ghcr.io/evandarwin/lua:5.4.6 > sbom.spdx.json
-```
+# Or use the major.minor version
+docker pull evandarwin/lua:5.4
 
-## Usage
-
-```bash
-docker pull evandarwin/lua:5.4.6
-docker run -it evandarwin/lua:5.4.6 lua -e "print('Hello from Lua!')"
+# Run a Lua command
+docker run -it evandarwin/lua:5.4.7 lua -e "print('Hello from Lua!')"
 ```
 
 Have fun!