Dockerfile and CI more secure

.github/workflows/ci.yaml

@@ -1,42 +1,145 @@
-name: CI
+name: ci
 on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
   push:
     branches:
       - main
-  pull_request:
 permissions:
   contents: read
 jobs:
-  test:
+  test-code:
     runs-on: ubuntu-latest
     steps:
-      - name: checkout
+      - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - name: setup-go
+      - name: Fetch all tags
+        run: git fetch --force --tags
+      - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version-file: go.mod
-      - name: make test
-        run: |
-          make test
-      - name: lint
-        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+          go-version-file: 'go.mod'
+      - name: Run Go Vet
+        run: go vet ./...    
+      - name: Run Go Tests
+        run: go test ./... -cover -race
+      - name: Build binary
+        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          args: build --snapshot
+      - name: Install license check tool
+        run: go install github.com/google/addlicense@dc31ac9ffcca99c9457226366135701794b128c0
+      - name: Check licenses
+        run: addlicense -l apache -check -v -ignore '**/*.yaml' -c 'The Score Authors' ./cmd ./internal/
+  test-multi-arch-build:
+    uses: docker/github-builder/.github/workflows/build.yml@2497a7d1e7d8683af4949c9d6d62012bc16ed59c # v1.5.0
+    if: ${{ !github.event.pull_request.head.repo.fork }}
+    with:
+      output: image
+      push: false
+      platforms: linux/amd64,linux/arm64
+      sbom: true
+      cache: true
+      context: .
+      set-meta-labels: true
+      set-meta-annotations: true
+      meta-images: |
+        score-helm
+      meta-tags: |
+        type=ref,event=pr
+    secrets:
+      registry-auths: |
+        - username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+  test-container:
+    runs-on: ubuntu-latest
+    if: ${{ !github.event.pull_request.head.repo.fork }}
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - name: Set up Docker
+        uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5.0.0
+        with:
+          daemon-config: |
+            {
+              "debug": true,
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: latest
-      - name: Build docker image
+      - name: docker login docker.io
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+      - name: docker login dhi.io
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: dhi.io
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+      - name: Build container image from PR branch
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        with:
+          context: .
+          push: false
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: mode=max
+          sbom: true
+          tags: score-helm:pr-${{ github.event.number }}
+      - name: docker images
+        run: |
+          docker images
+      - name: checkout code in main branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: main
+      - name: Build container image from main branch
         uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
           push: false
           load: true
-          tags: score-helm:test
-          build-args: |
-            "VERSION=test"
-      - name: make test-app
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: mode=max
+          sbom: true
+          tags: score-helm:main
+      - name: docker images
         run: |
-          make test-app
-      - name: make test-container
+          docker images
+      - name: Docker Scout Comparison between main branch and current PR branch
+        uses: docker/scout-action@bacf462e8d090c09660de30a6ccc718035f961e3 # v1.20.4
+        with:
+          command: compare
+          image: local://score-helm:pr-${{ github.event.number }}
+          to: local://score-helm:main
+          write-comment: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          organization: ${{ secrets.DOCKER_HUB_ORG }}
+      - name: Test docker image built in PR branch
         run: |
-          make test-container
+          mkdir test
+          sudo chown -R 65532:65532 test/
+          cd test
+          docker run --rm score-helm:pr-${{ github.event.number }} --version
+          docker run -v .:/score-helm --rm score-helm:pr-${{ github.event.number }} init
+          cat score.yaml

