Skip to content

Docker

Docker #144

Workflow file for this run

###############################################################################
# _ _ _ _ _____ _
# | | | | | | | | | __ \(_)
# | | ___ | |__ _ __ | |_| |__ ___ | |__) |_ _ __ _ __ ___ _ __
# _ | |/ _ \| '_ \| '_ \ | __| '_ \ / _ \ | _ /| | '_ \| '_ \ / _ \ '__|
# | |__| | (_) | | | | | | | | |_| | | | __/ | | \ \| | |_) | |_) | __/ |
# \____/ \___/|_| |_|_| |_| \__|_| |_|\___| |_| \_\_| .__/| .__/ \___|_|
# | | | |
# |_| |_|
#
# Copyright (c) 2021-2023 Claudio André <claudioandre.br at gmail.com>
#
# This program comes with ABSOLUTELY NO WARRANTY; express or implied.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, as expressed in version 2, seen at
# http://www.gnu.org/licenses/gpl-2.0.html
###############################################################################
# GitHub Action to build John the Ripper's Docker image
# More info at https://github.com/openwall/john-packages
---
name: Docker
"on":
push:
branches: [docker]
workflow_dispatch:
inputs:
VERSION_NAME:
description: "The software version name"
required: true
default: "1.9.0-jumbo-1+"
tag:
description: "The image tag"
required: true
type: choice
default: "latest"
options:
- latest
- rolling
extra:
description: "Add another image tag"
type: string
push:
description: "Push the image to Docker registry?"
type: boolean
default: false
env:
REPO: ghcr.io/${{ github.repository_owner }}/john
permissions: read-all
jobs:
build:
name: Build Docker image
runs-on: ubuntu-latest
permissions:
attestations: write
id-token: write
packages: write
outputs:
image: ${{ env.REPO }}:${{ github.event.inputs.tag }}
digest: ${{ steps.build-and-push.outputs.digest }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
archive.ubuntu.com:80
auth.docker.io:443
developer.download.nvidia.com:443
fulcio.sigstore.dev:443
ghcr.io:443
github.com:443
objects.githubusercontent.com:443
ports.ubuntu.com:80
production.cloudflare.docker.com:443
raw.githubusercontent.com:443
registry-1.docker.io:443
rekor.sigstore.dev:443
security.ubuntu.com:80
- name: Check out the repo
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Get data
id: data
run: |
image_name="${{ env.REPO }}:${{ github.event.inputs.tag || 'test' }}"
version="1.9.$(date +%Y%m%d)"
image_tags="${image_name},"
image_tags+="${image_name}_J${{ github.run_number }},"
image_tags+="${image_name}_${version}"
if [[ -n "${{ github.event.inputs.extra }}" ]]; then
image_tags+=",${{ env.REPO }}:${{ github.event.inputs.extra }}"
fi
#TODO: edit before release (JUMBO_RELEASE)
{
echo "now=$(date -u)"
echo "revision=$(git rev-parse --short=7 HEAD 2>/dev/null)"
echo "version=$version"
echo "image_tags=$image_tags"
} >> "$GITHUB_OUTPUT"
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ env.REPO }}:${{ github.event.inputs.tag }}
labels: |
org.opencontainers.image.authors="Claudio André <claudioandre.br at gmail com>"
software="John the Ripper ${{ github.event.inputs.VERSION_NAME }}"
org.opencontainers.image.description="John the Ripper is an Open Source password security auditing and password recovery tool. See https://www.openwall.com/john/"
- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- name: Log in to GitHub Container Registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build image
id: build-and-push
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
context: "${{ github.workspace }}/deploy/docker"
platforms: linux/amd64,linux/arm64
push: ${{
(github.event.inputs.push || false)
}}
build-args: |
TYPE=ALL
RELEASE_COMMIT=f9fedd238b0b1d69181c1fef033b85c787e96e57
tags: ${{ steps.data.outputs.image_tags }}
labels: |
${{ steps.meta.outputs.labels }}
outputs: "type=image,name=target,\
annotation-index.software=John the Ripper ${{ github.event.inputs.VERSION_NAME }},\
annotation-index.org.opencontainers.image.authors=Claudio André <claudioandre.br at gmail com>,\
annotation-index.org.opencontainers.image.created=${{ steps.data.outputs.now }},\
annotation-index.org.opencontainers.image.description=John the Ripper is an Open Source password security auditing and password recovery tool. See https://www.openwall.com/john/,\
annotation-index.org.opencontainers.image.licenses=GPL-2.0,\
annotation-index.org.opencontainers.image.revision=${{ steps.data.outputs.revision }},\
annotation-index.org.opencontainers.image.source=https://github.com/openwall/john-packages.git,\
annotation-index.org.opencontainers.image.title=John the Ripper CE Auditing Tool,\
annotation-index.org.opencontainers.image.url=https://www.openwall.com/john,\
annotation-index.org.opencontainers.image.vendor=Openwall,\
annotation-index.org.opencontainers.image.version=${{ steps.data.outputs.version }}"
- name: Upload attestation
uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1
if: ${{ github.event.inputs.push == 'true' }}
with:
subject-name: ${{ env.REPO }}:${{ github.event.inputs.tag }}
subject-digest: ${{ steps.build-and-push.outputs.digest }}
provenance:
if: ${{ github.event.inputs.push == 'true' }}
needs: [build]
permissions:
actions: read # for detecting the GitHub Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ needs.build.outputs.image }}
digest: ${{ needs.build.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}