From d48b1a97e7a913504ff234c3b41b3f855ef9214e Mon Sep 17 00:00:00 2001
From: Victor Martinez
Date: Tue, 14 May 2024 21:30:24 +0200
Subject: [PATCH] ci: build and push Docker image based on Chainguard base image (#4005)
---
 .github/workflows/release.yml | 34 ++++++++++++++++++++++++++++++++++
 Dockerfile.wolfi | 3 +++
 2 files changed, 37 insertions(+)
 create mode 100644 Dockerfile.wolfi
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 773fd9c1779..ab94e545716 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -62,6 +62,7 @@ jobs:
 uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
 with:
 context: .
+ file: 'Dockerfile'
 push: true
 tags: ${{ steps.docker-meta.outputs.tags }}
 labels: ${{ steps.docker-meta.outputs.labels }}
@@ -75,6 +76,39 @@ jobs: subject-digest: ${{ steps.docker-push.outputs.digest }} push-to-registry: true + - name: Extract metadata (tags, labels) (wolfi) + id: docker-meta-wolfi + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: ${{ env.DOCKER_IMAGE_NAME }} + flavor: | + latest=auto + suffix=-wolfi + tags: | + # "1.2.3" and "latest" Docker tags on push of git tag "v1.2.3" + type=semver,pattern={{version}} + # "edge" Docker tag on git push to default branch + type=edge + + - name: Build and Push Docker Image (wolfi) + id: docker-push-wolfi + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 + with: + context: . + file: 'Dockerfile.wolfi' + push: true + tags: ${{ steps.docker-meta-wolfi.outputs.tags }} + labels: ${{ steps.docker-meta-wolfi.outputs.labels }} + build-args: | + AGENT_DIR=/build/dist/nodejs + + - name: Attest Docker image (wolfi) + uses: github-early-access/generate-build-provenance@main + with: + subject-name: "${{ env.DOCKER_IMAGE_NAME }}" + subject-digest: ${{ steps.docker-push-wolfi.outputs.digest }} + push-to-registry: true + - name: Read AWS vault secrets uses: hashicorp/vault-action@v3.0.0 with: diff --git a/Dockerfile.wolfi b/Dockerfile.wolfi new file mode 100644 index 00000000000..f03619042b9 --- /dev/null +++ b/Dockerfile.wolfi @@ -0,0 +1,3 @@ +FROM docker.elastic.co/wolfi/chainguard-base@sha256:9f940409f96296ef56140bcc4665c204dd499af4c32c96cc00e792558097c3f1 +ARG AGENT_DIR +COPY ${AGENT_DIR} /opt/nodejs \ No newline at end of file
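Review bot: The wolfi metadata step keeps `latest=auto` while adding `suffix=-wolfi`, and unless I misremember docker/metadata-action's defaults the suffix is not applied to the `latest` tag until `onlatest=true` is also set in `flavor`, so this second push would publish a bare `latest` that overwrites the one the standard image pushed a few steps earlier; add `onlatest=true` under `flavor:` (or set `latest=false` for this variant) and confirm against the rendered tag output. The new `Attest Docker image (wolfi)` step also references `github-early-access/generate-build-provenance@main`, a mutable branch ref, while the two docker actions added in the same hunk are pinned to a commit SHA with a version comment; the existing attest step above is outside the hunk and may do the same, but the new copy is the place to pin both, e.g. `uses: github-early-access/generate-build-provenance@<commit-sha> # <version>` (placeholder). The two tag comments copied into the wolfi step describe the unsuffixed tags and should read `# "1.2.3-wolfi" Docker tag on push of git tag "v1.2.3"` and `# "edge-wolfi" Docker tag on git push to default branch` once the `latest` handling above is settled. The enclosing `jobs:` mapping and the surrounding job start outside the hunk.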
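Review bot: Dockerfile.wolfi has no comment saying what the image is for or where `AGENT_DIR` comes from, and the digest-only `FROM` gives a reader no way to tell which base tag the pin was taken from or when it should be refreshed. Add a header such as `# Minimal image that ships the built Node.js agent under /opt/nodejs; AGENT_DIR is passed by release.yml via build-args.` and annotate the pin inline, `FROM docker.elastic.co/wolfi/chainguard-base@sha256:9f940409f96296ef56140bcc4665c204dd499af4c32c96cc00e792558097c3f1 # <base tag this digest resolves from> (placeholder)`, so the digest can be bumped deliberately rather than left opaque. The file also sets no `USER`, so the copied files are owned by and the image runs as whatever the base image defaults to; if this image is only used as a file-carrying layer that is fine, otherwise a non-root `USER` is worth adding. The `\ No newline at end of file` marker shows the last line lacks a trailing newline.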