From 1300f93d16024c0dbfc1905df47c0dd0bd9c99ab Mon Sep 17 00:00:00 2001
From: Sebastian Noe
Date: Mon, 11 May 2026 20:14:26 +0200
Subject: [PATCH] ci: replace Docker Hub workflow with hardened GHCR pipeline (#5)

- Add docker-publish.yml: builds, signs (cosign), and attests images on GHCR
- All actions SHA-pinned for supply chain protection
- Minimal GITHUB_TOKEN permissions (deny-all default)
- SBOM generation and SLSA provenance attestation
- Multi-platform builds (amd64 + arm64) with GHA caching
- Triggers only on *.*.*-fork* tags (pre-releases skip 'latest')
- Add dependabot.yml for automated action/gem/npm updates
- Remove old docker.yml (pushed to upstream's Docker Hub registry)

Co-authored-by: Sebastian Noe
---
 .github/dependabot.yml               | 22 +++++++
 .github/workflows/docker-publish.yml | 85 ++++++++++++++++++++++++++++
 .github/workflows/docker.yml         | 47 ---------------
 3 files changed, 107 insertions(+), 47 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/docker-publish.yml
 delete mode 100644 .github/workflows/docker.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..aa8878a2
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,22 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "ci"
+  - package-ecosystem: "bundler"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps"
+    open-pull-requests-limit: 5
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps"
+    open-pull-requests-limit: 5
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 00000000..dd5b519e
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
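Review bot: The new dependabot.yml covers GitHub Actions, bundler and npm but has no entry for the Docker ecosystem, so the base image referenced by the Dockerfile that the new publish workflow builds from (`context: .`) never gets a bump PR, even though that image is the largest unpinned piece of the supply chain this commit is hardening. Add a fourth entry `- package-ecosystem: "docker"` with `directory: "/"` and the same weekly schedule and `prefix: "deps"`; if the Dockerfile lives in a subdirectory, point `directory` there instead. Note also that `open-pull-requests-limit` is left at its default for the github-actions entry while the other two set it to 5 — harmless, but worth making consistent.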
@@ -0,0 +1,85 @@
+name: Build and Publish Docker Image
+
+on:
+  push:
+    tags:
+      - "*.*.*-fork*"
+
+permissions: {}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=match,pattern=(.*),group=1
+            type=raw,value=latest,enable=${{ !contains(github.ref, '-alpha') && !contains(github.ref, '-beta') && !contains(github.ref, '-rc') }}
+            type=sha,prefix=sha-
+          labels: |
+            org.opencontainers.image.title=DocuSeal (Fork)
+            org.opencontainers.image.description=DocuSeal with Teams, Reminders, and White-label features
+            org.opencontainers.image.vendor=s256
+            org.opencontainers.image.source=https://github.com/s256/docuseal-with-some-pro-features
+
+      - name: Create .version file
+        env:
+          VERSION: ${{ github.ref_name }}
+        run: echo "$VERSION" > .version
+
+      - name: Build and push Docker image
+        id: build
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@3454372be43e8dd44c6a73b22b8f0b4c0d0c4f8e # v3.8.2
+
+      - name: Sign image with cosign
+        run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@fc73183ea2a8c7b2c8e54ba5b67b0c8b67e89ef5 # v0.18.0
+        with:
+          image: ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
deleted file mode 100644
index 2eb09ddc..00000000
--- a/.github/workflows/docker.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-name: Build Docker Images
-
-on:
-  push:
-    tags:
-      - "*.*.*"
-
-jobs:
-  build:
-    runs-on: ubuntu-24.04-arm
-    timeout-minutes: 30
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-        with:
-          submodules: recursive
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v4
-        with:
-          images: docuseal/docuseal
-          tags: type=semver,pattern={{version}}
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Create .version file
-        run: echo ${{ github.ref_name }} > .version
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          platforms: linux/amd64,linux/arm64
-          tags: ${{ steps.meta.outputs.tags }}
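Review bot: The `actions/checkout` step leaves `persist-credentials` at its default of true, so the job's GITHUB_TOKEN (which here carries `packages: write`) is written into `.git/config`, and with `context: .` that directory is part of the Docker build context — unless the Dockerfile or a `.dockerignore` excludes `.git` (not visible in this diff), a `COPY . .` would bake the token into a published layer; no later step pushes to git, so add `with:` / `persist-credentials: false` under the checkout. The removed docker.yml checked out with `submodules: recursive` and this workflow drops it, so if the repository has submodules the image build will silently miss them — restore that line or confirm none exist. Separately, `anchore/sbom-action` as configured appears to only produce a workflow artifact, so the SBOM the commit message advertises is never attached to the image; pass `sbom: true` to `docker/build-push-action`, or run `cosign attest --yes --type spdxjson --predicate <sbom.json> ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}` after signing so consumers can verify it alongside the signature. A short header comment documenting the intended verification command (`cosign verify` with `--certificate-identity-regexp` for this repo's workflow and `--certificate-oidc-issuer https://token.actions.githubusercontent.com`) would also make the signing step actually usable downstream.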