v5.1.0 - Add re-usable workflow to check for vulnerabilities

New feature

When using Rekor to store the SBOM, you can use a workflow to get a vulnerability report created by Grype.

Example

name: Check vulnerabilities 

on:
  schedule:
    - cron: '14 15 * * 1'
  workflow_dispatch:

permissions: 
  id-token: write

jobs:
  check:
    name: Check Vulnerabities
    uses: philips-software/docker-ci-scripts/.github/workflows/check-vulnerabilities.yaml@main
    with:
      image: <your-container>

Example can be found here.

What's Changed

• Bump stefanzweifel/git-auto-commit-action from 4.15.3 to 4.15.4 by @dependabot in #159
• add reusable workflow for checking for vulnerabilities by @JeroenKnoops in #161
• Check vulnerabilities by @JeroenKnoops in #162
• Fix README.md: DOCKER_BUILD_ARG -> DOCKER_BUILD_ARGS by @daantimmer in #163
• Update readme on Docker.io by @JeroenKnoops in #166
• Optimize workflow by @JeroenKnoops in #167

New Contributors

• @daantimmer made their first contribution in #163

Full Changelog: v5.0.0...v5.1.0

v5.0.0 - Keyless signing

Features

Keyless signing with sigstore

Sigstore announced GA for Rekor and Fulcio. Now you can use this to do keyless signing of containers.

:warn: Beware that this stores all information in a public log, so you should not use this for private containers.

Breaking changes

The deprecation warnings from previous releases have now become breaking. Please update your workflows.

Old argument	New argument
DOCKER_USERNAME	REGISTRY_USERNAME
DOCKER_PASSWORD	REGISTRY_TOKEN
DOCKER_REGISTRY	REGISTRY_URL

What's Changed

• Keyless signing by @JeroenKnoops in #154
• Prepare for release by @JeroenKnoops in #157

Dependency updates

• Bump docker from 20.10.20-git to 20.10.21-git by @dependabot in #153
• Bump stefanzweifel/git-auto-commit-action from 4.15.2 to 4.15.3 by @dependabot in #152
• Fix sign with your own keys. by @JeroenKnoops in #156

Full Changelog: v4.5.3...v5.0.0

v4.5.3 - Fix issue with outputs

What's Changed

• fix: GITHUB_OUTPUT doesn't need {} by @rjaegers in #150

Dependencies

• Bump npalm/action-docs-action from 1.2.0 to 1.3.0 by @dependabot in #149
• Bump stefanzweifel/git-auto-commit-action from 4.15.1 to 4.15.2 by @dependabot in #148
• Bump docker from 20.10.19-git to 20.10.20-git by @dependabot in #147

New Contributors

• @rjaegers made their first contribution in #150

Thanks @rjaegers for fixing this bug!

Full Changelog: v4.5.2...v4.5.3

v4.5.2 - Remove 'set-output' deprecations

What's Changed

• Replace deprecated set-output by @JeroenKnoops in #145

Dependency updates

• Bump stefanzweifel/git-auto-commit-action from 4.14.1 to 4.15.1 by @dependabot in #143
• Bump docker from 20.10.18-git to 20.10.19-git by @dependabot in #142

Full Changelog: v4.5.1...v4.5.2

v4.5.1 - documentation fix

What's Changed

• Update README file by @vanGastelJS in #138
• Bump docker from 20.10.17-git to 20.10.18-git by @dependabot in #139

New Contributors

• @vanGastelJS made their first contribution in #138

Full Changelog: v4.5.0...v4.5.1

v4.5.0 - Rename container arguments

Rename container arguments

Big shout-out to Jeroen van Gastel for renaming the container arguments.

What's Changed

• Feature/34 remove docker variables by @vanGastelJS in #135
• Feature/34 remove docker variables by @JeroenKnoops in #136

Full Changelog: v4.4.0...v4.5.0

DEPRECATION

In this release both arguments are still supported, but in the next major release they will be removed.

Renamed variables:
DOCKER_USERNAME => REGISTRY_USERNAME
DOCKER_PASSWORD => REGISTRY_TOKEN
DOCKER_REGISTRY => REGISTRY_URL

This is also displayed in the job summary:

v4.4.0 - Add build arg support

What's Changed

• feat: add support for build arguments by @mpas in #133

New Contributors

• @mpas made their first contribution in #133

Full Changelog: v4.3.0...v4.4.0

v4.3.0 - Add Push on Tags support

What's Changed

• Add push on tags by @JeroenKnoops in #131
• Add example on major, minor, and patch releases. by @JeroenKnoops in #129

Dependency Updates

• Bump npalm/action-docs-action from 1.1.0 to 1.2.0 by @dependabot in #126
• Bump docker from 20.10.15-git to 20.10.17-git by @dependabot in #127
• update slsa-provenance version to 0.8.0 by @JeroenKnoops in #128

Full Changelog: v4.2.0...v4.3.0

v4.2.0 - Add Job Summary Report

Feature

Job Summary

Add Job Summary Report. Now you see a nice overview of the images pushed, with the correct information on how to:

• verify the signature
• retrieve the SLSA-provenance
• retrieve the SBOM

Example screenshot

What's Changed

• Add summary on end of the steps by @JeroenKnoops in #123

Security Updates

• Bump docker from 20.10.12-git to 20.10.13-git by @dependabot in #117
• Bump stefanzweifel/git-auto-commit-action from 4.13.1 to 4.14.0 by @dependabot in #118
• Bump docker from 20.10.13-git to 20.10.14-git by @dependabot in #119
• Bump stefanzweifel/git-auto-commit-action from 4.14.0 to 4.14.1 by @dependabot in #120
• Bump docker from 20.10.14-git to 20.10.15-git by @dependabot in #122

Full Changelog: v4.1.3...v4.2.0

v4.1.3 - Update version of slsa-provenance

What's Changed

• Update version of SLSA-provenance from v0.7.0 to v0.7.2 by @JeroenKnoops in #114
• Bump actions/checkout from 2 to 3 by @dependabot in #115

Full Changelog: v4.1.2...v4.1.3