Build chainguard/busybox based images for use with GitHub Actions
We would like the option of running AllStar as a GitHub Action. The current container image uses `cgr.dev/chainguard/static` which is an excellent minimal base with very little surface area. Unfortunately, GitHub Actions requires `tail` to be available for use as a container:
~~~sh
/usr/bin/docker create --name ... --label ... --workdir /__w/.allstar/.allstar --network ... -e "HOME=/github/home" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work":"/__w" -v "/home/runner/runners/2.306.0/externals":"/__e":ro -v "/home/runner/work/_temp":"/__w/_temp" -v "/home/runner/work/_actions":"/__w/_actions" -v "/opt/hostedtoolcache":"/__t" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflo→
~~~
This change updates the build workflow to build a second image based on `cgr.dev/chainguard/busybox` with the tag `VERSION-busybox`.
Combining this image with use of the `-once` flag makes it possible to run AllStar in GitHub Actions.
Example GitHub Actions jobs YAML:
~~~yaml
name: "Scheduled AllStar Enforcement"
on:
  schedule:
    - cron: "0 * * * *"
jobs:
  deployment:
    runs-on: ubuntu-latest
    container: ghcr.io/ossf/allstar:v3.1-busybox
    environment: prod
    steps:
      - name: "AllStar Enforce"
        env:
          APP_ID: ${{ vars.APP_ID }}
          KEY_SECRET: ${{ vars.KEY_SECRET }}
          PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
        run: /ko-app/allstar -once
~~~
The standard minimal `cgr.dev/chainguard/stable` images are still built.
Signed-off-by: Paul Hirsch <[email protected]>