Merge pull request #41 from ironpeakservices/fix/ci

Feature: GitHub Container Registry

.github/workflows/release.yaml

@@ -0,0 +1,39 @@
+
+on:
+  push:
+    branches:
+    - master
+
+name: Publish Image
+jobs:
+  dockerpush:
+    name: docker build
+    runs-on: ubuntu-latest
+    steps:
+    - 
+      uses: actions/[email protected]
+    - 
+      uses: go-semantic-release/action@v1
+      id: version
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+    - 
+      run: echo "Pushing version ${{ steps.version.outputs.version }}"
+    - 
+      name: Publish to Registry
+      uses: elgohr/[email protected]
+      with:
+        registry: ghcr.io
+        name: "ghcr.io/ironpeakservices/iron-alpine:${{ steps.version.outputs.version }}"
+        username: hazcod
+        password: ${{ secrets.PACKAGE_TOKEN }}
+    - 
+      name: Create GitHub release
+      uses: actions/[email protected]
+      with:
+          tag_name: ${{ steps.version.outputs.version }}
+          release_name: iron-alpine
+          draft: false
+          prerelease: false
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/security.yaml

@@ -0,0 +1,60 @@
+name: Security
+
+on:
+  push:
+    branches: [master]
+  schedule:
+    - cron: '0 11 * * 2'
+
+jobs:
+  dockerscan:
+    name: Docker Scan
+    runs-on: ubuntu-latest
+    steps:
+      - 
+        uses: actions/checkout@v1
+      - 
+        name: Set env
+        run: echo ::set-env name=RELEASE_VERSION::$(git describe --tags $(git rev-list --tags --max-count=1))
+      -
+         name: Docker login
+         env:
+           USER: hazcod
+           REGISTRY: docker.pkg.github.com
+         run: echo "${{ secrets.PACKAGE_TOKEN }}" | docker login -u "${USER}" --password-stdin "${REGISTRY}"
+      -
+         name: Docker pull
+         run: docker pull "docker.pkg.github.com/ironpeakservices/iron-alpine:${{ env.RELEASE_VERSION }}" 
+      -
+        name: Run vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.pkg.github.com/ironpeakservices/iron-alpine:${{ env.RELEASE_VERSION }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH,MEDIUM'
+      - 
+        name: Upload Trivy scan results to Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  goscan:
+    name: Go Scan
+    runs-on: ubuntu-latest
+    steps:
+    - 
+      uses: actions/checkout@v2
+    - 
+      run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+    - 
+      name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: go
+    - 
+      name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

README.md

@@ -4,7 +4,7 @@ Hardened alpine linux baseimage for Docker.
 Note: If you use Golang, build statically and use [iron-scratch](https://github.com/ironpeakservices/iron-scratch).
 If you are using Java/Python/NodeJS/dotnet, use a [distroless image](https://github.com/GoogleContainerTools/distroless) instead.
 
-`docker pull docker.pkg.github.com/ironpeakservices/iron-alpine/iron-alpine:3.10.3`
+`docker pull ghcr.io/ironpeakservices/iron-alpine:1.0.0`
 
 ## How is this different?
 - ca-certificates included
@@ -25,7 +25,7 @@ If you are using Java/Python/NodeJS/dotnet, use a [distroless image](https://git
 	- sets permissions on /app after installation
 
 ## Example
-`docker pull ironpeakservices/hardened-alpine`
+`docker pull ghcr.io/ironpeakservices/iron-alpine:1.0.0`
 
 See [the nginx example](example/).