feat: add semantic-release pipeline with build tools and best practices

claude · claude · commit 6db1c23843ca · 2026-02-15T10:11:07.000Z
- Add build tools to image (dive, trivy, buildah, yq, hadolint) so the image can build itself as a self-hosted runner - Configure buildah vfs storage driver for container/rootless usage - Create semantic-release config for automated versioning from conventional commits with changelog generation - Add release workflow: semantic-release -> buildah build -> dive filesystem scan -> trivy vulnerability scan -> skopeo push with semver tags (major, major.minor, full, latest) - Add CI workflow: commitlint, hadolint lint, and build test on PRs - Update scheduled update-tools workflow with new tools (dive, hadolint, yq) - Add best practice configs: .hadolint.yaml (trusted registries), .commitlintrc.yaml (conventional commits), .containerignore (minimal build context) https://claude.ai/code/session_01RofXXAMZxK4irobNYjYn3W
diff --git a/.commitlintrc.yaml b/.commitlintrc.yaml
@@ -0,0 +1,2 @@
+extends:
+  - "@commitlint/config-conventional"
diff --git a/.containerignore b/.containerignore
@@ -0,0 +1,12 @@
+.git
+.github
+build
+.env
+*.md
+LICENSE
+.dive-ci
+.hadolint.yaml
+.releaserc.yaml
+.commitlintrc.yaml
+.containerignore
+scripts/
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,40 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [master]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  commitlint:
+    name: Lint commit messages
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: wagoid/commitlint-github-action@v6
+
+  hadolint:
+    name: Lint Containerfile
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Containerfile
+
+  build:
+    name: Test build
+    runs-on: ubuntu-latest
+    needs: [hadolint]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build image
+        run: docker build -f Containerfile -t test-build .
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,145 @@
+name: Release
+
+on:
+  push:
+    branches: [master]
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    name: Semantic release
+    runs-on: ubuntu-latest
+    outputs:
+      new_release_published: ${{ steps.semantic.outputs.new_release_published }}
+      new_release_version: ${{ steps.semantic.outputs.new_release_version }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - uses: cycjimmy/semantic-release-action@v4
+        id: semantic
+        with:
+          extra_plugins: |
+            @semantic-release/changelog
+            @semantic-release/git
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  build-and-push:
+    name: Build, scan & push
+    needs: release
+    if: needs.release.outputs.new_release_published == 'true'
+    runs-on: ubuntu-latest
+    env:
+      IMAGE_VERSION: ${{ needs.release.outputs.new_release_version }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install build tools
+        run: ./scripts/install_tools.sh
+
+      - name: Read manifest
+        id: manifest
+        run: |
+          echo "image_name=$(yq e '.name' manifest.yaml)" >> "$GITHUB_OUTPUT"
+          echo "registry=$(yq e '.registry' manifest.yaml)" >> "$GITHUB_OUTPUT"
+          echo "format=$(yq e '.build.format' manifest.yaml)" >> "$GITHUB_OUTPUT"
+
+      - name: Validate Containerfile
+        run: |
+          docker pull -q ghcr.io/hadolint/hadolint:latest
+          docker run --rm -i hadolint/hadolint:latest < Containerfile
+
+      - name: Build image
+        env:
+          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
+          IMAGE_FORMAT: ${{ steps.manifest.outputs.format }}
+        run: |
+          # Build args from manifest
+          BUILD_ARGS=""
+          for arg in $(yq e '.build.args[]' manifest.yaml); do
+            BUILD_ARGS="${BUILD_ARGS} --build-arg ${arg}"
+          done
+
+          # Labels from manifest
+          LABELS=""
+          while IFS= read -r label; do
+            if [[ -n "${label}" ]]; then
+              label_key="${label%%=*}"
+              label_value="${label#*=}"
+              label_value="${label_value%\"}"
+              label_value="${label_value#\"}"
+              LABELS="${LABELS} --label ${label_key}=${label_value}"
+            fi
+          done < <(yq e '.build.labels[]' manifest.yaml)
+
+          # Add version label
+          LABELS="${LABELS} --label org.opencontainers.image.version=${IMAGE_VERSION}"
+
+          # shellcheck disable=SC2086
+          buildah build \
+            --squash \
+            --pull-always \
+            --format "${IMAGE_FORMAT}" \
+            ${BUILD_ARGS} \
+            ${LABELS} \
+            --tag "${IMAGE_NAME}:${IMAGE_VERSION}" \
+            .
+
+          # Save to OCI archive for scanning and pushing
+          mkdir -p build
+          buildah push "${IMAGE_NAME}:${IMAGE_VERSION}" "oci-archive:build/${IMAGE_NAME}.tar"
+
+          # Load into Docker daemon for dive scan
+          docker load -i "build/${IMAGE_NAME}.tar" 2>/dev/null || true
+          docker tag "$(docker images -q | head -1)" "${IMAGE_NAME}:${IMAGE_VERSION}" 2>/dev/null || true
+
+      - name: Dive filesystem scan
+        env:
+          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
+        run: dive --ci --source=docker "${IMAGE_NAME}:${IMAGE_VERSION}"
+
+      - name: Trivy vulnerability scan
+        env:
+          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
+        run: |
+          trivy image \
+            --input "build/${IMAGE_NAME}.tar" \
+            --severity HIGH,CRITICAL \
+            --exit-code 1 \
+            "${IMAGE_NAME}:${IMAGE_VERSION}"
+
+      - name: Login to GHCR
+        env:
+          REGISTRY: ${{ steps.manifest.outputs.registry }}
+        run: skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Push to registry
+        env:
+          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
+          REGISTRY: ${{ steps.manifest.outputs.registry }}
+        run: |
+          MAJOR_MINOR="${IMAGE_VERSION%.*}"
+          MAJOR="${IMAGE_VERSION%%.*}"
+
+          # Push semantic version tag (1.2.3)
+          skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:${IMAGE_VERSION}"
+
+          # Push major.minor tag (1.2)
+          skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:${MAJOR_MINOR}"
+
+          # Push major tag (1)
+          skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:${MAJOR}"
+
+          # Push latest tag
+          skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:latest"
+
+      - name: Verify pushed image
+        env:
+          REGISTRY: ${{ steps.manifest.outputs.registry }}
+        run: |
+          skopeo inspect "docker://${REGISTRY}:${IMAGE_VERSION}" --format '{{.Labels}}'
diff --git a/.github/workflows/update-tools.yaml b/.github/workflows/update-tools.yaml
@@ -29,18 +29,30 @@ jobs:
           ARGO_LATEST=$(get_latest_version "argoproj/argo-workflows")
           KARGO_LATEST=$(get_latest_version "akuity/kargo")
           PACK_LATEST=$(get_latest_version "buildpacks/pack")
+          DIVE_LATEST=$(get_latest_version "wagoodman/dive")
+          HADOLINT_LATEST=$(get_latest_version "hadolint/hadolint")
+          YQ_LATEST=$(get_latest_version "mikefarah/yq")
 
