Nicolas-Peiffer
diff --git a/‎.github/workflows/base-container-build.yaml‎
Lines changed: 242 additions & 0 deletions b/‎.github/workflows/base-container-build.yaml‎
Lines changed: 242 additions & 0 deletions
diff --git a/‎Containerfile‎ ‎Containerfile.base‎Containerfile renamed to Containerfile.base b/‎Containerfile‎ ‎Containerfile.base‎Containerfile renamed to Containerfile.base
@@ -0,0 +1,242 @@
+# Using https://github.com/redhat-actions/buildah-build
+# doc https://github.com/marketplace/actions/buildah-build
+
+name: "Build a container that ship with goreleaser, cosign, ko-build, trivy, syft and push to GitHub Container Registry (GHCR)"
+
+on:
+    pull_request:
+      branches:
+        - main
+        - release/*
+    push:
+      branches:
+        - main
+        - buildah-redhat-ga # TODO: remove after testing
+
+# Variables:
+#  - BUILDAH_BUILD_CONTEXT is the path to the location of the Containerfile.
+#  - BASE_CONTAINERFILE_NAME is name and location of the Containerfile for base image with a /bin/bash entrypoint.
+#  - GOREL_ENTRYP_CONTAINERFILE_NAME is name and location of the Containerfile form image with ENTRYPOINT [ "/go/bin/goreleaser" ]
+env:
+    BUILDAH_BUILD_CONTEXT: "${{ github.workspace }}"
+    BASE_CONTAINERFILE_NAME: "Containerfile.base"
+    OCI_REGISTRY: "ghcr.io" # must be lowercase
+
+jobs:
+  set-lowercase-repository:
+    runs-on: ubuntu-latest
+    outputs:
+      lowercase-github-repository: ${{ steps.convert.outputs.lowercase }}
+    steps:
+      - name: Convert GitHub repository name to lowercase for OCI registry
+        id: convert
+        run: |
+          echo "lowercase=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+        shell: bash
+
+  show-lowercase-repository:
+    needs: set-lowercase-repository
+    runs-on: ubuntu-latest
+    steps:
+      - name: Access lowercase GitHub repository name
+        run: |
+          echo "Original Repository: ${{ github.repository }}"
+          echo "Lowercase Repository: ${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}"
+
+  # buildah job with oci = true
+  build-oci-true:
+    needs: set-lowercase-repository
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v5
+
+      - name: Extract Tools Versions from Containerfile as we use this in tags names
+        id: extract
+        run: |
+          # Extract values from the Containerfile
+          A_PARTICULAR_TAG_NAME=$(grep -m1 'ARG A_PARTICULAR_TAG_NAME=' $BUILDAH_BUILD_CONTEXT/$BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
+          echo "A_PARTICULAR_TAG_NAME=${A_PARTICULAR_TAG_NAME}" >> $GITHUB_OUTPUT
+
+          A_PARTICULAR_TAG_SEMVER=$(grep -m1 'ARG A_PARTICULAR_TAG_SEMVER=' $BUILDAH_BUILD_CONTEXT/$BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
+          echo "A_PARTICULAR_TAG_SEMVER=${A_PARTICULAR_TAG_SEMVER}" >> $GITHUB_OUTPUT
+
+          ALPINE_VERSION=$(grep -m1 'ARG ALPINE_VERSION=' $BUILDAH_BUILD_CONTEXT/$BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
+          echo "ALPINE_VERSION=${ALPINE_VERSION}" >> $GITHUB_OUTPUT
+
+      - uses: docker/login-action@v3
+        id: docker-login
+        with:
+          registry: ${{ env.OCI_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set OCI container image URL to Github output
+        id: set-oci-image-url
+        run: echo "OCI_IMAGE_URL=${{ env.OCI_REGISTRY }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}-base" >> $GITHUB_OUTPUT
+
+      - name: Container metadata and tags with docker/metadata-action
+        id: docker-metadata
+        uses: docker/metadata-action@v5
+        with:
+          # image name may contain lowercase letters, digits and separators https://github.com/docker/metadata-action/tree/v5/?tab=readme-ov-file#image-name-and-tag-sanitization
+          images: ${{ steps.set-oci-image-url.outputs.oci_image_url }}
+          tags: |
+            type=ref,event=branch
+            # use tools version as tags
+            type=raw,value=a-particular-tag-${{ steps.extract.outputs.a_particular_tag_name }}-oci
+            type=raw,value=a-particular-tag-semver-${{ steps.extract.outputs.a_particular_tag_semver }}-oci
+            type=raw,value=alpine-${{ steps.extract.outputs.alpine_version }}-oci
+
+            type=raw,value=a-particular-tag-${{ steps.extract.outputs.a_particular_tag_name }}-oci-alpine-${{ steps.extract.outputs.alpine_version }}
+            type=raw,value=a-particular-tag-semver-${{ steps.extract.outputs.a_particular_tag_semver }}-oci-alpine-${{ steps.extract.outputs.alpine_version }}
+
+            # minimal (short sha)
+            type=sha
+            # full length sha
+            type=sha,format=long
+
+      - name: Build the OCI image buildah oci true
+        id: buildah
+        uses: redhat-actions/buildah-build@v2
+        with:
+          #context: ${{ env.BUILDAH_BUILD_CONTEXT }}
+          containerfiles: |
+            ${{ env.BASE_CONTAINERFILE_NAME }}
+          layers: true
+          oci: true
+          tags: ${{ steps.docker-metadata.outputs.tags }}
+          #labels: ${{ steps.docker-metadata.outputs.labels }}
+      
+      - name: Check images created by buildah
+        run: buildah images
+
+      - name: push to ghcr registry with redhat-actions/push-to-registry
+        id: push-to-ghcr
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.set-oci-image-url.outputs.oci_image_url }} # needs to be lowercase
