ci: build amd64+arm64 docker images incl. SBOM (#744)

* ci: build docker images for amd64+arm64

* comment out if / skip condition

* use recent version of aquasecurity/trivy-action

* generate sbom and upload+inline

Signed-off-by: Gil Desmarais <[email protected]>

* fix order

* tag images with sha

Signed-off-by: Gil Desmarais <[email protected]>

* let's go. comment in if and push.

* add note on sbom

---------

Signed-off-by: Gil Desmarais <[email protected]>

Author: gildesmarais

.github/workflows/test_build_push.yml

@@ -50,11 +50,69 @@ jobs:
       - hadolint
       - ruby
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    env:
+      IMAGE_NAME: gilcreator/html2rss-web
+      TAG_SHA: ${{ github.sha }}
     steps:
-      - uses: actions/checkout@v4
-      - run: bin/docker-build
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Cache Docker layers
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            gilcreator/html2rss-web:latest
+            gilcreator/html2rss-web:${{ github.sha }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
+          provenance: true
+          labels: |
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.title=html2rss-web
+            org.opencontainers.image.description=Generates RSS feeds of any website & serves to the web!
+            org.opencontainers.image.sbom=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts
+
+      - name: Generate SBOM
+        uses: anchore/[email protected]
+        with:
+          image: gilcreator/html2rss-web:${{ github.sha }}
+          output-file: sbom.spdx.json
+
+      - name: Upload SBOM Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: sbom.spdx.json
 
-      - run: bin/docker-push
-        env:
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      - name: Move updated cache into place
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

README.md

@@ -137,6 +137,7 @@ Please refer to [html2rss' README for a description of _the feed config and its
 This web application is distributed in a [rolling release](https://en.wikipedia.org/wiki/Rolling_release) fashion from the `master` branch.
 
 For the latest commit passing GitHub CI/CD on the master branch, an updated Docker image will be pushed to [Docker Hub: `gilcreator/html2rss-web`](https://hub.docker.com/r/gilcreator/html2rss-web).
+The [SBOM](https://en.wikipedia.org/wiki/Software_supply_chain) is embedded as an OCI label in the Docker image and is [also available as a build artifact](https://github.com/html2rss/html2rss-web/actions/workflows/test_build_push.yml?query=branch%3Amaster).
 
 GitHub's @dependabot is enabled for dependency updates and they are automatically merged to the `master` branch when the CI gives the green light.