diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5b2806d..d888764 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,14 +16,15 @@ env:
 jobs:
 build:
 runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ image: ["3.17", "3.19", "3.20"]
+ openssl_version: ["3.0.9"]
+ fail-fast: false
 steps:
 - name: Checkout Repository
 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
- - name: Get Alpine version
- id: alpine
- run: echo "version=$(grep -m1 'FROM alpine' > $GITHUB_OUTPUT
-
 - name: Docker Buildx
 uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
@@ -52,7 +53,7 @@ jobs:
 type=ref,event=pr
 type=semver,pattern={{version}}
 type=semver,pattern={{major}}.{{minor}}
- type=semver,pattern={{version}},suffix=-alpine${{ steps.alpine.outputs.version }}
+ type=semver,pattern={{version}},suffix=-alpine${{ matrix.image }}
 env:
 DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
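Review bot: The new `openssl_version: ["3.0.9"]` matrix entry carries no explanation, and in an image whose Dockerfile runs `make install_fips` the OpenSSL version is a compliance pin rather than a freshness choice, so a maintainer seeing a newer 3.0.x has no signal that bumping it changes what the image claims to ship. It is presumably held at 3.0.9 because that is the FIPS-provider version this project validates against — confirm against the certificate or security policy the image references — and the matrix line should say so: `openssl_version: ["3.0.9"]  # FIPS provider version; do not bump without re-validating`. Quoting the matrix values is correct as written; an unquoted `3.20` would be read as the float 3.2.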
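Review bot: Only the `type=semver,pattern={{version}}` rule gets the `-alpine${{ matrix.image }}` suffix, while the context rules `type=semver,pattern={{version}}`, `type=semver,pattern={{major}}.{{minor}}` and `type=ref,event=pr` (plus any rules above the hunk) are still emitted by every leg of the new three-image matrix, so all three legs push identical unsuffixed tags and whichever finishes last wins. Consumers pulling `:1.2.3` or `:1.2` therefore get an Alpine base chosen by job completion order, which can change between re-runs of the same release. Gate the unsuffixed patterns on a single leg, e.g. `type=semver,pattern={{version}},enable=${{ matrix.image == '3.20' }}` and the same `enable=` on the `{{major}}.{{minor}}` rule, or publish only suffixed tags from the matrix and add the default alias in a separate job that runs after it.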
@@ -62,30 +63,36 @@ jobs:
 with:
 file: Dockerfile
 context: "."
- cache-from: type=gha,scope=alpine
- cache-to: type=gha,scope=alpine,mode=max
+ cache-from: type=gha,scope=alpine${{ matrix.image }}
+ cache-to: type=gha,scope=alpine${{ matrix.image }},mode=max
 tags: ${{ steps.meta.outputs.tags }}
 load: ${{ github.event_name == 'pull_request' }}
 push: ${{ github.event_name != 'pull_request' }}
 platforms: ${{ github.event_name != 'pull_request' && env.platforms || '' }}
 annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
+ target: alpine
 pull: true
 sbom: ${{ github.event_name != 'pull_request' }}
 provenance: ${{ github.event_name != 'pull_request' }}
+ build-args: |
+ BUILD_OS=alpine:${{ matrix.image }}
+ OPENSSL_VERSION=${{ matrix.openssl_version }}
 
 - name: Run Grype vulnerability scanner
 uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
 continue-on-error: true
 id: scan
 with:
- image: ghcr.io/nginxinc/alpine-fips:${{ steps.meta.outputs.version }}
+ image: ghcr.io/nginxinc/alpine-fips:${{ steps.meta.outputs.version }}-alpine${{ matrix.image }}
 only-fixed: true
 add-cpes-if-none: true
+ if: ${{ github.event_name != 'pull_request' }}
 
 - name: Upload Anchore scan SARIF report
 uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}
+ if: ${{ github.event_name != 'pull_request' }}
 
 - name: Create/Update Draft
 uses: lucacome/draft-release@e076259ceb036bc5f2c2a76559784c12cf8d2e74 # v1.0.4
diff --git a/Dockerfile b/Dockerfile
index a319296..ed7e063 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,10 @@
-FROM alpine:3.19
-
+# syntax=docker/dockerfile:1.6
+ARG BUILD_OS=alpine:3.19
 ARG OPENSSL_VERSION=3.0.9
 
+FROM ${BUILD_OS} as alpine
+ARG OPENSSL_VERSION
+
 RUN apk add --no-cache --virtual .build-deps \
 make gcc libgcc musl-dev linux-headers perl vim \
 && wget https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz \
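Review bot: The Grype step scans `ghcr.io/nginxinc/alpine-fips:${{ steps.meta.outputs.version }}-alpine${{ matrix.image }}`, a mutable tag re-resolved from the registry, rather than the digest the build step just pushed, so a concurrent run on another ref or a retry can make the scan and the SARIF uploaded under it describe a different image than this job built. As far as the visible tag rules show, the `-alpine3.x` suffix is only produced by the `type=semver` rule, so if the workflow also runs on branch pushes `steps.meta.outputs.version` will be a ref name whose suffixed tag does not exist; `continue-on-error: true` then hides the failed pull and the upload step receives an empty `sarif_file`. Give the build step an `id:` (its header is above the hunk) and scan by digest, `image: ghcr.io/nginxinc/alpine-fips@${{ steps.build.outputs.digest }}`, which also removes the need to reconstruct the tag name here. `continue-on-error: true` further means findings never gate the publish; if that is deliberate, a one-line comment on the step should say so.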
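Review bot: The `wget https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz` line fetches the source that becomes the FIPS provider with no checksum or signature check, so TLS to the download host is the only integrity control and a compromised mirror, CDN or build-time interception would be compiled straight into a module the image presents as FIPS-validated; the RUN continues past the end of the hunk, so a check may exist there, but nothing in the visible lines suggests one. Pin the expected digest next to the version and fail the build on mismatch: `ARG OPENSSL_SHA256` declared after `FROM` like `OPENSSL_VERSION`, and `&& echo "${OPENSSL_SHA256}  openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c - \` immediately after the wget, with the value taken from the published `.sha256` file or the module's CMVP security policy and passed from CI as a third matrix field. Separately, `ARG BUILD_OS=alpine:3.19` and the CI `BUILD_OS=alpine:${{ matrix.image }}` select the base by floating tag under `pull: true`, so two builds of the same commit can start from different bases; a `@sha256:` digest per matrix entry would make the module's build environment reproducible. `FROM ${BUILD_OS} as alpine` mixes cases (`FROM` upper, `as` lower); buildx emits a FromAsCasing warning for it, so `AS alpine` is preferable.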
@@ -11,6 +14,7 @@ RUN apk add --no-cache --virtual .build-deps \
 && make \
 && make install_fips \
 && apk del .build-deps \
- && cd .. && rm -rf openssl-${OPENSSL_VERSION}.tar.gz openssl-${OPENSSL_VERSION}
+ && cd .. && rm -rf openssl-${OPENSSL_VERSION}.tar.gz openssl-${OPENSSL_VERSION} \
+ && apk upgrade --no-cache -U
 
 COPY openssl.cnf /etc/ssl/openssl.cnf
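Review bot: `&& apk upgrade --no-cache -U` runs after the FIPS provider has been compiled and `.build-deps` removed, so `gcc`, `musl-dev` and `linux-headers` used for `make install_fips` are whatever the pulled base shipped, not the patched versions the upgrade installs a moment later; if the goal is to build on a fully patched base, the upgrade belongs before `apk add ... .build-deps` at the top of this RUN, which starts above the hunk. It also ties the image to the state of the Alpine repositories at build time, so two builds of the same commit and `BUILD_OS` tag can differ — acceptable for distro-level patching, but worth recording next to the line, e.g. `# distro security fixes only; the provider installed by make install_fips is not apk-managed — confirm it still loads after libcrypto upgrades`. `-U` is redundant with `--no-cache`, which already fetches a fresh index, so `apk upgrade --no-cache` is sufficient.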