+          tags: ${{ steps.buildah.outputs.tags }}
+          registry: ${{ env.OCI_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+    outputs:
+      oci-image-digest: ${{ steps.buildah.outputs.digest }}
+      oci-image-url: ${{ steps.set-oci-image-url.outputs.oci_image_url }} # needs to be lowercase
+
+  # buildah job with oci = false
+  build-oci-false:
+    needs: set-lowercase-repository
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v5
+
+      - name: Extract Tools Versions from Containerfile as we use this in tags names
+        id: extract
+        run: |
+          # Extract values from the Containerfile
+          A_PARTICULAR_TAG_NAME=$(grep -m1 'ARG A_PARTICULAR_TAG_NAME=' $BUILDAH_BUILD_CONTEXT/$BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
+          echo "A_PARTICULAR_TAG_NAME=${A_PARTICULAR_TAG_NAME}" >> $GITHUB_OUTPUT
+
+          A_PARTICULAR_TAG_SEMVER=$(grep -m1 'ARG A_PARTICULAR_TAG_SEMVER=' $BUILDAH_BUILD_CONTEXT/$BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
+          echo "A_PARTICULAR_TAG_SEMVER=${A_PARTICULAR_TAG_SEMVER}" >> $GITHUB_OUTPUT
+
+          ALPINE_VERSION=$(grep -m1 'ARG ALPINE_VERSION=' $BUILDAH_BUILD_CONTEXT/$BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
+          echo "ALPINE_VERSION=${ALPINE_VERSION}" >> $GITHUB_OUTPUT
+
+      - uses: docker/login-action@v3
+        id: docker-login
+        with:
+          registry: ${{ env.OCI_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set OCI container image URL to Github output
+        id: set-oci-image-url
+        run: echo "OCI_IMAGE_URL=${{ env.OCI_REGISTRY }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}-base" >> $GITHUB_OUTPUT
+
+      - name: Container metadata and tags with docker/metadata-action
+        id: docker-metadata
+        uses: docker/metadata-action@v5
+        with:
+          # image name may contain lowercase letters, digits and separators https://github.com/docker/metadata-action/tree/v5/?tab=readme-ov-file#image-name-and-tag-sanitization
+          images: ${{ steps.set-oci-image-url.outputs.oci_image_url }}
+          tags: |
+            type=ref,event=branch
+            # use tools version as tags
+            type=raw,value=a-particular-tag-${{ steps.extract.outputs.a_particular_tag_name }}-dockerv2
+            type=raw,value=a-particular-tag-semver-${{ steps.extract.outputs.a_particular_tag_semver }}-dockerv2
+            type=raw,value=alpine-${{ steps.extract.outputs.alpine_version }}-dockerv2
+
+            type=raw,value=a-particular-tag-${{ steps.extract.outputs.a_particular_tag_name }}-dockerv2-alpine-${{ steps.extract.outputs.alpine_version }}
+            type=raw,value=a-particular-tag-semver-${{ steps.extract.outputs.a_particular_tag_semver }}-dockerv2-alpine-${{ steps.extract.outputs.alpine_version }}
+
+            # minimal (short sha)
+            type=sha
+            # full length sha
+            type=sha,format=long
+
+      - name: Build the OCI image buildah oci false
+        id: buildah
+        uses: redhat-actions/buildah-build@v2
+        with:
+          #context: ${{ env.BUILDAH_BUILD_CONTEXT }}
+          containerfiles: |
+            ${{ env.BASE_CONTAINERFILE_NAME }}
+          layers: true
+          oci: false
+          tags: ${{ steps.docker-metadata.outputs.tags }}
+          #labels: ${{ steps.docker-metadata.outputs.labels }}
+      
+      - name: Check images created by buildah
+        run: buildah images
+
+      - name: push to ghcr registry with redhat-actions/push-to-registry
+        id: push-to-ghcr
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.set-oci-image-url.outputs.oci_image_url }} # needs to be lowercase
+          tags: ${{ steps.buildah.outputs.tags }}
+          registry: ${{ env.OCI_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+    outputs:
+      oci-image-digest: ${{ steps.buildah.outputs.digest }}
+      oci-image-url: ${{ steps.set-oci-image-url.outputs.oci_image_url }} # needs to be lowercase
+
+
+  # Job to build a SLSA provenance attestation
+  base-image-provenance:
+    name: Generate SLSA provenance attestation for OCI (base image entrypoint /bin/bash)
+    needs: [build-oci-true, set-lowercase-repository]  # Ensure this job runs after build-oci-true
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing. Required for SLSA and Cosign
+      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
+      # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    with:
+      image: ${{ needs.build-oci-true.outputs.oci-image-url }} # needs to be lowercase
+      digest: ${{ needs.build-oci-true.outputs.oci-image-digest }}
+    secrets:
+      registry-username: ${{ github.actor }}
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  goreleaser-entryp-image-provenance:
+    name: Generate SLSA provenance attestation for OCI (entrypoint goreleaser)
+    needs: [build-oci-false]  # Ensure this job runs after build-oci-true
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing. Required for SLSA and Cosign
+      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
+      # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    with:
+      image: ${{ needs.build-oci-false.outputs.oci-image-url }} # needs to be lowercase
+      digest: ${{ needs.build-oci-false.outputs.oci-image-digest }}
+    secrets:
+      registry-username: ${{ github.actor }}
+      registry-password: ${{ secrets.GITHUB_TOKEN }}