Put metadata in image annotations

Attestations in the image manifest aren't really usable with current tooling.

This also uses GitHub to attest the image provenance

Author: dflook

.github/workflows/base-image.yaml

@@ -8,7 +8,7 @@ on:
       - image/Dockerfile-base
       - .github/workflows/base-image.yaml
   schedule:
-    - cron: 0 1 * * 1
+    - cron: 0 1 1 * *
 
 permissions:
   contents: read
@@ -17,31 +17,53 @@ jobs:
   push_image:
     runs-on: ubuntu-24.04
     name: Docker Images
-    env:
-      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+    permissions:
+      id-token: write
+      attestations: write
+    environment:
+      name: dockerhub
+      url: https://hub.docker.com/r/danielflook/terraform-github-actions-base/tags?name=${{ github.run_id }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           persist-credentials: false
 
       - name: Registry login
+        env:
+          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
         run: |
           echo $DOCKER_TOKEN | docker login --username danielflook --password-stdin
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
 
       - name: Base image
+        id: build-and-push
         run: |
           docker buildx build \
             --tag danielflook/terraform-github-actions-base:$GITHUB_RUN_ID \
             --tag danielflook/terraform-github-actions-base:latest  \
             --platform linux/amd64,linux/arm64 \
             --attest type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID \
+            --annotation "index,manifest:org.opencontainers.image.created=$(date '+%Y-%m-%dT%H:%M:%S%z')" \
+            --annotation "index,manifest:org.opencontainers.image.source=https://github.com/${{ github.repository }}" \
+            --annotation "index,manifest:org.opencontainers.image.revision=${{ github.sha }}" \
+            --annotation "index,manifest:org.opencontainers.image.title=terraform-github-actions-base" \
+            --annotation "index,manifest:org.opencontainers.image.description=Base image for terraform-github-actions" \
+            --annotation "index:org.opencontainers.image.ref.name=docker.io/danielflook/terraform-github-actions-base:$GITHUB_RUN_ID" \
+            --annotation "index,manifest:builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
+            --annotation "index,manifest:ref.tag=$GITHUB_RUN_ID" \
+            --annotation "index,manifest:org.opencontainers.image.base.name=docker.io/debian:bullseye-slim" \
             --file image/Dockerfile-base \
             --push \
             --iidfile manifest-list-digest.txt \
             image
 
           echo "digest=$(<manifest-list-digest.txt)" >> "$GITHUB_OUTPUT"
+
+      - name: Generate image attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: index.docker.io/danielflook/terraform-github-actions-base
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}

image/Dockerfile

@@ -5,14 +5,6 @@ ARG TARGETARCH
 ARG FETCH_CHECKSUMS
 ARG VERSION=99.0.0
 
-RUN gpg --recv-keys C874011F0AB405110D02105534365D9472D7468F \
- && echo "C874011F0AB405110D02105534365D9472D7468F:6:" | gpg --import-ownertrust
-
-RUN curl https://get.opentofu.org/opentofu.gpg | gpg --import \
- && echo "E3E6E43D84CB852EADB0051D0C0AF313E5FD9F80:6:" | gpg --import-ownertrust
-
-RUN gpg --check-trustdb
-
 COPY src/ /tmp/src/
 COPY setup.py /tmp
 RUN sed -i "s|version='.*'|version=\'${VERSION}\'|" /tmp/setup.py \
@@ -45,10 +37,6 @@ COPY tools/compact_plan.py /usr/local/bin/compact_plan
 COPY tools/format_tf_credentials.py /usr/local/bin/format_tf_credentials
 COPY tools/github_comment_react.py /usr/local/bin/github_comment_react
 
-RUN echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config \
- && echo "IdentityFile /.ssh/id_rsa" >> /etc/ssh/ssh_config \
- && mkdir -p /.ssh
-
 COPY tools/http_credential_actions_helper.py /usr/bin/git-credential-actions
 RUN git config --system credential.helper /usr/bin/git-credential-actions \
  && git config --system credential.useHttpPath true \

image/Dockerfile-base

@@ -6,16 +6,17 @@ RUN git clone https://github.com/cloudposse/tfmask.git \
  && make \
  && make go/build
 
-FROM debian:bullseye-slim as base
+FROM debian:bullseye-slim AS terraform-github-actions-base
 
 # Terraform environment variables
 ENV CHECKPOINT_DISABLE=true
 ENV TF_IN_AUTOMATION=true
 ENV TF_INPUT=false
 ENV TF_PLUGIN_CACHE_DIR=/usr/local/share/terraform/plugin-cache
 
-RUN apt-get update  \
- && apt-get install --no-install-recommends -y \
+RUN <<EOF
+ apt-get update
+ apt-get install --no-install-recommends -y \
     git \
     ssh \
     tar \
@@ -31,12 +32,23 @@ RUN apt-get update  \
     gpg \
     gpg-agent \
     dirmngr \
-    tree \
- && rm -rf /var/lib/apt/lists/*
+    tree
+ rm -rf /var/lib/apt/lists/*
 
-RUN mkdir -p $TF_PLUGIN_CACHE_DIR
+ mkdir -p $TF_PLUGIN_CACHE_DIR
+
+ gpg --recv-keys C874011F0AB405110D02105534365D9472D7468F
+ echo "C874011F0AB405110D02105534365D9472D7468F:6:" | gpg --import-ownertrust
+
+ curl https://get.opentofu.org/opentofu.gpg | gpg --import
+ echo "E3E6E43D84CB852EADB0051D0C0AF313E5FD9F80:6:" | gpg --import-ownertrust
+
+ gpg --check-trustdb
+
+ echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config
+ echo "IdentityFile /.ssh/id_rsa" >> /etc/ssh/ssh_config
+ mkdir -p /.ssh
+EOF
 
 COPY --from=tfmask /go/tfmask/release/tfmask /usr/local/bin/tfmask
 ENV TFMASK_RESOURCES_REGEX="(?i)^(random_id|kubernetes_secret|acme_certificate).*$"
-
-ENTRYPOINT ["/usr/local/bin/terraform"]