.github/workflows/release.yaml

@@ -0,0 +1,71 @@
+name: release
+on:
+  push:
+    tags:
+      - v**
+permissions:
+  contents: read
+jobs:
+  release-go-binary:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - name: Fetch all tags
+        run: git fetch --force --tags
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: 'go.mod'
+      - name: test
+        run: go run gotest.tools/gotestsum@latest --format github-actions
+      - name: lint
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+        with:
+          version: latest
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAP_GITHUB_TOKEN: ${{ secrets.TAP_GITHUB_TOKEN }}
+  release-container-image:
+    uses: docker/github-builder/.github/workflows/build.yml@2497a7d1e7d8683af4949c9d6d62012bc16ed59c # v1.5.0
+    permissions:
+      id-token: write # to sign attestation(s) with GitHub OIDC Token
+      packages: write # to push container image to ghcr
+    with:
+      output: image
+      push: true
+      platforms: linux/amd64,linux/arm64
+      sbom: true
+      cache: true
+      context: .
+      set-meta-labels: true
+      set-meta-annotations: true
+      build-args: |
+        "VERSION=${{ github.ref_name }}"
+      meta-images: |
+        ghcr.io/score-spec/score-helm
+        scorespec/score-helm
+      meta-tags: |
+        type=ref,event=tag
+        latest
+    secrets:
+      registry-auths: |
+        - registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+        - username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_RELEASE_TOKEN }}

.github/workflows/upgrade-go-version.yaml

@@ -0,0 +1,46 @@
+name: Upgrade Go version
+on:
+  workflow_dispatch:
+    inputs:
+      go-version:
+        required: true
+      go-toolchain-version:
+        required: true
+permissions:
+  contents: read
+jobs:
+  upgrade-go-version:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: ${{ github.event.inputs.go-toolchain-version }}
+      - name: go get all
+        run: |
+          go mod edit -go ${{ github.event.inputs.go-version }}
+          go mod edit -toolchain go${{ github.event.inputs.go-toolchain-version }}
+          go get -u all
+          go mod tidy
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: Upgrade Go version to ${{ github.event.inputs.go-toolchain-version }}
+          title: Upgrade Go version to ${{ github.event.inputs.go-toolchain-version }}
+          body: |
+            Upgrade Go version to ${{ github.event.inputs.go-toolchain-version }}:
+            https://go.dev/doc/devel/release
+            - [ ] Set PR as "Ready for review"
+            - [ ] Check CI
+            - [ ] Submit PR review
+          branch: upgrade-go
+          delete-branch: true
+          signoff: true
+          draft: always-true # Because of: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs.

Dockerfile

@@ -1,6 +1,6 @@
-FROM golang:1.26-alpine@sha256:c2a1f7b2095d046ae14b286b18413a05bb82c9bca9b25fe7ff5efef0f0826166 AS builder
+FROM --platform=$BUILDPLATFORM dhi.io/golang:1.26.1-alpine3.23-dev@sha256:fed0e3e2b4ca2502dc31c9dd7602539f08c4ac5216ae00bcbf56a64a0a8fcfca AS builder
 
-ARG VERSION
+ARG VERSION=0.0.0
 
 # Set the current working directory inside the container.
 WORKDIR /go/src/github.com/score-spec/score-helm
@@ -11,10 +11,10 @@ RUN go mod download
 
 # Copy the entire project and build it.
 COPY . .
-RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-X github.com/score-spec/score-helm/internal/version.Version=${VERSION}" -o /usr/local/bin/score-helm ./cmd/score-helm
+RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w -X github.com/score-spec/score-helm/internal/version.Version=${VERSION}" -o /usr/local/bin/score-helm ./cmd/score-helm
 
-# We can use gcr.io/distroless/static since we don't rely on any linux libs or state, but we need ca-certificates to connect to https/oci with the init command.
-FROM gcr.io/distroless/static:530158861eebdbbf149f7e7e67bfe45eb433a35c@sha256:5c7e2b465ac6a2a4e5f4f7f722ce43b147dabe87cb21ac6c4007ae5178a1fa58
+# We can use static since we don't rely on any linux libs or state, but we need ca-certificates to connect to https/oci with the init command.
+FROM dhi.io/static:20251003-alpine3.23@sha256:a08d9a53a4758b4006d56341aa88b1edf583ddebd93e620a32acd5135535573c
 
 # Set the current working directory inside the container.
 WORKDIR /score-helm
@@ -23,4 +23,4 @@ WORKDIR /score-helm
 COPY --from=builder /usr/local/bin/score-helm /usr/local/bin/score-helm
 
 # Run the binary.
-ENTRYPOINT ["/usr/local/bin/score-helm"]
+ENTRYPOINT ["/usr/local/bin/score-helm"]