From f5d94fee2b9102a146a61b4003a1db18470cd9e7 Mon Sep 17 00:00:00 2001
From: Brandon Mitchell
Date: Mon, 30 Sep 2024 09:56:54 -0400
Subject: [PATCH] Version bump
- Update config to use yaml anchors and aliases
- docker/build-push-action to v6.9.0
- github/codeql-action to v3.26.10
Signed-off-by: Brandon Mitchell
---
 .github/workflows/docker.yml | 2 +-
 .github/workflows/scorecard.yml | 2 +-
 .version-bump.lock | 50 +++---
 .version-bump.yml | 261 ++++++++------------------------
 4 files changed, 90 insertions(+), 225 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 285ccdb..ce46526 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -103,7 +103,7 @@ jobs:
 password: ${{ secrets.GHCR_TOKEN }}
 - name: Build
- uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
 id: build
 with:
 context: .
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 1eb72b0..9566224 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -47,6 +47,6 @@ jobs:
 # required for Code scanning alerts
 - name: "Upload SARIF results to code scanning"
- uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
+ uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
 with:
 sarif_file: results.sarif
diff --git a/.version-bump.lock b/.version-bump.lock
index 1991da7..6a38a75 100644
--- a/.version-bump.lock
+++ b/.version-bump.lock
@@ -13,31 +13,31 @@ {"name":"gha-golang-matrix","key":"golang-matrix","version":"[\"1.21\", \"1.22\", \"1.23\"]"} {"name":"gha-golang-release","key":"golang-latest","version":"1.23"} {"name":"gha-syft-version","key":"docker.io/anchore/syft","version":"v1.13.0"} -{"name":"gha-uses-commit","key":"actions/checkout:v4.2.0","version":"d632683dd7b4114ad314bca15554477dd762a938"} -{"name":"gha-uses-commit","key":"actions/setup-go:v5.0.2","version":"0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32"} -{"name":"gha-uses-commit","key":"actions/stale:v9.0.0","version":"28ca1036281a5e5922ead5184a1bbf96e5fc984e"} -{"name":"gha-uses-commit","key":"actions/upload-artifact:v4.4.0","version":"50769540e7f4bd5e21e526ee35c689e35e0d6874"} -{"name":"gha-uses-commit","key":"anchore/sbom-action:v0.17.2","version":"61119d458adab75f756bc0b9e4bde25725f86a7a"} -{"name":"gha-uses-commit","key":"docker/build-push-action:v6.8.0","version":"32945a339266b759abcbdc89316275140b0fc960"} -{"name":"gha-uses-commit","key":"docker/login-action:v3.3.0","version":"9780b0c442fbb1117ed29e0efdff1e18412f7567"} -{"name":"gha-uses-commit","key":"docker/setup-buildx-action:v3.6.1","version":"988b5a0280414f521da01fcc63a27aeeb4b104db"} -{"name":"gha-uses-commit","key":"github/codeql-action:v3.26.9","version":"461ef6c76dfe95d5c364de2f431ddbd31a417628"} -{"name":"gha-uses-commit","key":"ossf/scorecard-action:v2.4.0","version":"62b2cac7ed8198b15735ed49ab1e5cf35480ba46"} -{"name":"gha-uses-commit","key":"regclient/actions:main","version":"35bc5829dd3d37ace2717971f3151894b43bfabc"} -{"name":"gha-uses-commit","key":"sigstore/cosign-installer:v3.6.0","version":"4959ce089c160fddf62f7b42464195ba1a56d382"} -{"name":"gha-uses-commit","key":"softprops/action-gh-release:v2.0.8","version":"c062e08bd532815e2082a85e87e3ef29c3e6d191"} -{"name":"gha-uses-semver","key":"actions/checkout","version":"v4.2.0"} -{"name":"gha-uses-semver","key":"actions/setup-go","version":"v5.0.2"} 
-{"name":"gha-uses-semver","key":"actions/stale","version":"v9.0.0"} -{"name":"gha-uses-semver","key":"actions/upload-artifact","version":"v4.4.0"} -{"name":"gha-uses-semver","key":"anchore/sbom-action","version":"v0.17.2"} -{"name":"gha-uses-semver","key":"docker/build-push-action","version":"v6.8.0"} -{"name":"gha-uses-semver","key":"docker/login-action","version":"v3.3.0"} -{"name":"gha-uses-semver","key":"docker/setup-buildx-action","version":"v3.6.1"} -{"name":"gha-uses-semver","key":"github/codeql-action","version":"v3.26.9"} -{"name":"gha-uses-semver","key":"ossf/scorecard-action","version":"v2.4.0"} -{"name":"gha-uses-semver","key":"sigstore/cosign-installer","version":"v3.6.0"} -{"name":"gha-uses-semver","key":"softprops/action-gh-release","version":"v2.0.8"} +{"name":"gha-uses-commit","key":"https://github.com/actions/checkout.git:v4.2.0","version":"d632683dd7b4114ad314bca15554477dd762a938"} +{"name":"gha-uses-commit","key":"https://github.com/actions/setup-go.git:v5.0.2","version":"0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32"} +{"name":"gha-uses-commit","key":"https://github.com/actions/stale.git:v9.0.0","version":"28ca1036281a5e5922ead5184a1bbf96e5fc984e"} +{"name":"gha-uses-commit","key":"https://github.com/actions/upload-artifact.git:v4.4.0","version":"50769540e7f4bd5e21e526ee35c689e35e0d6874"} +{"name":"gha-uses-commit","key":"https://github.com/anchore/sbom-action.git:v0.17.2","version":"61119d458adab75f756bc0b9e4bde25725f86a7a"} +{"name":"gha-uses-commit","key":"https://github.com/docker/build-push-action.git:v6.9.0","version":"4f58ea79222b3b9dc2c8bbdd6debcef730109a75"} +{"name":"gha-uses-commit","key":"https://github.com/docker/login-action.git:v3.3.0","version":"9780b0c442fbb1117ed29e0efdff1e18412f7567"} +{"name":"gha-uses-commit","key":"https://github.com/docker/setup-buildx-action.git:v3.6.1","version":"988b5a0280414f521da01fcc63a27aeeb4b104db"} 
+{"name":"gha-uses-commit","key":"https://github.com/github/codeql-action.git:v3.26.10","version":"e2b3eafc8d227b0241d48be5f425d47c2d750a13"} +{"name":"gha-uses-commit","key":"https://github.com/ossf/scorecard-action.git:v2.4.0","version":"62b2cac7ed8198b15735ed49ab1e5cf35480ba46"} +{"name":"gha-uses-commit","key":"https://github.com/regclient/actions.git:main","version":"35bc5829dd3d37ace2717971f3151894b43bfabc"} +{"name":"gha-uses-commit","key":"https://github.com/sigstore/cosign-installer.git:v3.6.0","version":"4959ce089c160fddf62f7b42464195ba1a56d382"} +{"name":"gha-uses-commit","key":"https://github.com/softprops/action-gh-release.git:v2.0.8","version":"c062e08bd532815e2082a85e87e3ef29c3e6d191"} +{"name":"gha-uses-semver","key":"https://github.com/actions/checkout.git","version":"v4.2.0"} +{"name":"gha-uses-semver","key":"https://github.com/actions/setup-go.git","version":"v5.0.2"} +{"name":"gha-uses-semver","key":"https://github.com/actions/stale.git","version":"v9.0.0"} +{"name":"gha-uses-semver","key":"https://github.com/actions/upload-artifact.git","version":"v4.4.0"} +{"name":"gha-uses-semver","key":"https://github.com/anchore/sbom-action.git","version":"v0.17.2"} +{"name":"gha-uses-semver","key":"https://github.com/docker/build-push-action.git","version":"v6.9.0"} +{"name":"gha-uses-semver","key":"https://github.com/docker/login-action.git","version":"v3.3.0"} +{"name":"gha-uses-semver","key":"https://github.com/docker/setup-buildx-action.git","version":"v3.6.1"} +{"name":"gha-uses-semver","key":"https://github.com/github/codeql-action.git","version":"v3.26.10"} +{"name":"gha-uses-semver","key":"https://github.com/ossf/scorecard-action.git","version":"v2.4.0"} +{"name":"gha-uses-semver","key":"https://github.com/sigstore/cosign-installer.git","version":"v3.6.0"} +{"name":"gha-uses-semver","key":"https://github.com/softprops/action-gh-release.git","version":"v2.0.8"} {"name":"go-mod-golang-release","key":"golang-oldest","version":"1.21"} 
{"name":"makefile-ci-distribution","key":"docker.io/library/registry","version":"2.8.3"} {"name":"makefile-ci-zot","key":"ghcr.io/project-zot/zot-linux-amd64","version":"v2.1.1"} diff --git a/.version-bump.yml b/.version-bump.yml index f064353..e7421d5 100644 --- a/.version-bump.yml +++ b/.version-bump.yml 
@@ -46,401 +46,266 @@ files: processors: - osv-golang-release -processors: - docker-arg-alpine-tag: - key: "{{ .SourceArgs.repo }}" +x-processor-tmpl: + git-commit: &git-commit + key: "{{ .SourceArgs.url }}:{{ .SourceArgs.ref }}" scan: "regexp" - scanArgs: - regexp: '^ARG ALPINE_VER=(?Pv?\d+\.\d+\.\d+)@(?Psha256:[0-9a-f]+)\s*$' - source: "registry-tag" - sourceArgs: - repo: "docker.io/library/alpine" + source: "git-commit" + filter: + expr: "^{{ .SourceArgs.ref }}$" + git-tag-semver: &git-tag-semver + key: "{{ .SourceArgs.url }}" + scan: "regexp" + source: "git-tag" filter: expr: '^v?\d+\.\d+\.\d+$' sort: method: "semver" - docker-arg-alpine-digest: + registry-digest: ®istry-digest key: "{{ .SourceArgs.image }}" scan: "regexp" + source: "registry-digest" + registry-tag-semver: ®istry-tag-semver + key: "{{ .SourceArgs.repo }}" + scan: "regexp" + source: "registry-tag" + filter: + expr: '^v?\d+\.\d+\.\d+$' + sort: + method: "semver" + +processors: + docker-arg-alpine-tag: + <<: *registry-tag-semver + scanArgs: + regexp: '^ARG ALPINE_VER=(?Pv?\d+\.\d+\.\d+)@(?Psha256:[0-9a-f]+)\s*$' + sourceArgs: + repo: "docker.io/library/alpine" + docker-arg-alpine-digest: + <<: *registry-digest scanArgs: regexp: '^ARG ALPINE_VER=(?Pv?\d+\.\d+\.\d+)@(?Psha256:[0-9a-f]+)\s*$' - source: "registry-digest" sourceArgs: image: "docker.io/library/alpine:{{.ScanMatch.Tag}}" docker-arg-go-tag: - key: "{{ .SourceArgs.repo }}" - scan: "regexp" + <<: *registry-tag-semver scanArgs: regexp: '^ARG GO_VER=(?P[a-z0-9\-\.]+)-alpine@(?Psha256:[0-9a-f]+)\s*$' - source: "registry-tag" sourceArgs: repo: "docker.io/library/golang" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" docker-arg-go-digest: - key: "{{ .SourceArgs.image }}" - scan: "regexp" + <<: *registry-digest scanArgs: regexp: '^ARG GO_VER=(?P[a-z0-9\-\.]+)@(?Psha256:[0-9a-f]+)\s*$' - source: "registry-digest" sourceArgs: image: "docker.io/library/golang:{{.ScanMatch.Tag}}" docker-arg-ecr: - key: "{{ .SourceArgs.url }}:{{ 
.SourceArgs.ref }}" - scan: "regexp" + <<: *git-commit scanArgs: regexp: '^ARG ECR_HELPER_VER=(?P[0-9a-f]+)\s*$' - source: "git-commit" sourceArgs: url: "https://github.com/awslabs/amazon-ecr-credential-helper.git" ref: main - filter: - expr: "^{{ .SourceArgs.ref }}$" docker-arg-gcr: - key: "{{ .SourceArgs.url }}" - scan: "regexp" + <<: *git-tag-semver scanArgs: regexp: '^ARG GCR_HELPER_VER=(?Pv?\d+\.\d+\.\d+)\s*$' - source: "git-tag" sourceArgs: url: "https://github.com/GoogleCloudPlatform/docker-credential-gcr.git" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" docker-arg-lunajson: - key: "{{ .SourceArgs.url }}:{{ .SourceArgs.ref }}" - scan: "regexp" + <<: *git-commit scanArgs: regexp: '^ARG LUNAJSON_COMMIT=(?P[0-9a-f]+)\s*$' - source: "git-commit" sourceArgs: url: "https://github.com/grafi-tt/lunajson.git" ref: master - filter: - expr: "^{{ .SourceArgs.ref }}$" docker-arg-semver: - key: "{{ .SourceArgs.url }}:{{ .SourceArgs.ref }}" - scan: "regexp" + <<: *git-commit scanArgs: regexp: '^ARG SEMVER_COMMIT=(?P[0-9a-f]+)\s*$' - source: "git-commit" sourceArgs: url: "https://github.com/kikito/semver.lua.git" ref: master - filter: - expr: "^{{ .SourceArgs.ref }}$" gha-alpine-digest: - key: "{{ .SourceArgs.image }}" - scan: "regexp" + <<: *registry-digest scanArgs: regexp: '^\s*ALPINE_DIGEST: "(?Psha256:[0-9a-f]+)"\s*#\s*(?P\d+\.\d+\.\d+)\s*$' - source: "registry-digest" sourceArgs: image: "docker.io/library/alpine:{{ .ScanMatch.Tag }}" gha-alpine-tag-base: - key: "{{ .SourceArgs.repo }}" - scan: "regexp" + <<: *registry-tag-semver scanArgs: regexp: '^\s*ALPINE_NAME: "alpine:(?Pv?\d+)"\s*$' - source: "registry-tag" sourceArgs: repo: "docker.io/library/alpine" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" # only return the major version number in the tag to support detecting a change in the base image template: '{{ index ( split .Version "." 
) 0 }}' gha-alpine-tag-comment: - key: "{{ .SourceArgs.repo }}" - scan: "regexp" + <<: *registry-tag-semver scanArgs: regexp: '^\s*ALPINE_DIGEST: "(?Psha256:[0-9a-f]+)"\s*#\s*(?Pv?\d+\.\d+\.\d+)\s*$' - source: "registry-tag" sourceArgs: repo: "docker.io/library/alpine" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" gha-cosign-version: - key: "{{ .SourceArgs.url }}" - scan: "regexp" + <<: *git-tag-semver scanArgs: regexp: '^\s*cosign-release: "(?Pv?[0-9\.]+)"\s*$' - source: "git-tag" sourceArgs: url: "https://github.com/sigstore/cosign.git" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" gha-golang-matrix: + <<: *registry-tag-semver key: "golang-matrix" - scan: "regexp" scanArgs: regexp: '^\s*gover: (?P\[["0-9, \.]+\])\s*$' - source: "registry-tag" sourceArgs: repo: "docker.io/library/golang" filter: expr: '^v?\d+\.\d+$' - sort: - method: "semver" template: '["{{ index .VerMap ( index .VerList 2 ) }}", "{{ index .VerMap ( index .VerList 1 ) }}", "{{ index .VerMap ( index .VerList 0 ) }}"]' gha-golang-release: + <<: *registry-tag-semver key: "golang-latest" - scan: "regexp" scanArgs: regexp: '^\s*RELEASE_GO_VER: "(?Pv?[0-9\.]+)"\s*$' - source: "registry-tag" sourceArgs: repo: "docker.io/library/golang" filter: expr: '^v?\d+\.\d+$' - sort: - method: "semver" gha-syft-version: - key: "{{ .SourceArgs.repo }}" - scan: "regexp" + <<: *registry-tag-semver scanArgs: regexp: '^\s*syft-version: "(?Pv?[0-9\.]+)"\s*$' - source: "registry-tag" sourceArgs: repo: "docker.io/anchore/syft" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" gha-uses-vx: - key: "{{ .ScanMatch.Repo }}" - scan: "regexp" + <<: *git-tag-semver scanArgs: regexp: '^\s+-?\s+uses: (?P[^@/]+/[^@/]+)[^@]*@(?P[0-9a-f]+)\s+#\s+(?Pv?\d+)\s*$' - source: "git-tag" sourceArgs: url: "https://github.com/{{ .ScanMatch.Repo }}.git" filter: expr: '^v?\d+$' - sort: - method: "semver" gha-uses-semver: - key: "{{ .ScanMatch.Repo }}" - scan: "regexp" + <<: *git-tag-semver 
scanArgs: regexp: '^\s+-?\s+uses: (?P[^@/]+/[^@/]+)[^@]*@(?P[0-9a-f]+)\s+#\s+(?Pv?\d+\.\d+\.\d+)\s*$' - source: "git-tag" sourceArgs: url: "https://github.com/{{ .ScanMatch.Repo }}.git" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" gha-uses-commit: - key: "{{ .ScanMatch.Repo }}:{{ .ScanMatch.Ref }}" - scan: "regexp" + <<: *git-commit scanArgs: regexp: '^\s+-?\s+uses: (?P[^@/]+/[^@/]+)[^@]*@(?P[0-9a-f]+)\s+#\s+(?P[\w\d\.]+)\s*$' - source: "git-commit" sourceArgs: url: "https://github.com/{{ .ScanMatch.Repo }}.git" ref: "{{ .ScanMatch.Ref }}" - filter: - expr: "^{{ .ScanMatch.Ref }}$" go-mod-golang-release: + <<: *registry-tag-semver key: "golang-oldest" - scan: "regexp" scanArgs: regexp: '^go (?P[0-9\.]+)\s*$' - source: "registry-tag" sourceArgs: repo: "docker.io/library/golang" filter: expr: '^\d+\.\d+$' - sort: - method: "semver" template: '{{ index .VerMap ( index .VerList 2 ) }}' makefile-ci-distribution: - key: "{{ .SourceArgs.repo }}" - scan: "regexp" + <<: *registry-tag-semver scanArgs: regexp: '^CI_DISTRIBUTION_VER\?=(?Pv?[0-9\.]+)\s*$' - source: "registry-tag" sourceArgs: repo: "docker.io/library/registry" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" makefile-ci-zot: - key: "{{ .SourceArgs.repo }}" - scan: "regexp" + <<: *registry-tag-semver scanArgs: regexp: '^CI_ZOT_VER\?=(?Pv?[0-9\.]+)\s*$' - source: "registry-tag" sourceArgs: repo: "ghcr.io/project-zot/zot-linux-amd64" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" makefile-gomajor: - key: "{{ .SourceArgs.url }}" - scan: "regexp" + <<: *git-tag-semver scanArgs: regexp: '^GOMAJOR_VER\?=(?Pv?[0-9\.]+)\s*$' - source: "git-tag" sourceArgs: url: "https://github.com/icholy/gomajor.git" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" makefile-gosec: - key: "{{ .SourceArgs.url }}" - scan: "regexp" + <<: *git-tag-semver scanArgs: regexp: '^GOSEC_VER\?=(?Pv?[0-9\.]+)\s*$' - source: "git-tag" sourceArgs: url: 
"https://github.com/securego/gosec.git" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" makefile-go-vulncheck: - key: "{{ .SourceArgs.url }}" - scan: "regexp" + <<: *git-tag-semver scanArgs: regexp: '^GO_VULNCHECK_VER\?=(?Pv?[0-9\.]+)\s*$' - source: "git-tag" sourceArgs: url: "https://go.googlesource.com/vuln.git" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" makefile-markdown-lint: - key: "{{ .SourceArgs.repo }}" - scan: "regexp" + <<: *registry-tag-semver scanArgs: regexp: '^MARKDOWN_LINT_VER\?=(?Pv?[0-9\.]+)\s*$' - source: "registry-tag" sourceArgs: repo: "docker.io/davidanson/markdownlint-cli2" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" makefile-osv-scanner: - key: "{{ .SourceArgs.url }}" - scan: "regexp" + <<: *git-tag-semver scanArgs: regexp: '^OSV_SCANNER_VER\?=(?Pv?[0-9\.]+)\s*$' - source: "git-tag" sourceArgs: url: "https://github.com/google/osv-scanner.git" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" makefile-staticcheck: - key: "{{ .SourceArgs.url }}" - scan: "regexp" + <<: *git-tag-semver scanArgs: regexp: '^STATICCHECK_VER\?=(?Pv?[0-9\.]+)\s*$' - source: "git-tag" sourceArgs: url: "https://github.com/dominikh/go-tools.git" filter: - # ignore versions without a preceding "v" + # repo also has dated tags, ignore versions without a preceding "v" expr: '^v\d+\.\d+\.\d+$' - sort: - method: "semver" makefile-syft-container-tag: - key: "{{ .SourceArgs.repo }}" - scan: "regexp" + <<: *registry-tag-semver scanArgs: regexp: '^SYFT_CONTAINER\?=(?P[^:]*):(?Pv?[0-9\.]+)@(?Psha256:[0-9a-f]+)\s*$' - source: "registry-tag" sourceArgs: repo: "{{ .ScanMatch.Repo }}" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" makefile-syft-container-digest: - key: "{{ .SourceArgs.image }}" - scan: "regexp" + <<: *registry-digest scanArgs: regexp: '^SYFT_CONTAINER\?=(?P[^:]*):(?Pv?[0-9\.]+)@(?Psha256:[0-9a-f]+)\s*$' - source: "registry-digest" sourceArgs: image: "{{ .ScanMatch.Image 
}}:{{.ScanMatch.Tag}}" makefile-syft-version: - key: "{{ .SourceArgs.repo }}" - scan: "regexp" + <<: *registry-tag-semver scanArgs: regexp: '^SYFT_VERSION\?=(?Pv[0-9\.]+)\s*$' - source: "registry-tag" sourceArgs: repo: "docker.io/anchore/syft" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" osv-golang-release: - key: "{{ .SourceArgs.repo }}" - scan: "regexp" + <<: *registry-tag-semver scanArgs: regexp: '^GoVersionOverride = "(?Pv?[0-9\.]+)"\s*$' - source: "registry-tag" sourceArgs: repo: "docker.io/library/golang" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" shell-alpine-tag-base: - key: "{{ .SourceArgs.repo }}" - scan: "regexp" + <<: *registry-tag-semver scanArgs: regexp: '^\s*ALPINE_NAME="alpine:(?Pv?\d+)"\s*$' - source: "registry-tag" sourceArgs: repo: "docker.io/library/alpine" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" # only return the major version number in the tag to support detecting a change in the base image template: '{{ index ( split .Version "." ) 0 }}' shell-alpine-tag-comment: - key: "{{ .SourceArgs.repo }}" - scan: "regexp" + <<: *registry-tag-semver scanArgs: regexp: '^\s*ALPINE_DIGEST="(?Psha256:[0-9a-f]+)"\s*#\s*(?Pv?\d+\.\d+\.\d+)\s*$' - source: "registry-tag" sourceArgs: repo: "docker.io/library/alpine" - filter: - expr: '^v?\d+\.\d+\.\d+$' - sort: - method: "semver" shell-alpine-digest: - key: "{{ .SourceArgs.image }}" - scan: "regexp" + <<: *registry-digest scanArgs: regexp: '^\s*ALPINE_DIGEST="(?Psha256:[0-9a-f]+)"\s*#\s*(?P\d+\.\d+\.\d+)\s*$' - source: "registry-digest" sourceArgs: image: "docker.io/library/alpine:{{ .ScanMatch.Tag }}"
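Review bot: The shared `git-commit` anchor builds its filter as `expr: "^{{ .SourceArgs.ref }}$"`, which places the ref into a regular expression without escaping, and `gha-uses-commit` now inherits it with `ref` taken from the trailing version comment of a `uses:` line. That capture group allows `.`, so a ref such as `v3.26.10` also matches refs with any other character in the dot positions, and the commit resolved for the matched ref appears to be what gets pinned in the workflow. If version-bump's templates offer a regexp-quoting helper, apply it to the ref here; otherwise a comment on the anchor such as `# ref is used as a regexp unescaped: "." matches any character` would record the limitation. A comment above `x-processor-tmpl` noting that `<<` merges are shallow, so a processor that sets its own `filter:` or `sort:` replaces the inherited mapping entirely, would also help the next editor.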