feat: build and release container image in CI

Signed-off-by: Felix Moessbauer <[email protected]>

Author: fmoessbauer

.github/actions/docker-init/action.yml

@@ -0,0 +1,100 @@
+# Copyright (C) 2025 Siemens
+#
+# SPDX-License-Identifier: MIT
+#
+# Derived from the https://github.com/siemens/kas docker-init action
+
+name: docker-init
+
+inputs:
+  deploy-user:
+    required: true
+  deploy-token:
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Set up QEMU
+      shell: bash
+      env:
+        QEMU_USER_STATIC_PACKAGE: qemu-user-static_7.2+dfsg-7+deb12u12_amd64.deb
+        REPO_DATE: 20250130T084806Z
+        PACKAGE_SHA256: 1a2696081c1f30d464f79fd300196822397c77f05440ea9ce6dc8e9658b595ec
+      run: |
+        # temporarily use Debian qemu-user-static until Ubuntu fixes theirs
+        wget -q http://snapshot.debian.org/archive/debian/${REPO_DATE}/pool/main/q/qemu/${QEMU_USER_STATIC_PACKAGE}
+        echo "${PACKAGE_SHA256} ${QEMU_USER_STATIC_PACKAGE}" | sha256sum -c
+        sudo dpkg -i ${QEMU_USER_STATIC_PACKAGE}
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+      with:
+        driver-opts: image=moby/buildkit:v0.16.0
+
+    - name: Login to ghcr.io
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ inputs.deploy-user }}
+        password: ${{ inputs.deploy-token }}
+
+    - name: Set SOURCE_DATE_EPOCH
+      run: |
+        echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+      shell: bash
+
+    - name: Determine Debian tag
+      run: |
+        COMMIT_DATE=$(date -d @$(git log -1 --pretty=%ct) +%Y%m%d)
+        DEBIAN_RELEASE=$(grep -m 1 'ARG DEBIAN_TAG=' Dockerfile | sed 's/.*DEBIAN_TAG=\(.*\)-.*/\1/')
+        echo "DEBIAN_TAG=$(podman search --list-tags docker.io/debian --limit 1000000000 | \
+                           grep "$DEBIAN_RELEASE-.*-slim" | sort -r | sed 's/.*[ ]\+//' | \
+                           ./scripts/lower-bound.py $DEBIAN_RELEASE-$COMMIT_DATE-slim )" \
+                           >> $GITHUB_ENV
+      shell: bash
+
+    - name: Prepare repository for COPY-in
+      run: |
+        git clone . /home/runner/debsbom-clone
+      shell: bash
+
+    - name: Define image metadata
+      run: |
+        echo "IMAGE_DESCRIPTION=debsbom generates (Software Bill of Materials) for distributions based on Debian" >> $GITHUB_ENV
+        # make image metadata reproducible (also for image re-builders)
+        echo "IMAGE_COMMIT_DATE=$(date -d @$(git log -1 --pretty=%ct) --iso-8601=seconds)" >> $GITHUB_ENV
+        echo "IMAGE_OFFICIAL_URL=https://github.com/siemens/debsbom" >> $GITHUB_ENV
+      shell: bash
+
+    - name: Extract metadata
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        annotations: |
+          org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}
+          org.opencontainers.image.licenses=MIT
+          org.opencontainers.image.created=${{ env.IMAGE_COMMIT_DATE }}
+          org.opencontainers.image.source=${{ env.IMAGE_OFFICIAL_URL }}
+          org.opencontainers.image.url=${{ env.IMAGE_OFFICIAL_URL }}
+      env:
+        DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+    - name: Cache apt
+      id: cache-apt
+      uses: actions/cache@v4
+      with:
+        path: |
+          var-cache-apt
+          var-lib-apt
+        key: cache-apt-${{ env.DEBIAN_TAG }}-${{ inputs.image-name }}
+
+    - name: Inject cache into docker
+      uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de #v3.1.2
+      with:
+        cache-map: |
+          {
+            "var-cache-apt": "/var/cache/apt",
+            "var-lib-apt": "/var/lib/apt"
+          }
+        skip-extraction: ${{ steps.cache.outputs.cache-hit }}

.github/workflows/containers.yml

@@ -0,0 +1,80 @@
+# Copyright (C) 2025 Siemens
+#
+# SPDX-License-Identifier: MIT
+name: Containers
+
+on:
+  push:
+
+jobs:
+  build_containers:
+    name: Build, test and deploy container images
+    needs:
+      - lint
+      - test
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@v4
+      - name: Set up docker build
+        uses: ./.github/actions/docker-init
+        with:
+          deploy-user: ${{ github.actor }}
+          deploy-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build debsbom image
+        uses: docker/build-push-action@v6
+        with:
+          context: /home/runner/debsbom-clone
+          target: debsbom
+          platforms: linux/amd64
+          build-args: |
+            SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+            DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+          outputs: type=docker,rewrite-timestamp=true
+          tags: ghcr.io/${{ github.repository }}/debsbom:test
+      - name: Test debsbom image
+        run: |
+          docker run ghcr.io/${{ github.repository }}/debsbom:test debsbom --version
+      - name: Complete build and deploy debsbom image
+        if: github.ref == 'refs/heads/main'
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: /home/runner/debsbom-clone
+          target: debsbom
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+            DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+          provenance: false
+          outputs: type=registry,rewrite-timestamp=true
+          tags: ghcr.io/${{ github.repository }}/debsbom:latest
+          annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
+      - name: Attest debsbom image
+        if: github.ref == 'refs/heads/main'
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ghcr.io/${{ github.repository }}/debsbom
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
+  cleanup_ghcr_containers:
+    name: cleanup untagged debsbom containers
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-24.04
+    needs: build_containers
+    permissions:
+      packages: write
+    steps:
+      - uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 #v1.0.16
+        with:
+          dry-run: false
+          validate: true
+          package: debsbom
+          token: ${{ secrets.GITHUB_TOKEN }}

scripts/lower-bound.py

@@ -0,0 +1,16 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2025 Siemens
+#
+# SPDX-License-Identifier: MIT
+#
+# Takes a reverse-sorted, line separated list and
+# returns the first element that is equal or smaller
+# than the first argument.
+
+import sys
+
+for line in sys.stdin:
+    if line.rstrip() <= sys.argv[1]:
+        print(line.rstrip())
+        break