Skip to content
This repository was archived by the owner on Jan 24, 2026. It is now read-only.

feat: add Docker image publishing#28

Open
jmgilman wants to merge 6 commits intomasterfrom
feat/docker-image
Open

feat: add Docker image publishing#28
jmgilman wants to merge 6 commits intomasterfrom
feat/docker-image

Conversation

@jmgilman
Copy link
Contributor

@jmgilman jmgilman commented Jan 10, 2026

Summary

  • Add Docker image publishing to both GHCR (ghcr.io/meigma/blobber) and Docker Hub (meigma/blobber)
  • Multi-architecture support: linux/amd64 and linux/arm64
  • Base image: dhi.io/debian-base:trixie (Docker Hardened Image)

Security

  • Hadolint - Dockerfile linting in CI
  • Trivy - Vulnerability scanning with SARIF upload to GitHub Security
  • Cosign - Keyless image signing via Sigstore
  • Syft - SBOM generation attached as attestations

Workflows

Workflow Trigger Purpose
docker-ci.yml PR / push to master Lint, build, scan
docker-release.yml Tag push (v*) / workflow_dispatch Build, push, sign, attest

Image Tags

For a release like v1.2.3:

  • 1.2.3 - Full version
  • 1.2 - Minor (rolling)
  • 1 - Major (rolling)
  • latest - Most recent release

Required Secrets

Before merging, add these secrets to the repository:

  • DOCKERHUB_USERNAME - Docker Hub username
  • DOCKERHUB_TOKEN - Docker Hub access token

Test plan

  • CI workflow passes (Hadolint + Trivy)
  • After merge, run release workflow via workflow_dispatch with tag v1.1.0
  • Verify images are pushed to both registries
  • Verify signatures with cosign verify

🤖 Generated with Claude Code

@jmgilman @claude
feat: add Docker image publishing
891a013 
Add Docker image publishing to GHCR and Docker Hub with:
- Multi-architecture support (linux/amd64, linux/arm64)
- Hadolint linting and Trivy security scanning in CI
- Cosign keyless signing and SBOM attestation
- Separate CI and release workflows

Base image: dhi.io/debian-base:trixie (Docker Hardened Image)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Jan 10, 2026
edited
Loading

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 blobber b1e0eeb Commit Preview URL

Branch Preview URL		 Jan 10 2026, 04:10 AM

jmgilman and others added 2 commits January 9, 2026 18:54
@jmgilman @claude
fix(docker): add Docker Hub login for DHI base image
4f5d1dc 
DHI (Docker Hardened Images) require authentication to pull,
even though they're free.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@jmgilman @claude
fix(docker): use debian:trixie-slim base image
1f81173 
DHI images (dhi.io) require special registry authentication
that's separate from Docker Hub. Switch to the official
debian:trixie-slim image which is publicly available.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-advanced-security
Copy link

github-advanced-security bot commented Jan 10, 2026

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

jmgilman and others added 3 commits January 9, 2026 19:02
@jmgilman @claude
fix(docker): use distroless base image
fb997bf 
Switch from debian:trixie-slim (which has CVEs) to
gcr.io/distroless/static-debian12:nonroot which:
- Has virtually no CVEs (minimal attack surface)
- Is perfect for static Go binaries
- Already runs as non-root (uid 65532)
- Includes CA certificates

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@jmgilman @claude
refactor(docker): replace Cosign/Syft with GitHub attestations
8059ce4 
Replace manual Cosign signing and Syft SBOM generation with GitHub's
native `actions/attest-build-provenance` action.

Changes:
- Add `attestations: write` permission
- Use `index.docker.io` prefix for Docker Hub (required for attestations)
- Remove `sign-and-attest` job (3 separate jobs -> 1 job)
- Remove `verify` job (use `gh attestation verify` instead)
- Remove BuildKit provenance/sbom (redundant with GitHub attestations)

Verification command:
  gh attestation verify oci://ghcr.io/meigma/blobber:latest -R meigma/blobber

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@jmgilman @claude
feat(docker): add SBOM generation and attestation
b1e0eeb 
Add SBOM generation using anchore/sbom-action and attestation using
actions/attest-sbom for both GHCR and Docker Hub images.

- Generate SBOM with Syft via anchore/sbom-action
- Attest SBOM to both registries with actions/attest-sbom
- Disable artifact upload (attestation is the primary distribution)

Verification:
  gh attestation verify oci://ghcr.io/meigma/blobber:latest -R meigma/blobber \
    --predicate-type https://spdx.dev/Document

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jmgilman