docker.yml

###############################################################################
#        _       _             _   _            _____  _
#       | |     | |           | | | |          |  __ \(_)
#       | | ___ | |__  _ __   | |_| |__   ___  | |__) |_ _ __  _ __   ___ _ __
#   _   | |/ _ \| '_ \| '_ \  | __| '_ \ / _ \ |  _  /| | '_ \| '_ \ / _ \ '__|
#  | |__| | (_) | | | | | | | | |_| | | |  __/ | | \ \| | |_) | |_) |  __/ |
#   \____/ \___/|_| |_|_| |_|  \__|_| |_|\___| |_|  \_\_| .__/| .__/ \___|_|
#                                                       | |   | |
#                                                       |_|   |_|
#
# Copyright (c) 2021-2024 Claudio André <dev at claudioandre.slmail.me>
#
# This program comes with ABSOLUTELY NO WARRANTY; express or implied.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, as expressed in version 2, seen at
# http://www.gnu.org/licenses/gpl-2.0.html
###############################################################################
# GitHub Action to build John the Ripper's Docker image
# More info at https://github.com/openwall/john-packages

---
name: Docker

"on":
  push:
    branches: [docker]
  workflow_dispatch:
    inputs:
      VERSION_NAME:
        description: "The software version name"
        required: true
        default: "1.9J1+"
      tag:
        description: "The image tag"
        required: true
        type: choice
        default: "bleeding"
        options:
          - bleeding
          - latest
      extra:
        description: "Add another image tag"
        type: string

      push:
        description: "Push the image to Docker registry?"
        type: boolean
        default: false

env:
  REPO: ghcr.io/${{ github.repository_owner }}/john

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    name: build-image

    permissions:
      attestations: write
      id-token: write
      packages: write

    outputs:
      image: ${{ env.REPO }}:${{ github.event.inputs.tag }}
      digest: ${{ steps.build-and-push.outputs.digest }}

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            archive.ubuntu.com:80
            auth.docker.io:443
            developer.download.nvidia.com:443
            fulcio.sigstore.dev:443
            ghcr.io:443
            github.com:443
            objects.githubusercontent.com:443
            ports.ubuntu.com:80
            production.cloudflare.docker.com:443
            raw.githubusercontent.com:443
            registry-1.docker.io:443
            rekor.sigstore.dev:443
            security.ubuntu.com:80

      - name: Check out the repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Get data
        id: data
        run: |
          image_name="${{ env.REPO }}:${{ github.event.inputs.tag || 'test' }}"
          version="1.9.$(date +%Y%m%d)"

          image_tags="${image_name},"
          image_tags+="${image_name}_J${{ github.run_number }},"
          image_tags+="${image_name}_${version}"

          if [[ -n "${{ github.event.inputs.extra }}" ]]; then
            image_tags+=",${{ env.REPO }}:${{ github.event.inputs.extra }}"
          fi
          #TODO: edit before release (BLEEDING_RELEASE)
          {
            echo "now=$(date -u)"
            echo "revision=$(git rev-parse --short=7 HEAD 2>/dev/null)"
            echo "version=$version"
            echo "image_tags=$image_tags"
          } >> "$GITHUB_OUTPUT"

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
        with:
          images: ${{ env.REPO }}:${{ github.event.inputs.tag }}
          labels: |
            software=John the Ripper ${{ github.event.inputs.VERSION_NAME }}
            org.opencontainers.image.authors=Claudio André <dev at claudioandre.slmail.me>
            org.opencontainers.image.description=John the Ripper is an Open Source password security auditing and password recovery tool. See https://www.openwall.com/john/
            org.opencontainers.image.title=John the Ripper CE Auditing Tool
            org.opencontainers.image.url=https://www.openwall.com/john
            org.opencontainers.image.version=${{ steps.data.outputs.version }}
            org.opencontainers.image.vendor=Openwall

      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build image
        id: build-and-push
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          context: "${{ github.workspace }}/deploy/docker"
          platforms: linux/amd64,linux/arm64
          push: ${{
            (github.event.inputs.push || false)
            }}
          build-args: |
            TYPE=ALL
            RELEASE_COMMIT=f9fedd238b0b1d69181c1fef033b85c787e96e57
          tags: ${{ steps.data.outputs.image_tags }}
          labels: |
            ${{ steps.meta.outputs.labels }}
          outputs: "type=image,name=target,\
            annotation-index.org.opencontainers.image.description=John the Ripper is an Open Source password security auditing and password recovery tool. See https://www.openwall.com/john/"

      - name: Upload attestation
        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
        if: ${{ github.event.inputs.push == 'true' }}
        with:
          subject-name: ${{ env.REPO }}:${{ github.event.inputs.tag }}
          subject-digest: ${{ steps.build-and-push.outputs.digest }}

  provenance:
    if: ${{ github.event.inputs.push == 'true' }}
    needs: [build]
    permissions:
      actions: read # for detecting the GitHub Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.

    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ${{ needs.build.outputs.image }}
      digest: ${{ needs.build.outputs.digest }}
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}