diff --git a/.github/workflows/bash.yaml b/.github/workflows/bash.yaml index 2a2c6e4..d26519f 100644 --- a/.github/workflows/bash.yaml +++ b/.github/workflows/bash.yaml @@ -29,11 +29,13 @@ jobs: publish: strategy: matrix: - version: [latest] + version: [latest, "5.3", "5.2"] variant: [prod, dev] name: ${{ matrix.version }}${{ matrix.variant == 'dev' && '-dev' || '' }} uses: './.github/workflows/release.yaml' with: tag: ${{ matrix.version }}${{ matrix.variant == 'dev' && '-dev' || '' }} target: ${{ matrix.variant }} + packages: >- + ${{ matrix.version != 'latest' && format('bash~{0}', matrix.version) || '' }} secrets: inherit diff --git a/images/bash/README.md b/images/bash/README.md index 8af8564..c4f69fb 100644 --- a/images/bash/README.md +++ b/images/bash/README.md @@ -6,8 +6,12 @@ Container image with only Bash and libc. Suitable for running any small scripts | 📌 Version | ⬇️ Pull URL | | ------------ | --------------------------------------------- | -| latest | ghcr.io/gitguardian/wolfi/bash:latest | -| latest-dev | ghcr.io/gitguardian/wolfi/bash:latest-dev | +| latest | ghcr.io/gitguardian/wolfi/bash:latest | +| latest-dev | ghcr.io/gitguardian/wolfi/bash:latest-dev | +| 5.3 | ghcr.io/gitguardian/wolfi/bash:5.3 | +| 5.3-dev | ghcr.io/gitguardian/wolfi/bash:5.3-dev | +| 5.2 | ghcr.io/gitguardian/wolfi/bash:5.2 | +| 5.2-dev | ghcr.io/gitguardian/wolfi/bash:5.2-dev | ## ✅ Verify the Provenance @@ -21,12 +25,12 @@ gh attestation verify \ oci://ghcr.io/gitguardian/wolfi/bash:latest ``` -- **Shell image** +- **Dev image** ```shell gh attestation verify \ --owner gitguardian \ - oci://ghcr.io/gitguardian/wolfi/bash:latest-shell + oci://ghcr.io/gitguardian/wolfi/bash:latest-dev ``` ## 📦 **Image Verification** @@ -46,13 +50,13 @@ cosign verify \ ghcr.io/gitguardian/wolfi/bash:latest | jq ``` -- **Shell image** +- **Dev image** ```shell cosign verify \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \ - ghcr.io/gitguardian/wolfi/bash:latest-shell | jq + ghcr.io/gitguardian/wolfi/bash:latest-dev | jq ``` ### 📦 **Image SBOMs** @@ -72,14 +76,14 @@ cosign verify-attestation \ ghcr.io/gitguardian/wolfi/bash:latest ``` -- **Shell image** +- **Dev image** ```shell cosign verify-attestation \ --type=https://spdx.dev/Document \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \ - ghcr.io/gitguardian/wolfi/bash:latest-shell + ghcr.io/gitguardian/wolfi/bash:latest-dev ``` This will pull in the signature for the attestation specified by the --type parameter, which in this case is the SPDX attestation. You will receive output that verifies the SBOM attestation signature in cosign's transparency log: @@ -113,11 +117,11 @@ cosign download attestation \ ghcr.io/gitguardian/wolfi/bash:latest | jq -r .payload | base64 -d | jq .predicate ``` -- **Shell image** +- **Dev image** ```shell cosign download attestation \ --platform=linux/amd64 \ --predicate-type=https://spdx.dev/Document \ - ghcr.io/gitguardian/wolfi/bash:latest-shell | jq -r .payload | base64 -d | jq .predicate + ghcr.io/gitguardian/wolfi/bash:latest-dev | jq -r .payload | base64 -d | jq .predicate ```