build multiple alpine images

nginxinc · Jun 10, 2024 · f17aeb1 · f17aeb1
1 parent 78b78f5
commit f17aeb1
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 10 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,14 +16,15 @@ env:
 jobs:
   build:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: ["3.17", "3.19", "3.20"]
+        openssl_version: ["3.0.9"]
+      fail-fast: false
     steps:
       - name: Checkout Repository
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
-      - name: Get Alpine version
-        id: alpine
-        run: echo "version=$(grep -m1 'FROM alpine' <Dockerfile | awk -F'[:]' '{print $2}')" >> $GITHUB_OUTPUT
-
       - name: Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
@@ -52,7 +53,7 @@ jobs:
             type=ref,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{version}},suffix=-alpine${{ steps.alpine.outputs.version }}
+            type=semver,pattern={{version}},suffix=-alpine${{ matrix.image }}
         env:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
@@ -62,30 +63,36 @@ jobs:
         with:
           file: Dockerfile
           context: "."
-          cache-from: type=gha,scope=alpine
-          cache-to: type=gha,scope=alpine,mode=max
+          cache-from: type=gha,scope=alpine${{ matrix.image }}
+          cache-to: type=gha,scope=alpine${{ matrix.image }},mode=max
           tags: ${{ steps.meta.outputs.tags }}
           load: ${{ github.event_name == 'pull_request' }}
           push: ${{ github.event_name != 'pull_request' }}
           platforms: ${{ github.event_name != 'pull_request' && env.platforms || '' }}
           annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
+          target: alpine
           pull: true
           sbom: ${{ github.event_name != 'pull_request' }}
           provenance: ${{ github.event_name != 'pull_request' }}
+          build-args: | 
+            BUILD_OS=alpine:${{ matrix.image }}
+            OPENSSL_VERSION=${{ matrix.openssl_version }}
 
       - name: Run Grype vulnerability scanner
         uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
         continue-on-error: true
         id: scan
         with:
-          image: ghcr.io/nginxinc/alpine-fips:${{ steps.meta.outputs.version }}
+          image: ghcr.io/nginxinc/alpine-fips:${{ steps.meta.outputs.version }}-alpine${{ matrix.image }}
           only-fixed: true
           add-cpes-if-none: true
+        if: ${{ github.event_name != 'pull_request' }}
 
       - name: Upload Anchore scan SARIF report
         uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
+        if: ${{ github.event_name != 'pull_request' }}
 
       - name: Create/Update Draft
         uses: lucacome/draft-release@e076259ceb036bc5f2c2a76559784c12cf8d2e74 # v1.0.4

diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,10 @@
-FROM alpine:3.19
-
+# syntax=docker/dockerfile:1.6
+ARG BUILD_OS=alpine:3.19
 ARG OPENSSL_VERSION=3.0.9
 
+FROM ${BUILD_OS} as alpine
+ARG OPENSSL_VERSION
+
 RUN apk add --no-cache --virtual .build-deps \
     make gcc libgcc musl-dev linux-headers perl vim \
     &&  wget https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz \