# Copyright (C) 2025 Siemens
#
# SPDX-License-Identifier: MIT
#
# Derived from the https://github.com/siemens/kas docker-init action
name: docker-init
inputs:
  deploy-user:
    required: true
  deploy-token:
    required: true
runs:
  using: composite
  steps:
    - name: Set up QEMU
      shell: bash
      env:
        QEMU_USER_STATIC_PACKAGE: qemu-user-static_7.2+dfsg-7+deb12u12_amd64.deb
        REPO_DATE: 20250130T084806Z
        PACKAGE_SHA256: 1a2696081c1f30d464f79fd300196822397c77f05440ea9ce6dc8e9658b595ec
      run: |
        # temporarily use Debian qemu-user-static until Ubuntu fixes theirs
        # the download is plain HTTP; integrity comes from the pinned SHA-256 checked below
        wget -q http://snapshot.debian.org/archive/debian/${REPO_DATE}/pool/main/q/qemu/${QEMU_USER_STATIC_PACKAGE}
        echo "${PACKAGE_SHA256}  ${QEMU_USER_STATIC_PACKAGE}" | sha256sum -c
        sudo dpkg -i ${QEMU_USER_STATIC_PACKAGE}
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3
      with:
        driver-opts: image=moby/buildkit:v0.16.0
    - name: Login to ghcr.io
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ inputs.deploy-user }}
        password: ${{ inputs.deploy-token }}
    - name: Set SOURCE_DATE_EPOCH
      run: |
        # use the timestamp of the last commit so rebuilds of the same commit are reproducible
        echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
      shell: bash
    - name: Determine Debian tag
      run: |
        COMMIT_DATE=$(date -d @$(git log -1 --pretty=%ct) +%Y%m%d)
        DEBIAN_RELEASE=$(grep -m 1 'ARG DEBIAN_TAG=' Dockerfile | sed 's/.*DEBIAN_TAG=\(.*\)-.*/\1/')
        echo "DEBIAN_TAG=$(podman search --list-tags docker.io/debian --limit 1000000000 | \
            grep "$DEBIAN_RELEASE-.*-slim" | sort -r | sed 's/.*[ ]\+//' | \
            ./scripts/lower-bound.py $DEBIAN_RELEASE-$COMMIT_DATE-slim )" \
            >> $GITHUB_ENV
      shell: bash
    - name: Prepare repository for COPY-in
      run: |
        git clone . /home/runner/debsbom-clone
      shell: bash
    - name: Define image metadata
      run: |
        echo "IMAGE_DESCRIPTION=debsbom generates (Software Bill of Materials) for distributions based on Debian" >> $GITHUB_ENV
        # make image metadata reproducible (also for image re-builders)
        echo "IMAGE_COMMIT_DATE=$(date -d @$(git log -1 --pretty=%ct) --iso-8601=seconds)" >> $GITHUB_ENV
        echo "IMAGE_OFFICIAL_URL=https://github.com/siemens/debsbom" >> $GITHUB_ENV
      shell: bash
    - name: Extract metadata
      id: meta
      uses: docker/metadata-action@v5
      with:
        annotations: |
          org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}
          org.opencontainers.image.licenses=MIT
          org.opencontainers.image.created=${{ env.IMAGE_COMMIT_DATE }}
          org.opencontainers.image.source=${{ env.IMAGE_OFFICIAL_URL }}
          org.opencontainers.image.url=${{ env.IMAGE_OFFICIAL_URL }}
      env:
        DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
    - name: Cache apt
      id: cache-apt
      uses: actions/cache@v4
      with:
        path: |
          var-cache-apt
          var-lib-apt
        # NOTE: image-name is not declared under `inputs` above, so this
        # expression expands to an empty string
        key: cache-apt-${{ env.DEBIAN_TAG }}-${{ inputs.image-name }}
    - name: Inject cache into docker
      uses: reproducible-containers/buildkit-cache-dance@5b81f4d29dc8397a7d341dba3aeecc7ec54d6361 #v3.3.0
      with:
        cache-map: |
          {
            "var-cache-apt": "/var/cache/apt",
            "var-lib-apt": "/var/lib/apt"
          }
        # refer to the "Cache apt" step by its id (cache-apt)
        skip-extraction: ${{ steps.cache-apt.outputs.cache-hit }}