feat: Update container build, scanning, and publishing

Author: GeekMasher

.github/workflows/container-publish.yml

@@ -0,0 +1,124 @@
+name: Container Build and Release
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: "Semantic version of the image"
+        required: true
+        type: string
+
+      container-file:
+        description: "Path to the Dockerfile"
+        type: string
+        default: "Dockerfile"
+
+      container-name:
+        description: "Name of the container"
+        type: string
+        default: "${{ github.repository }}"
+
+      sbom:
+        description: "Generate and upload SBOM"
+        type: string
+        default: "true"
+      
+      signing:
+        description: "Sign the image"
+        type: string
+        default: "false"
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  publish-image:
+    runs-on: ubuntu-latest
+
+    permissions:
+      # to upload SBOM
+      id-token: write
+      contents: write
+      # to upload Docker image
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set Container Metadata
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
+        with:
+          images: ${{ env.REGISTRY }}/${{ inputs.container-name }}
+          tags: |
+            # latest / main
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+            # SemVer
+            type=semver,pattern={{version}},value=${{ inputs.version }}
+            type=semver,pattern=v{{version}},value=${{ inputs.version }}
+            type=semver,pattern=v{{major}},value=${{ inputs.version }}
+            type=semver,pattern=v{{major}}.{{minor}},value=${{ inputs.version }}
+    
+      - name: Build & Publish Container ${{ inputs.container-name }}
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        if: ${{ steps.set-version.outputs.release == 'true' }}
+        id: build
+        with:
+          file: "${{ inputs.container-file }}"
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          # SBOM Settings
+          sbom: true
+
+      # Upload Software Bill of Materials (SBOM) to GitHub
+      - name: Upload SBOM
+        uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746  # v0.1.1
+        if: ${{ inputs.sbom == 'true' }}
+        with:
+          filePath: '.'
+          filePattern: '*.spdx.json'
+
+  sign-image:
+    runs-on: ubuntu-latest
+    needs: publish-image
+    # Sign the image only if it is being published
+    if: ${{ inputs.signing == 'true' && inputs.publish == 'true'  }}
+
+    permissions:
+      # read the image from GitHub Container Registry
+      packages: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      
+      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        with:
+          cosign-release: 'v2.4.1'
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Sign the published container
+        # This step uses the identity token to provision an ephemeral certificate against 
+        # the sigstore community Fulcio instance.
+        run: |
+          cosign sign --yes \
+            ${{ env.IMAGE_NAME }}@${{ needs.build-publish-image.outputs.digest }}
+  

.github/workflows/container-security.yml

@@ -0,0 +1,72 @@
+name: Container Security Scanning
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: "Semantic version of the image"
+        type: string
+
+      container-file:
+        description: "Path to the Dockerfile"
+        type: string
+        default: "Dockerfile"
+
+      container-name:
+        description: "Name of the container"
+        type: string
+        default: "${{ github.repository }}"
+
+      scanning-block:
+        description: "Block the build if vulnerabilities are found"
+        type: string
+        default: "false"
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  scan-image:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build Initial Container ${{ inputs.container-name }}
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        id: build
+        with:
+          file: "${{ inputs.container-file }}"
+          context: .
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      # Scan the image for vulnerabilities
+      - name: Run the Anchore / Grype scan action
+        if: ${{ inputs.scanning == 'true' }}
+        uses: anchore/scan-action@f2ba85e044c8f5e5014c9a539328a9c78d3bfa49 # v5.2.1
+        id: scan
+        with:
+          image: "${{ env.REGISTRY }}/${{ inputs.container-name }}:${{ steps.build.outputs.digest }}"
+          only-fixed: true
+          fail-build: ${{ inputs.scanning-block }}
+
+      - name: Upload vulnerability report
+        if: ${{ inputs.scanning == 'true' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}