           echo "argo=${ARGO_LATEST}" >> "$GITHUB_OUTPUT"
           echo "kargo=${KARGO_LATEST}" >> "$GITHUB_OUTPUT"
           echo "pack=${PACK_LATEST}" >> "$GITHUB_OUTPUT"
+          echo "dive=${DIVE_LATEST}" >> "$GITHUB_OUTPUT"
+          echo "hadolint=${HADOLINT_LATEST}" >> "$GITHUB_OUTPUT"
+          echo "yq=${YQ_LATEST}" >> "$GITHUB_OUTPUT"
 
           ARGO_CURRENT=$(grep -oP 'ARGO_VERSION=\K[0-9.]+' Containerfile)
           KARGO_CURRENT=$(grep -oP 'KARGO_VERSION=\K[0-9.]+' Containerfile)
           PACK_CURRENT=$(grep -oP 'PACK_VERSION=\K[0-9.]+' Containerfile)
+          DIVE_CURRENT=$(grep -oP 'DIVE_VERSION=\K[0-9.]+' Containerfile)
+          HADOLINT_CURRENT=$(grep -oP 'HADOLINT_VERSION=\K[0-9.]+' Containerfile)
+          YQ_CURRENT=$(grep -oP 'YQ_VERSION=\K[0-9.]+' Containerfile)
 
           echo "argo_current=${ARGO_CURRENT}" >> "$GITHUB_OUTPUT"
           echo "kargo_current=${KARGO_CURRENT}" >> "$GITHUB_OUTPUT"
           echo "pack_current=${PACK_CURRENT}" >> "$GITHUB_OUTPUT"
+          echo "dive_current=${DIVE_CURRENT}" >> "$GITHUB_OUTPUT"
+          echo "hadolint_current=${HADOLINT_CURRENT}" >> "$GITHUB_OUTPUT"
+          echo "yq_current=${YQ_CURRENT}" >> "$GITHUB_OUTPUT"
 
