Merge pull request #1 from GitGuardian/ggguardian/fix-minio-bitnami-images

ggguardian · web-flow · commit f3167caa8380 · 2025-05-20T22:33:14.000+02:00
feat(minio-bitnami): fix permissions
diff --git a/.github/workflows/minio-bitnami-client.yaml b/.github/workflows/minio-bitnami-client.yaml
@@ -3,12 +3,16 @@ name: minio-bitnami-client
 on:
   schedule:
     - cron: "00 01 * * 1"
+  pull_request:
+    paths:
+      - .github/workflows/minio-bitnami-client.yaml
+      - 'images/minio-bitnami-client/**.yaml'
   push:
     branches:
       - 'main'
     paths:
       - .github/workflows/minio-bitnami-client.yaml
-      - 'images/minio-bitnami-client/*.yaml'
+      - 'images/minio-bitnami-client/**.yaml'
   workflow_dispatch:
 
 permissions:
diff --git a/.github/workflows/minio-bitnami.yaml b/.github/workflows/minio-bitnami.yaml
@@ -3,12 +3,16 @@ name: minio-bitnami
 on:
   schedule:
     - cron: "00 01 * * 1-5"
+  pull_request:
+    paths:
+      - .github/workflows/minio-bitnami.yaml
+      - 'images/minio-bitnami/**.yaml'
   push:
     branches:
       - 'main'
     paths:
       - .github/workflows/minio-bitnami.yaml
-      - 'images/minio-bitnami/*.yaml'
+      - 'images/minio-bitnami/**.yaml'
   workflow_dispatch:
 
 permissions:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -3,21 +3,6 @@ name: Reusable release workflow
 on:
   workflow_call:
     inputs:
-      registry:
-        description: 'Registry'
-        type: string
-        required: false
-        default: ghcr.io
-      registry-username:
-        description: 'Registry username'
-        type: string
-        required: false
-        default: ${{ github.actor }}
-      registry-password:
-        description: 'Registry password'
-        type: string
-        required: false
-        default: ''
       image:
         description: 'Image name'
         type: string
@@ -70,17 +55,27 @@ jobs:
     steps:
       - uses: imjasonh/setup-crane@v0.4
       - uses: sigstore/cosign-installer@v3
-
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Login to Registry
+      - name: Set Vars
+        id: vars
+        shell: bash
+        run: |
+          if [[ "${{ github.ref_name }}" == "main" ]]; then
+            echo "registry=ghcr.io" >> $GITHUB_OUTPUT
+          else
+            echo "registry=ttl.sh" >> $GITHUB_OUTPUT
+          fi
+
+      - if: steps.vars.outputs.registry == 'ghcr.io'
+        name: Login to GitHub Registry
         uses: docker/login-action@v3
         id: login-to-registry
         with:
-          registry: ${{ inputs.registry }}
-          username: ${{ inputs.registry-username }}
-          password: ${{ inputs.registry-password || github.token }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
 
       - name: Create SBOM directory
         id: output
@@ -93,22 +88,22 @@ jobs:
         uses: distroless/actions/apko-publish@main
         with:
           config: ${{ inputs.config-dir }}/${{ inputs.target }}.yaml
-          tag: ${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.tag }}
+          tag: ${{ steps.vars.outputs.registry }}/${{ inputs.image }}:${{ inputs.tag }}
           package-append: ${{ inputs.packages }}
           archs: ${{ inputs.archs }}
           sbom-path: ${{ github.workspace }}/sbom
 
       - id: digest
         shell: bash
         run: |
-          echo "digest=$(crane digest ${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+          echo "digest=$(crane digest ${{ steps.vars.outputs.registry }}/${{ inputs.image }}:${{ inputs.tag }})" >> $GITHUB_OUTPUT
           if [[ "${{ inputs.archs }}" == *"amd64"* ]]; then
-              echo "digest-amd64=$(crane digest --platform=linux/amd64 ${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+              echo "digest-amd64=$(crane digest --platform=linux/amd64 ${{ steps.vars.outputs.registry }}/${{ inputs.image }}:${{ inputs.tag }})" >> $GITHUB_OUTPUT
           else
               echo "digest-amd64=''" >> $GITHUB_OUTPUT
           fi
           if [[ "${{ inputs.archs }}" == *"arm64"* ]]; then
-              echo "digest-arm64=$(crane digest --platform=linux/arm64 ${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+              echo "digest-arm64=$(crane digest --platform=linux/arm64 ${{ steps.vars.outputs.registry }}/${{ inputs.image }}:${{ inputs.tag }})" >> $GITHUB_OUTPUT
           else
               echo "digest-arm64=''" >> $GITHUB_OUTPUT
           fi
@@ -121,12 +116,13 @@ jobs:
           cosign sign \
             --recursive \
             --oidc-provider=github-actions \
-            ${{ inputs.registry }}/${{ inputs.image }}@${{ steps.digest.outputs.digest }}
+            ${{ steps.vars.outputs.registry }}/${{ inputs.image }}@${{ steps.digest.outputs.digest }}
 
