From 9513b932b9987f148f2052358749785a67a0494d Mon Sep 17 00:00:00 2001
From: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
Date: Wed, 13 Nov 2024 16:36:52 +0100
Subject: [PATCH] Adding a second job to create a second container image with a different entrypoint which is goreleaser itself
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
---
 .github/workflows/base-container-build.yaml | 102 +++++++++++++++---
 ...er-ko-cosign-trivy-syft-x86-arm64-root-usr | 73 +++++++++++++
 2 files changed, 163 insertions(+), 12 deletions(-)
 create mode 100644 Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr
diff --git a/.github/workflows/base-container-build.yaml b/.github/workflows/base-container-build.yaml
index 013aeb1..1c3811c 100644
--- a/.github/workflows/base-container-build.yaml
+++ b/.github/workflows/base-container-build.yaml
@@ -17,41 +17,44 @@ on: # Global KANIKO Variables: # See: https://github.com/int128/kaniko-action # - KANIKO_BUILD_CONTEXT is the path to the location of the Containerfile. -# - CONTAINERFILE_NAME is name and location of the Containerfile. +# - BASE_CONTAINERFILE_NAME is name and location of the Containerfile for base image with a /bin/bash entrypoint. +# - GOREL_ENTRYP_CONTAINERFILE_NAME is name and location of the Containerfile form image with ENTRYPOINT [ "/go/bin/goreleaser" ] env: KANIKO_BUILD_CONTEXT: "${{ github.workspace }}" - CONTAINERFILE_NAME: "${{ github.workspace }}/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr.base" + BASE_CONTAINERFILE_NAME: "${{ github.workspace }}/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr.base" + GOREL_ENTRYP_CONTAINERFILE_NAME: "${{ github.workspace }}/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr" jobs: - build: + # goreleaser-glibc-image-base has a /bin/bash entrypoint + build-base-image: runs-on: ubuntu-latest steps: - name: Checkout source code uses: actions/checkout@v4 - - name: Extract Tools Versions from Containerfile + - name: Extract Tools Versions from Containerfile as we use this in tags names id: extract run: | # Extract values from the Containerfile - GOLANG_VERSION=$(grep -m1 'ARG GOLANG_VERSION=' $CONTAINERFILE_NAME | cut -d'=' -f2) + GOLANG_VERSION=$(grep -m1 'ARG GOLANG_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) echo "GOLANG_VERSION=${GOLANG_VERSION}" >> $GITHUB_OUTPUT - GORELEASER_VERSION=$(grep -m1 'ARG GORELEASER_VERSION=' $CONTAINERFILE_NAME | cut -d'=' -f2) + GORELEASER_VERSION=$(grep -m1 'ARG GORELEASER_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) echo "GORELEASER_VERSION=${GORELEASER_VERSION}" >> $GITHUB_OUTPUT - TRIVY_VERSION=$(grep -m1 'ARG TRIVY_VERSION=' $CONTAINERFILE_NAME | cut -d'=' -f2) + TRIVY_VERSION=$(grep -m1 'ARG TRIVY_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) echo "TRIVY_VERSION=${TRIVY_VERSION}" >> 
$GITHUB_OUTPUT - COSIGN_VERSION=$(grep -m1 'ARG COSIGN_VERSION=' $CONTAINERFILE_NAME | cut -d'=' -f2) + COSIGN_VERSION=$(grep -m1 'ARG COSIGN_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) echo "COSIGN_VERSION=${COSIGN_VERSION}" >> $GITHUB_OUTPUT - KO_VERSION=$(grep -m1 'ARG KO_VERSION=' $CONTAINERFILE_NAME | cut -d'=' -f2) + KO_VERSION=$(grep -m1 'ARG KO_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) echo "KO_VERSION=${KO_VERSION}" >> $GITHUB_OUTPUT - SYFT_VERSION=$(grep -m1 'ARG SYFT_VERSION=' $CONTAINERFILE_NAME | cut -d'=' -f2) + SYFT_VERSION=$(grep -m1 'ARG SYFT_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) echo "SYFT_VERSION=${SYFT_VERSION}" >> $GITHUB_OUTPUT - DEBIAN_VERSION=$(grep -m1 'ARG DEBIAN_VERSION=' $CONTAINERFILE_NAME | cut -d'=' -f2) + DEBIAN_VERSION=$(grep -m1 'ARG DEBIAN_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) echo "DEBIAN_VERSION=${DEBIAN_VERSION}" >> $GITHUB_OUTPUT - name: Container metadata and tags 
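Review bot: The new env comment for `GOREL_ENTRYP_CONTAINERFILE_NAME` reads "Containerfile form image", which is a typo; suggest `# - GOREL_ENTRYP_CONTAINERFILE_NAME is the name and location of the Containerfile for the image with ENTRYPOINT [ "/go/bin/goreleaser" ]`. Both env values are absolute paths under `${{ github.workspace }}`, so they only resolve in a job that has already run a checkout step, which is worth stating in the same comment block since the second job added later in this patch depends on it. The renamed `$BASE_CONTAINERFILE_NAME` references in the extract step are consistent with the env rename, but `grep -m1 'ARG GOLANG_VERSION='` is unanchored and would also match a commented-out `# ARG GOLANG_VERSION=` line that happens to come first, feeding a stale value into the published tags; anchoring the patterns with `^ARG ` makes the tag values harder to corrupt by a stray comment. The extract step's `run:` block continues into the next hunk's context, so the surrounding job definition is only partly visible here.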
@@ -94,6 +97,81 @@ jobs: labels: ${{ steps.metadata.outputs.labels }} cache: true cache-repository: ghcr.io/${{ github.repository }}/cache - file: ${{ env.CONTAINERFILE_NAME }} + file: ${{ env.BASE_CONTAINERFILE_NAME }} + context: ${{ env.KANIKO_BUILD_CONTEXT }} + verbosity: "info" # https://github.com/GoogleContainerTools/kaniko#flag---verbosity + + + # goreleaser-glibc has a goreleaser entrypoint + build-goreleaser-entryp-image: + needs: build-base-image # Ensure this job runs after build-base-image + runs-on: ubuntu-latest + steps: + - name: Extract Tools Versions from Containerfile as we use this in tags names + id: extract + run: | + # Extract values from the Containerfile + GOLANG_VERSION=$(grep -m1 'ARG GOLANG_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) + echo "GOLANG_VERSION=${GOLANG_VERSION}" >> $GITHUB_OUTPUT + + GORELEASER_VERSION=$(grep -m1 'ARG GORELEASER_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) + echo "GORELEASER_VERSION=${GORELEASER_VERSION}" >> $GITHUB_OUTPUT + + TRIVY_VERSION=$(grep -m1 'ARG TRIVY_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) + echo "TRIVY_VERSION=${TRIVY_VERSION}" >> $GITHUB_OUTPUT + + COSIGN_VERSION=$(grep -m1 'ARG COSIGN_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) + echo "COSIGN_VERSION=${COSIGN_VERSION}" >> $GITHUB_OUTPUT + + KO_VERSION=$(grep -m1 'ARG KO_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) + echo "KO_VERSION=${KO_VERSION}" >> $GITHUB_OUTPUT + + SYFT_VERSION=$(grep -m1 'ARG SYFT_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) + echo "SYFT_VERSION=${SYFT_VERSION}" >> $GITHUB_OUTPUT + + DEBIAN_VERSION=$(grep -m1 'ARG DEBIAN_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) + echo "DEBIAN_VERSION=${DEBIAN_VERSION}" >> $GITHUB_OUTPUT + + - name: Container metadata and tags + uses: docker/metadata-action@v5 + id: metadata + with: + images: ghcr.io/${{ github.repository }} + tags: | + type=ref,event=branch + # use tools 
version as tags + type=raw,value=golang-${{ steps.extract.outputs.golang_version }} + type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }} + type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }} + type=raw,value=ko-${{ steps.extract.outputs.ko_version }} + type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }} + type=raw,value=syft-${{ steps.extract.outputs.syft_version }} + + type=raw,value=golang-${{ steps.extract.outputs.golang_version }}-${{ steps.extract.outputs.debian_version}} + type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}-${{ steps.extract.outputs.debian_version}} + type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}-${{ steps.extract.outputs.debian_version}} + type=raw,value=ko-${{ steps.extract.outputs.ko_version }}-${{ steps.extract.outputs.debian_version}} + type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}-${{ steps.extract.outputs.debian_version}} + type=raw,value=syft-${{ steps.extract.outputs.syft_version }}-${{ steps.extract.outputs.debian_version}} + + # minimal (short sha) + type=sha + # full length sha + type=sha,format=long + + - uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - uses: int128/kaniko-action@v1 + with: + push: true + tags: ${{ steps.metadata.outputs.tags }} + labels: ${{ steps.metadata.outputs.labels }} + cache: true + cache-repository: ghcr.io/${{ github.repository }}/cache + file: ${{ env.GOREL_ENTRYP_CONTAINERFILE_NAME }} context: ${{ env.KANIKO_BUILD_CONTEXT }} verbosity: "info" # https://github.com/GoogleContainerTools/kaniko#flag---verbosity \ No newline at end of file diff --git a/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr b/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr new file mode 100644 index 0000000..80c352d --- /dev/null +++ b/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr 
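Review bot: The new `build-goreleaser-entryp-image` job has no checkout step, so on its fresh runner `$GOREL_ENTRYP_CONTAINERFILE_NAME` (an absolute path under `${{ github.workspace }}`) does not exist when the extract step greps it, and kaniko receives an empty build context; add `- name: Checkout source code` / `uses: actions/checkout@v4` as the job's first step, mirroring `build-base-image` (the `jobs:` mapping itself starts outside this hunk). The job also publishes to `images: ghcr.io/${{ github.repository }}` with exactly the same `type=raw` and `type=sha` tag templates as the base job; if the base job's `images:` line (outside this hunk) names the same repository, this second push silently overwrites the base image's tags, so the two images need distinct names. The kaniko step passes no `build-args`, so the `LABEL_*` defaults in the new Containerfile apply and `org.opencontainers.image.base.digest` is recorded as an empty string; forwarding the base image digest from `build-base-image` as a build-arg (kaniko-action appears to expose the pushed digest as a step output — confirm against its README) would give the second image a verifiable link to the exact base it was built from. Finally, the roughly sixty duplicated lines of extract/metadata/login/kaniko steps would be easier to keep in sync as a matrix over the two Containerfiles or a reusable workflow, and the third-party `int128/kaniko-action@v1` reference is safer pinned to a commit SHA than to a mutable major tag.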
@@ -0,0 +1,73 @@
+# Copyright 2024 Thales
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Set Go & tools versions. This needs to match the versions from the corresponding base image
+# ghcr.io/thalesgroup/goreleaser-glibc-image-base (the one with entrypoint /bin/bash)
+ARG GOLANG_VERSION=1.22.5
+ARG TRIVY_VERSION=0.49.1
+ARG SYFT_VERSION=1.9.0
+ARG COSIGN_VERSION=2.4.0
+ARG KO_VERSION=0.16.0
+# goreleaser v2.1.0 ships with go1.22.5
+ARG GORELEASER_VERSION=2.1.0
+
+# Set Debian version name (e.g. bookworm)
+ARG DEBIAN_VERSION=bookworm
+
+# For OCI labels
+# This should look like this:
+# FROM ghcr.io/thalesgroup/goreleaser-glibc-image-base:golang-1.22.5-bookworm
+ARG BASE_REGISTRY="ghcr.io"
+ARG BASE_IMAGE="thalesgroup/goreleaser-glibc-image-base"
+ARG BASE_IMAGE_TAG="golang-${GOLANG_VERSION}-${DEBIAN_VERSION}"
+
+#==============================================================================#
+# Sets entrypoint to goreleaser
+#==============================================================================#
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_IMAGE_TAG} AS goreleaser_base
+
+ENTRYPOINT [ "/go/bin/goreleaser" ]
+
+# See https://github.com/opencontainers/image-spec/blob/main/annotations.md
+ARG LABEL_CREATED=""
+ARG LABEL_AUTHOR="Thales Open Source "
+ARG LABEL_URL="ghcr.io/thalesgroup/goreleaser-glibc-image-base"
+ARG LABEL_DOCUMENTATION="https://github.com/ThalesGroup/goreleaser-glibc-image"
+ARG LABEL_SOURCE="https://github.com/ThalesGroup/goreleaser-glibc-image"
+ARG LABEL_VERSION=""
+ARG LABEL_REVISION=""
+ARG LABEL_VENDOR="Thales"
+ARG LABEL_LICENSES="Apache 2.0"
+ARG LABEL_TITLE="goreleaser-glibc-image-base"
+ARG LABEL_REF_NAME=""
+ARG LABEL_DESCRIPTION="Container image that is shiped with goreleaser cosign ko-build trivy and syft, and using glibc on debian. The ENTRYPOINT of this image is /go/bin/goreleaser"
+ARG LABEL_BASE_DIGEST=""
+ARG BASE_REGISTRY
+ARG BASE_IMAGE
+ARG BASE_IMAGE_TAG
+ARG LABEL_BASE_NAME="${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_IMAGE_TAG}"
+LABEL org.opencontainers.image.created="${LABEL_CREATED}"
+LABEL org.opencontainers.image.authors="${LABEL_AUTHOR}"
+LABEL org.opencontainers.image.url="${LABEL_URL}"
+LABEL org.opencontainers.image.documentation="${LABEL_DOCUMENTATION}"
+LABEL org.opencontainers.image.source="${LABEL_SOURCE}"
+LABEL org.opencontainers.image.version="${LABEL_VERSION}"
+LABEL org.opencontainers.image.revision="${LABEL_REVISION}"
+LABEL org.opencontainers.image.vendor="${LABEL_VENDOR}"
+LABEL org.opencontainers.image.licenses="${LABEL_LICENSES}"
+LABEL org.opencontainers.image.title="${LABEL_TITLE}"
+LABEL org.opencontainers.image.ref.name="${LABEL_REF_NAME}"
+LABEL org.opencontainers.image.description="${LABEL_DESCRIPTION}"
+LABEL org.opencontainers.image.base.digest="${LABEL_BASE_DIGEST}"
+LABEL org.opencontainers.image.base.name="${LABEL_BASE_NAME}"
\ No newline at end of file
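Review bot: `LABEL_TITLE="goreleaser-glibc-image-base"` and `LABEL_URL="ghcr.io/thalesgroup/goreleaser-glibc-image-base"` were carried over from the base Containerfile and describe the base image rather than this goreleaser-entrypoint image, so `org.opencontainers.image.title` and `.url` on the published image point at the wrong artifact; set both to this image's own name. `FROM` resolves the base through the mutable tag `golang-${GOLANG_VERSION}-${DEBIAN_VERSION}` and `LABEL_BASE_DIGEST` defaults to `""`, so `org.opencontainers.image.base.digest` is empty unless the build passes it as a build-arg (the workflow in this patch does not); pinning `FROM` with `@sha256:<base-digest>` (placeholder) or supplying that arg from the base build makes the base provenance verifiable instead of tag-dependent. `TRIVY_VERSION`, `SYFT_VERSION`, `COSIGN_VERSION` and `KO_VERSION` are declared here only so the workflow can grep them into tag names, while the binaries actually come from the base layer, so once the two files drift the published tags misstate what the image contains — deriving them from the base image reference, or at least asserting they match in CI, would close that gap. Minor: `LABEL_AUTHOR="Thales Open Source "` ends in a trailing space, which looks like an angle-bracketed e-mail address was lost in rendering (verify in the repository), and `shiped` in `LABEL_DESCRIPTION` should read `shipped`.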