           UPDATES=""
           if [ "${ARGO_CURRENT}" != "${ARGO_LATEST}" ]; then
@@ -52,6 +64,15 @@ jobs:
           if [ "${PACK_CURRENT}" != "${PACK_LATEST}" ]; then
             UPDATES="${UPDATES}- pack (Buildpacks): ${PACK_CURRENT} -> ${PACK_LATEST}\n"
           fi
+          if [ "${DIVE_CURRENT}" != "${DIVE_LATEST}" ]; then
+            UPDATES="${UPDATES}- dive: ${DIVE_CURRENT} -> ${DIVE_LATEST}\n"
+          fi
+          if [ "${HADOLINT_CURRENT}" != "${HADOLINT_LATEST}" ]; then
+            UPDATES="${UPDATES}- hadolint: ${HADOLINT_CURRENT} -> ${HADOLINT_LATEST}\n"
+          fi
+          if [ "${YQ_CURRENT}" != "${YQ_LATEST}" ]; then
+            UPDATES="${UPDATES}- yq: ${YQ_CURRENT} -> ${YQ_LATEST}\n"
+          fi
 
           if [ -z "${UPDATES}" ]; then
             echo "has_updates=false" >> "$GITHUB_OUTPUT"
@@ -73,19 +94,29 @@ jobs:
           ARGO_LATEST: ${{ steps.versions.outputs.argo }}
           KARGO_LATEST: ${{ steps.versions.outputs.kargo }}
           PACK_LATEST: ${{ steps.versions.outputs.pack }}
+          DIVE_LATEST: ${{ steps.versions.outputs.dive }}
+          HADOLINT_LATEST: ${{ steps.versions.outputs.hadolint }}
+          YQ_LATEST: ${{ steps.versions.outputs.yq }}
           ARGO_CURRENT: ${{ steps.versions.outputs.argo_current }}
           KARGO_CURRENT: ${{ steps.versions.outputs.kargo_current }}
           PACK_CURRENT: ${{ steps.versions.outputs.pack_current }}
+          DIVE_CURRENT: ${{ steps.versions.outputs.dive_current }}
+          HADOLINT_CURRENT: ${{ steps.versions.outputs.hadolint_current }}
+          YQ_CURRENT: ${{ steps.versions.outputs.yq_current }}
         run: |
-          if [ "${ARGO_CURRENT}" != "${ARGO_LATEST}" ]; then
-            sed -i "s/ARGO_VERSION=${ARGO_CURRENT}/ARGO_VERSION=${ARGO_LATEST}/g" Containerfile manifest.yaml
-          fi
-          if [ "${KARGO_CURRENT}" != "${KARGO_LATEST}" ]; then
-            sed -i "s/KARGO_VERSION=${KARGO_CURRENT}/KARGO_VERSION=${KARGO_LATEST}/g" Containerfile manifest.yaml
-          fi
-          if [ "${PACK_CURRENT}" != "${PACK_LATEST}" ]; then
-            sed -i "s/PACK_VERSION=${PACK_CURRENT}/PACK_VERSION=${PACK_LATEST}/g" Containerfile manifest.yaml
-          fi
+          update_version() {
+            local name="$1" current="$2" latest="$3"
+            if [ "${current}" != "${latest}" ]; then
+              sed -i "s/${name}=${current}/${name}=${latest}/g" Containerfile manifest.yaml
+            fi
+          }
+
+          update_version "ARGO_VERSION" "${ARGO_CURRENT}" "${ARGO_LATEST}"
+          update_version "KARGO_VERSION" "${KARGO_CURRENT}" "${KARGO_LATEST}"
+          update_version "PACK_VERSION" "${PACK_CURRENT}" "${PACK_LATEST}"
+          update_version "DIVE_VERSION" "${DIVE_CURRENT}" "${DIVE_LATEST}"
+          update_version "HADOLINT_VERSION" "${HADOLINT_CURRENT}" "${HADOLINT_LATEST}"
+          update_version "YQ_VERSION" "${YQ_CURRENT}" "${YQ_LATEST}"
 