-      - name: Attest provenance
+      - if: steps.vars.outputs.registry == 'ghcr.io'
+        name: Attest provenance
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: ${{ inputs.registry }}/${{ inputs.image }}
+          subject-name: ${{ steps.vars.outputs.registry }}/${{ inputs.image }}
           subject-digest: ${{ steps.digest.outputs.digest }}
           push-to-registry: true
 
@@ -139,7 +135,7 @@ jobs:
             --type=spdxjson \
             --predicate=${{ github.workspace }}/sbom/sbom-index.spdx.json \
             --oidc-provider=github-actions \
-            ${{ inputs.registry }}/${{ inputs.image }}@${{ steps.digest.outputs.digest }}
+            ${{ steps.vars.outputs.registry }}/${{ inputs.image }}@${{ steps.digest.outputs.digest }}
 
       - if: steps.digest.outputs.digest-amd64 != ''
         name: Attest amd64 SBOM
@@ -151,7 +147,7 @@ jobs:
             --type=spdxjson \
             --predicate=${{ github.workspace }}/sbom/sbom-x86_64.spdx.json \
             --oidc-provider=github-actions \
-            ${{ inputs.registry }}/${{ inputs.image }}@${{ steps.digest.outputs.digest-amd64 }}
+            ${{ steps.vars.outputs.registry }}/${{ inputs.image }}@${{ steps.digest.outputs.digest-amd64 }}
 
       - if: steps.digest.outputs.digest-arm64 != ''
         name: Attest arm64 SBOM
@@ -163,14 +159,14 @@ jobs:
             --type=spdxjson \
             --predicate=${{ github.workspace }}/sbom/sbom-aarch64.spdx.json \
             --oidc-provider=github-actions \
-            ${{ inputs.registry }}/${{ inputs.image }}@${{ steps.digest.outputs.digest-arm64 }}
+            ${{ steps.vars.outputs.registry }}/${{ inputs.image }}@${{ steps.digest.outputs.digest-arm64 }}
 
       - if: inputs.scan == 'true'
         name: Scan image
         id: scan
         uses: anchore/scan-action@v6
         with:
-          image: ${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.tag }}
+          image: ${{ steps.vars.outputs.registry }}/${{ inputs.image }}:${{ inputs.tag }}
           cache-db: true
           fail-build: 'false'
           severity-cutoff: 'high'
diff --git a/images/minio-bitnami-client/prod.yaml b/images/minio-bitnami-client/prod.yaml
@@ -1,6 +1,8 @@
-include: images/apko.yaml
-
 contents:
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  repositories:
+    - https://packages.wolfi.dev/os
   packages:
     - bash
     - busybox
@@ -13,6 +15,22 @@ contents:
     - readline
     - wolfi-baselayout
 
+accounts:
+  groups:
+    - groupname: nonroot
+      gid: 65532
+  users:
+    - username: nonroot
+      uid: 65532
+      gid: 0
+  run-as: nonroot
+
+work-dir: /opt/bitnami/minio-client
+
+archs:
+  - amd64
+  - arm64
+
 entrypoint:
   command: /opt/bitnami/scripts/minio-client/entrypoint.sh
 
@@ -22,6 +40,9 @@ environment:
   BITNAMI_APP_NAME: minio
 
 annotations:
-  org.opencontainers.image.title: 'minio-bitnami-client'
+  org.opencontainers.image.authors: 'GitGuardian SRE Team <sre@gitguardian.com>'
   org.opencontainers.image.description: 'MinIO-Bitnami client image based on Wolfi OS'
+  org.opencontainers.image.licenses: 'MIT'
   org.opencontainers.image.source": 'https://github.com/GitGuardian/wolfi/tree/main/images/minio-bitnami-client'
+  org.opencontainers.image.title: 'minio-bitnami-client'
+  org.opencontainers.image.vendor: 'GitGuardian'
diff --git a/images/minio-bitnami/prod.yaml b/images/minio-bitnami/prod.yaml
@@ -1,6 +1,8 @@
-include: images/apko.yaml
-
 contents:
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  repositories:
+    - https://packages.wolfi.dev/os
   packages:
     - bash
     - bash-binsh
@@ -14,6 +16,22 @@ contents:
     - wait-for-port
     - wolfi-baselayout
 
+accounts:
+  groups:
+    - groupname: nonroot
+      gid: 65532
+  users:
+    - username: nonroot
+      uid: 65532
+      gid: 0
+  run-as: nonroot
+
+work-dir: /opt/bitnami/minio-client
+
+archs:
+  - amd64
+  - arm64
+
 entrypoint:
   command: /opt/bitnami/scripts/minio/entrypoint.sh
 
@@ -23,6 +41,9 @@ environment:
   BITNAMI_APP_NAME: minio
 
 annotations:
-  org.opencontainers.image.title: 'minio-bitnami'
+  org.opencontainers.image.authors: 'GitGuardian SRE Team <sre@gitguardian.com>'
   org.opencontainers.image.description: 'MinIO-Bitnami image based on Wolfi OS'
+  org.opencontainers.image.licenses: 'MIT'
   org.opencontainers.image.source": 'https://github.com/GitGuardian/wolfi/tree/main/images/minio-bitnami'
+  org.opencontainers.image.title: 'minio-bitnami'
+  org.opencontainers.image.vendor: 'GitGuardian'
