From 467464e8f6c1cc92c0556ebf6a310deeefb95257 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 5 Aug 2024 12:48:17 +0200 Subject: [PATCH 01/10] Avoid manifest not found when pulling via sha digest on quay.io --- .github/workflows/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d0b23d6..b36eb76 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -59,6 +59,7 @@ jobs: echo "image_labels=quay.expires-after=2w" >> $GITHUB_OUTPUT fi echo "image_created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT + echo "timestamp=$(date -u +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT - name: Login to quay.io if: github.actor != 'dependabot[bot]' @@ -117,6 +118,7 @@ jobs: CREATED=${{ steps.vars.outputs.image_created }} tags: | quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }} + quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }}-${{ steps.vars.outputs.timestamp }} platforms: linux/amd64,linux/arm64/v8 labels: ${{ steps.vars.outputs.image_labels }} provenance: false @@ -129,3 +131,4 @@ jobs: DST_IMAGE: ${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }} run: | docker buildx imagetools create ${{ env.SRC_IMAGE }} -t ${{ env.DST_IMAGE }} + docker buildx imagetools create ${{ env.SRC_IMAGE }}-${{ steps.vars.outputs.timestamp }} -t ${{ env.DST_IMAGE }}-${{ steps.vars.outputs.timestamp }} From c9507ef631a105b0cf9c4474daf1ce734fbbc045 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 5 Aug 2024 12:53:11 +0200 Subject: [PATCH 02/10] fixup labels --- .github/workflows/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b36eb76..d6a59a2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
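Review bot: The new `timestamp` output in the first hunk has minute resolution (`%Y%m%d%H%M`), so two master runs that reach this step in the same minute — a job re-run, or an overlapping scheduled rebuild — produce the same "immutable" tag and the second one silently overwrites the first, which is exactly the manifest-not-found scenario the series is trying to avoid. Nothing on the registry side enforces that these tags are write-once; immutability is only a convention of this workflow. Consider adding seconds or a unique run component, e.g. `echo "timestamp=$(date -u +'%Y%m%d%H%M%S')-${GITHUB_RUN_ID}" >> $GITHUB_OUTPUT`, and keep recommending digest pinning for consumers who need a hard guarantee. Note also that `%Y` yields a four-digit year, while the README added later in this series documents the pattern as `$tag-YYMMDDHHMM`; one of the two should be aligned.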
@@ -120,7 +120,9 @@ jobs: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }} quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }}-${{ steps.vars.outputs.timestamp }} platforms: linux/amd64,linux/arm64/v8 - labels: ${{ steps.vars.outputs.image_labels }} + labels: | # one for each built tag + ${{ steps.vars.outputs.image_labels }} + ${{ steps.vars.outputs.image_labels }} provenance: false target: JAVA_BASE_IMAGE From a42749a3d0df943b65dc83a06344c35c18677c2a Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 5 Aug 2024 12:57:11 +0200 Subject: [PATCH 03/10] wtf? --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d6a59a2..5963000 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -120,7 +120,7 @@ jobs: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }} quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }}-${{ steps.vars.outputs.timestamp }} platforms: linux/amd64,linux/arm64/v8 - labels: | # one for each built tag + labels: | ${{ steps.vars.outputs.image_labels }} ${{ steps.vars.outputs.image_labels }} provenance: false From 541eb67fa92fa7a30479d883d0d1e18a21afc392 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 5 Aug 2024 13:04:42 +0200 Subject: [PATCH 04/10] fixup --- .github/workflows/main.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5963000..b36eb76 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -120,9 +120,7 @@ jobs: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }} quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }}-${{ steps.vars.outputs.timestamp }} platforms: linux/amd64,linux/arm64/v8 - labels: | - ${{ steps.vars.outputs.image_labels }} - ${{ steps.vars.outputs.image_labels }} + labels: ${{ steps.vars.outputs.image_labels }} provenance: false target: JAVA_BASE_IMAGE From e1c60a04bcda7fe9340bca8b8ee5e09ff802ecd2 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 5 Aug 2024 13:53:00 +0200 Subject: [PATCH 05/10] use buildx to push timestamped tag --- .github/workflows/main.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b36eb76..eafcbdb 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -118,12 +118,18 @@ jobs: CREATED=${{ steps.vars.outputs.image_created }} tags: | quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }} - quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }}-${{ steps.vars.outputs.timestamp }} platforms: linux/amd64,linux/arm64/v8 labels: ${{ steps.vars.outputs.image_labels }} provenance: false target: JAVA_BASE_IMAGE + - name: Push additional image to quay.io + env: + SRC_IMAGE: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }} + DST_IMAGE: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }}-${{ steps.vars.outputs.timestamp }} + run: | + docker buildx imagetools create ${{ env.SRC_IMAGE }} -t ${{ env.DST_IMAGE }} + - name: Push Image to docker.io if: github.ref_name == 'master' env: From d79558ba730bc1aedecc7a8d400de5d9de044816 Mon Sep 17 00:00:00 2001 
From: Giovanni Toraldo Date: Mon, 5 Aug 2024 14:04:49 +0200 Subject: [PATCH 06/10] give up expire label handling - just push additional tags on master only --- .github/workflows/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index eafcbdb..c06016e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -123,18 +123,19 @@ jobs: provenance: false target: JAVA_BASE_IMAGE - - name: Push additional image to quay.io + - name: Push additional anchored tag to quay.io + if: github.ref_name == 'master' env: SRC_IMAGE: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }} DST_IMAGE: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }}-${{ steps.vars.outputs.timestamp }} run: | docker buildx imagetools create ${{ env.SRC_IMAGE }} -t ${{ env.DST_IMAGE }} - - name: Push Image to docker.io + - name: Push images to docker.io if: github.ref_name == 'master' env: SRC_IMAGE: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }} DST_IMAGE: ${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }} run: | docker buildx imagetools create ${{ env.SRC_IMAGE }} -t ${{ env.DST_IMAGE }} - docker buildx imagetools create ${{ env.SRC_IMAGE }}-${{ steps.vars.outputs.timestamp }} -t ${{ env.DST_IMAGE }}-${{ steps.vars.outputs.timestamp }} + docker buildx imagetools create ${{ env.SRC_IMAGE }} -t ${{ env.DST_IMAGE }}-${{ steps.vars.outputs.timestamp }} From ce39e0e24e0c6a3dc32067701ac5a0f2018318d6 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 5 Aug 2024 14:06:37 +0200 Subject: [PATCH 07/10] fix env deprecation warning --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index f85b2b0..616a985 100644 --- a/Dockerfile 
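Review bot: Both `imagetools create` steps build the timestamped tag by re-resolving the mutable `SRC_IMAGE` tag at step time rather than from the digest the build step just pushed, so if another master run or a rebuild overwrites that tag between the build and this step, the "anchored" tag ends up pointing at a different image than the one this run produced. Since the tag's whole purpose is to be a stable reference, the source should be the digest of the manifest built in this run, e.g. `SRC_IMAGE: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}@${{ steps.<build>.outputs.digest }}`, assuming the build-push-action step carries an `id` (that step starts above this hunk and its id is not visible here). A workflow-level `concurrency` group for master would narrow the same window, if one is not already configured outside this view.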
+++ b/Dockerfile @@ -7,9 +7,9 @@ FROM rockylinux:8.8 AS rockylinux8 ARG JDIST ARG JAVA_MAJOR -ENV JAVA_HOME /etc/alternatives/jre -ENV LANG C.UTF-8 -ENV LC_ALL C.UTF-8 +ENV JAVA_HOME=/etc/alternatives/jre +ENV LANG=C.UTF-8 +ENV LC_ALL=C.UTF-8 RUN \ yum update --security -y && \ From cb5078bf7150e9302a8ed4a6eb86ea07254ca99e Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 5 Aug 2024 14:14:58 +0200 Subject: [PATCH 08/10] update readme --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index d44ea2f..b684754 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,8 @@ The images are available on: To ensure the propagation of security fixes from upstream projects, all supported tags are mutable and undergo periodic rebuilding. +#### Pin by digest + The suggested approach is to pin the sha256 digest for best reproducibility in your `Dockerfile`, for example: @@ -53,6 +55,17 @@ alfresco/alfresco-base-java jre17-rockylinux9 sha256:b749868ceb42bd6f58ae2f1 This configuration approach is compatible with [Dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker). +#### Pin by immutable tags + +Additional tags are being pushed for master releases, following the pattern +`$tag-YYMMDDHHMM`. Those tags are never overwritten and can be used as a more +intuitive approach. You can still use it in combination with digest for +increased security. + +> Quay.io doesn't retain previous images when a tag is overwritten, so using an +> immutable tag is mandatory in order to avoid getting `Manifest not found` +> error once a mutable tag get updated. + ## Development While any docker installation will produce valid images, building with From 29a7174abce96d9aa446001704fd676cdafaff20 Mon Sep 17 00:00:00 2001 
From: Giovanni Toraldo Date: Mon, 5 Aug 2024 14:17:48 +0200 Subject: [PATCH 09/10] minor step rephrase --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c06016e..0135506 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -123,7 +123,7 @@ jobs: provenance: false target: JAVA_BASE_IMAGE - - name: Push additional anchored tag to quay.io + - name: Push additional timestamped tag to quay.io if: github.ref_name == 'master' env: SRC_IMAGE: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }} From 37a72b4bbc8cbeede88f06347f92b557032f86f5 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Tue, 6 Aug 2024 08:48:05 +0200 Subject: [PATCH 10/10] more compact push --- .github/workflows/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 0135506..68aa61f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -136,6 +136,7 @@ jobs: env: SRC_IMAGE: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }} DST_IMAGE: ${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }} - run: | - docker buildx imagetools create ${{ env.SRC_IMAGE }} -t ${{ env.DST_IMAGE }} - docker buildx imagetools create ${{ env.SRC_IMAGE }} -t ${{ env.DST_IMAGE }}-${{ steps.vars.outputs.timestamp }} + run: >- + docker buildx imagetools create ${{ env.SRC_IMAGE }} + -t ${{ env.DST_IMAGE }} + -t ${{ env.DST_IMAGE }}-${{ steps.vars.outputs.timestamp }}
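Review bot: The compacted `run:` still splices `${{ env.SRC_IMAGE }}`, `${{ env.DST_IMAGE }}` and `${{ steps.vars.outputs.timestamp }}` into the shell script text even though the step already exports the first two through `env:`; referencing them as shell variables keeps their values out of the script and removes a shell-injection path should `image_tag` ever be derived from a branch or ref name (how it is computed is not visible in this hunk). Add `TIMESTAMP: ${{ steps.vars.outputs.timestamp }}` to the step's `env:` and change the command to `docker buildx imagetools create "$SRC_IMAGE" -t "$DST_IMAGE" -t "$DST_IMAGE-$TIMESTAMP"`; the `>-` folded scalar works unchanged with this form. The quay.io push step earlier in the file has the same pattern and could be aligned the same way.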