Skip to content

Docker

Docker #157

Workflow file for this run

###############################################################################
# _ _ _ _ _____ _
# | | | | | | | | | __ \(_)
# | | ___ | |__ _ __ | |_| |__ ___ | |__) |_ _ __ _ __ ___ _ __
# _ | |/ _ \| '_ \| '_ \ | __| '_ \ / _ \ | _ /| | '_ \| '_ \ / _ \ '__|
# | |__| | (_) | | | | | | | | |_| | | | __/ | | \ \| | |_) | |_) | __/ |
# \____/ \___/|_| |_|_| |_| \__|_| |_|\___| |_| \_\_| .__/| .__/ \___|_|
# | | | |
# |_| |_|
#
# Copyright (c) 2021-2024 Claudio André <dev at claudioandre.slmail.me>
#
# This program comes with ABSOLUTELY NO WARRANTY; express or implied.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, as expressed in version 2, seen at
# http://www.gnu.org/licenses/gpl-2.0.html
###############################################################################
# GitHub Action to build John the Ripper's Docker image
# More info at https://github.com/openwall/john-packages
---
name: Docker
"on":
push:
branches: [docker]
workflow_dispatch:
inputs:
VERSION_NAME:
description: "The software version name"
required: true
default: "1.9J1+"
tag:
description: "The image tag"
required: true
type: choice
default: "bleeding"
options:
- bleeding
- latest
extra:
description: "Add another image tag"
type: string
push:
description: "Push the image to Docker registry?"
type: boolean
default: false
env:
REPO: ghcr.io/${{ github.repository_owner }}/john
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
name: build-image
permissions:
attestations: write
id-token: write
packages: write
outputs:
image: ${{ env.REPO }}:${{ github.event.inputs.tag }}
digest: ${{ steps.build-and-push.outputs.digest }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
archive.ubuntu.com:80
auth.docker.io:443
developer.download.nvidia.com:443
fulcio.sigstore.dev:443
ghcr.io:443
github.com:443
objects.githubusercontent.com:443
ports.ubuntu.com:80
production.cloudflare.docker.com:443
raw.githubusercontent.com:443
registry-1.docker.io:443
rekor.sigstore.dev:443
security.ubuntu.com:80
- name: Check out the repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Get data
id: data
run: |
image_name="${{ env.REPO }}:${{ github.event.inputs.tag || 'test' }}"
version="1.9.$(date +%Y%m%d)"
image_tags="${image_name},"
image_tags+="${image_name}_J${{ github.run_number }},"
image_tags+="${image_name}_${version}"
if [[ -n "${{ github.event.inputs.extra }}" ]]; then
image_tags+=",${{ env.REPO }}:${{ github.event.inputs.extra }}"
fi
#TODO: edit before release (BLEEDING_RELEASE)
{
echo "now=$(date -u)"
echo "revision=$(git rev-parse --short=7 HEAD 2>/dev/null)"
echo "version=$version"
echo "image_tags=$image_tags"
} >> "$GITHUB_OUTPUT"
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ env.REPO }}:${{ github.event.inputs.tag }}
labels: |
software=John the Ripper ${{ github.event.inputs.VERSION_NAME }}
org.opencontainers.image.authors=Claudio André <dev at claudioandre.slmail.me>
org.opencontainers.image.description=John the Ripper is an Open Source password security auditing and password recovery tool. See https://www.openwall.com/john/
org.opencontainers.image.title=John the Ripper CE Auditing Tool
org.opencontainers.image.url=https://www.openwall.com/john
org.opencontainers.image.version=${{ steps.data.outputs.version }}
org.opencontainers.image.vendor=Openwall
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Log in to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build image
id: build-and-push
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: "${{ github.workspace }}/deploy/docker"
platforms: linux/amd64,linux/arm64
push: ${{
(github.event.inputs.push || false)
}}
build-args: |
TYPE=ALL
RELEASE_COMMIT=f8e9ca1eac15e25170d21b77e66ec77efa0b7d0d
tags: ${{ steps.data.outputs.image_tags }}
labels: |
${{ steps.meta.outputs.labels }}
outputs: "type=image,name=target,\
annotation-index.org.opencontainers.image.description=John the Ripper is an Open Source password security auditing and password recovery tool. See https://www.openwall.com/john/"
- name: Upload attestation
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
if: ${{ github.event.inputs.push == 'true' }}
with:
subject-name: ${{ env.REPO }}:${{ github.event.inputs.tag }}
subject-digest: ${{ steps.build-and-push.outputs.digest }}
provenance:
if: ${{ github.event.inputs.push == 'true' }}
needs: [build]
permissions:
actions: read # for detecting the GitHub Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ needs.build.outputs.image }}
digest: ${{ needs.build.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}