       - name: Create pull request
         if: steps.versions.outputs.has_updates == 'true'
diff --git a/.hadolint.yaml b/.hadolint.yaml
@@ -0,0 +1,3 @@
+trustedRegistries:
+  - docker.io
+  - ghcr.io
diff --git a/.releaserc.yaml b/.releaserc.yaml
@@ -0,0 +1,14 @@
+branches:
+  - master
+
+plugins:
+  - "@semantic-release/commit-analyzer"
+  - "@semantic-release/release-notes-generator"
+  - - "@semantic-release/changelog"
+    - changelogFile: CHANGELOG.md
+  - - "@semantic-release/github"
+    - assets: []
+  - - "@semantic-release/git"
+    - assets:
+        - CHANGELOG.md
+      message: "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
diff --git a/Containerfile b/Containerfile
@@ -32,6 +32,51 @@ RUN apt-get update \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
+# Install buildah
+# hadolint ignore=DL3008
+RUN apt-get update \
+    && apt-get install --no-install-recommends -y buildah \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Configure buildah storage for container/rootless usage
+RUN mkdir -p /etc/containers \
+    && printf '[storage]\ndriver = "vfs"\n' > /etc/containers/storage.conf
+
+# Install trivy (vulnerability scanner)
+# hadolint ignore=DL3008,DL4006
+RUN curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key \
+      | gpg --dearmor -o /usr/share/keyrings/trivy.gpg \
+    && echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" \
+      | tee /etc/apt/sources.list.d/trivy.list \
+    && apt-get update \
+    && apt-get install --no-install-recommends -y trivy \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install dive (container filesystem analysis)
+ARG DIVE_VERSION=0.12.0
+# hadolint ignore=DL3008
+RUN curl -sSL -o /tmp/dive.deb \
+      "https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/dive_${DIVE_VERSION}_linux_amd64.deb" \
+    && apt-get update \
+    && apt-get install --no-install-recommends -y /tmp/dive.deb \
+    && rm /tmp/dive.deb \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install hadolint (Dockerfile/Containerfile linter)
+ARG HADOLINT_VERSION=2.12.0
+RUN curl -sSL -o /usr/local/bin/hadolint \
+      "https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-x86_64" \
+    && chmod +x /usr/local/bin/hadolint
+
+# Install yq (YAML processor)
+ARG YQ_VERSION=4.45.4
+RUN curl -sSL -o /usr/local/bin/yq \
+      "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64" \
+    && chmod +x /usr/local/bin/yq
+
 # Install Argo Workflows CLI
 ARG ARGO_VERSION=3.6.4
 RUN curl -sSL -o /tmp/argo-linux-amd64.gz \
@@ -85,6 +130,3 @@ RUN curl -LsSf https://astral.sh/uv/install.sh | sh
 
 # Add Poetry and UV to PATH
 RUN echo "export PATH=\"${APP_HOME}/.local/bin:\$PATH\"" >> ~/.bashrc
-
-# Placeholder command to keep the container running
-# CMD ["/bin/bash", "-c", "while true; do sleep 1; done"]
diff --git a/manifest.yaml b/manifest.yaml
@@ -1,5 +1,5 @@
 name: python-github-runner
-tags: 
+tags:
   - latest
 registry: ghcr.io/deerhide/python-github-runner
 build:
@@ -9,6 +9,9 @@ build:
     - ARGO_VERSION=3.6.4
     - KARGO_VERSION=1.9.2
     - PACK_VERSION=0.36.4
+    - DIVE_VERSION=0.12.0
+    - HADOLINT_VERSION=2.12.0
+    - YQ_VERSION=4.45.4
   labels:
     - org.opencontainers.image.source=https://github.com/deerhide/python-github-runner
     - org.opencontainers.image.description="Python GitHub Runner"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+extends:`
	`2`	`+ - "@commitlint/config-conventional"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+trustedRegistries:`
	`2`	`+ - docker.io`
	`3`	`+ - ghcr.io`