From 99f4cb592628cea68dd6b066cec1480006c7363d Mon Sep 17 00:00:00 2001
From: Daniel Flook
Date: Mon, 16 Jun 2025 17:02:23 +0100
Subject: [PATCH 1/2] Improve docker image tracking
- Adds the exact debian image digest we used in the layer history.
- Adds the base image manifest list digest as an annotation for both the base and release images.
- Tags the base image used for a release with the release version number.
---
 .github/workflows/base-image.yaml | 5 +++++
 .github/workflows/release.yaml | 35 +++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
diff --git a/.github/workflows/base-image.yaml b/.github/workflows/base-image.yaml
index 1c9ac3d8..5bfb1217 100644
--- a/.github/workflows/base-image.yaml
+++ b/.github/workflows/base-image.yaml
@@ -41,6 +41,10 @@ jobs:
 - name: Base image
 id: build-and-push
 run: |
+ BASE_DIGEST=$(docker buildx imagetools inspect "debian:bookworm-slim" --format '{{json .}}' | jq -r '.manifest.digest')
+
+ sed -i "s|FROM debian:bookworm-slim|FROM debian:bookworm-slim@$BASE_DIGEST|" "image/Dockerfile-base"
+
 docker buildx build \
 --tag "danielflook/terraform-github-actions-base:$GITHUB_RUN_ID" \
 --tag danielflook/terraform-github-actions-base:latest \
@@ -55,6 +59,7 @@ jobs:
 --annotation "index,manifest:builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
 --annotation "index,manifest:ref.tag=$GITHUB_RUN_ID" \
 --annotation "index,manifest:org.opencontainers.image.base.name=docker.io/debian:bookworm-slim" \
+ --annotation "index,manifest:base.manifest.digest=$BASE_DIGEST" \
 --file image/Dockerfile-base \
 --push \
 --iidfile manifest-list-digest.txt \
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f33758b2..8103b803 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
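Review bot: BASE_DIGEST is used in the sed rewrite of image/Dockerfile-base without ever being validated, so if `docker buildx imagetools inspect` fails or jq finds no `.manifest.digest`, the pipeline yields an empty string or the literal `null` (with the default `bash -e` step shell there is no pipefail, and jq exits 0 on empty input — assuming no `shell:` is set for this step, which the hunk does not show), and the FROM line becomes `debian:bookworm-slim@` while the annotation later in the same step records the same bad value. A one-line guard after the assignment makes the pin fail closed: `[[ "$BASE_DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "::error::failed to resolve debian:bookworm-slim digest"; exit 1; }`. The sed substitution also succeeds silently when the FROM line does not match, in which case the build proceeds unpinned while the annotation still claims a digest; `grep -q "bookworm-slim@$BASE_DIGEST" image/Dockerfile-base` after the sed, or passing the pin via `--build-context` instead of editing the tracked file, confirms the rewrite took effect. The run block continues past the hunk.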
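Review bot: The new `base.manifest.digest` annotation key is ad hoc, while the line just above it already uses the standard `org.opencontainers.image.base.name`; the OCI image-spec defines `org.opencontainers.image.base.digest` for exactly this value, and tooling that understands the OCI base-image annotations will only recognise the standard key. Suggest `--annotation "index,manifest:org.opencontainers.image.base.digest=$BASE_DIGEST" \`. The same custom key is added in the release.yaml hunk at `@@ -74,12 +75,14 @@`, and the two should change together so the base and release images stay consistent.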
@@ -22,6 +22,7 @@ jobs:
 url: https://hub.docker.com/r/danielflook/terraform-github-actions/tags?name=${{ github.event.release.tag_name }}
 outputs:
 digest: ${{ steps.image_build.outputs.digest }}
+ base-digest: ${{ steps.image_build.outputs.base-digest }}
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -74,12 +75,14 @@ jobs:
 --annotation "index,manifest:builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
 --annotation "index,manifest:ref.tag=$RELEASE_TAG" \
 --annotation "index,manifest:org.opencontainers.image.base.name=docker.io/danielflook/terraform-github-actions-base" \
+ --annotation "index,manifest:base.manifest.digest=$BASE_DIGEST" \
 --annotation "index:org.opencontainers.image.base.ref=$BASE_TAG" \
 --push \
 --iidfile manifest-list-digest.txt \
 image
 echo "digest=$(> "$GITHUB_OUTPUT"
+ echo "base-digest=$BASE_DIGEST" >> "$GITHUB_OUTPUT"
 - name: Dockerhub ref attestation
 uses: actions/attest-build-provenance@v2
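Review bot: `echo "base-digest=$BASE_DIGEST" >> "$GITHUB_OUTPUT"` publishes the value with no check that it was actually resolved; BASE_DIGEST is assigned somewhere before this hunk, and the new tag-base-image job passes the output straight into `docker buildx imagetools create`, so an empty value only surfaces as a confusing registry error in a different job. Failing here is cheaper to diagnose: `: "${BASE_DIGEST:?base image digest was not resolved}"` on the line before the echo. The run block starts before the hunk, so the assignment itself could not be reviewed.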
@@ -184,3 +187,35 @@ jobs:
 echo "Skipping dflook/$action"
 fi
 done
+
+ tag-base-image:
+ runs-on: ubuntu-24.04
+ name: Tag base image with release version
+ needs:
+ - image
+ - actions
+ permissions:
+ contents: read
+ packages: write
+ environment:
+ name: dockerhub
+ url: https://hub.docker.com/r/danielflook/terraform-github-actions-base/tags?name=${{ github.event.release.tag_name }}
+ steps:
+ - name: Registry login
+ env:
+ DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+ run: |
+ echo "$DOCKER_TOKEN" | docker login --username danielflook --password-stdin
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
+
+ - name: Tag and push base image with release version
+ env:
+ RELEASE_TAG: "${{ github.event.release.tag_name }}"
+ BASE_DIGEST: ${{ needs.image.outputs.base-digest }}
+ run: |
+ # Tag the base image manifest list with the release version
+ docker buildx imagetools create \
+ --tag "danielflook/terraform-github-actions-base:$RELEASE_TAG" \
+ "danielflook/terraform-github-actions-base@$BASE_DIGEST"
From fc1b086310af40b629a7b82f3d3911dc9899ab68 Mon Sep 17 00:00:00 2001
From: Daniel Flook
Date: Mon, 16 Jun 2025 17:12:34 +0100
Subject: [PATCH 2/2] Remove unused permissions
---
 .github/workflows/release.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8103b803..ab475eb7 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -194,9 +194,7 @@ jobs:
 needs:
 - image
 - actions
- permissions:
- contents: read
- packages: write
+ permissions: {}
 environment:
 name: dockerhub
 url: https://hub.docker.com/r/danielflook/terraform-github-actions-base/tags?name=${{ github.event.release.tag_name }}
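Review bot: The "Tag and push base image with release version" step retags whatever `needs.image.outputs.base-digest` contains without validating it, and the two env values are quoted inconsistently (`RELEASE_TAG` is quoted, `BASE_DIGEST` is bare). Suggest `BASE_DIGEST: "${{ needs.image.outputs.base-digest }}"` for consistency, and opening the run block with `[[ "$BASE_DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "::error::missing or malformed base digest"; exit 1; }` so the job fails before it touches the registry rather than on an unparseable `…-base@` reference. Passing both values through env instead of interpolating `${{ }}` into the script is the right pattern and worth keeping; a short comment on the login step noting that the token is only ever read from stdin would document why it is done that way.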