Improving provenance of image

.github/workflows/build-containers.yml

@@ -12,13 +12,16 @@ jobs:
         include:
           - name: servicecontrol
             project: ServiceControl
-            description: ServiceControl error instance
+            title: ServiceControl
+            description: Gather status, performance and monitoring data for multiple endpoints from a single location.
           - name: servicecontrol-audit
             project: ServiceControl.Audit
-            description: ServiceControl audit instance
+            title: ServiceControl Audit Instance
+            description: Provide valuable information about the message flow through a system.
           - name: servicecontrol-monitoring
             project: ServiceControl.Monitoring
-            description: ServiceControl monitoring instance
+            title: ServiceControl Monitoring Instance
+            description: Track the health of a distributed system.
       fail-fast: false
     steps:
       - name: Check for secrets
@@ -40,24 +43,44 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3.9.0
       - name: Log in to GitHub container registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-      - name: Build & inspect image
-        env:
-          TAG_NAME: ${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.number) || env.MinVerVersion }}
-        run: |
-          docker buildx build --push --tag ghcr.io/particular/${{ matrix.name }}:${{ env.TAG_NAME }} \
-              --file src/${{ matrix.project }}/Dockerfile \
-              --build-arg VERSION=${{ env.MinVerVersion }} \
-              --annotation "index:org.opencontainers.image.title=${{ matrix.name }}" \
-              --annotation "index:org.opencontainers.image.description=${{ matrix.description }}" \
-              --annotation "index:org.opencontainers.image.created=$(date '+%FT%TZ')" \
-              --annotation "index:org.opencontainers.image.revision=${{ github.sha }}" \
-              --annotation "index:org.opencontainers.image.authors=Particular Software" \
-              --annotation "index:org.opencontainers.image.vendor=Particular Software" \
-              --annotation "index:org.opencontainers.image.version=${{ env.MinVerVersion }}" \
-              --annotation "index:org.opencontainers.image.source=https://github.com/${{ github.repository }}/tree/${{ github.sha }}" \
-              --annotation "index:org.opencontainers.image.url=https://hub.docker.com/r/particular/${{ matrix.name }}" \
-              --annotation "index:org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/" \
-              --annotation "index:org.opencontainers.image.base.name=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra" \
-              --platform linux/arm64,linux/amd64 .
-          docker buildx imagetools inspect ghcr.io/particular/${{ matrix.name }}:${{ env.TAG_NAME }}
+        uses: docker/login-action@v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Get current date
+        id: date
+        run: echo "date=$(date '+%FT%TZ')" >> $GITHUB_OUTPUT
+      - name: Build and push image to GitHub container registry
+        uses: docker/build-push-action@v6.14.0
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          sbom: true
+          labels: |
+            org.opencontainers.image.source=https://github.com/Particular/ServiceControl/tree/${{ github.sha }}
+            org.opencontainers.image.authors="Particular Software"
+            org.opencontainers.image.vendor="Particular Software"
+            org.opencontainers.image.url=https://hub.docker.com/r/particular/${{ matrix.name }}
+            org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/
+            org.opencontainers.image.version=${{ env.MinVerVersion }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.created=${{ steps.date.outputs.date }}
+            org.opencontainers.image.title=${{ matrix.title }}
+            org.opencontainers.image.description=${{ matrix.description }}
+            org.opencontainers.image.base.name=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
+          annotations: |
+            index:org.opencontainers.image.source=https://github.com/Particular/ServiceControl/tree/${{ github.sha }}
+            index:org.opencontainers.image.authors="Particular Software"
+            index:org.opencontainers.image.vendor="Particular Software"
+            index:org.opencontainers.image.url=https://hub.docker.com/r/particular/${{ matrix.name }}
+            index:org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/
+            index:org.opencontainers.image.version=${{ env.MinVerVersion }}
+            index:org.opencontainers.image.revision=${{ github.sha }}
+            index:org.opencontainers.image.created=${{ steps.date.outputs.date }}
+            index:org.opencontainers.image.title=${{ matrix.title }}
+            index:org.opencontainers.image.description=${{ matrix.description }}
+            index:org.opencontainers.image.base.name=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
+          file: src/${{ matrix.project }}/Dockerfile
+          tags: ghcr.io/particular/${{ matrix.name }}:${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.number) || env.MinVerVersion }}

.github/workflows/build-db-container.yml

@@ -24,8 +24,14 @@ jobs:
         uses: ./.github/actions/validate-version
         with:
           version: ${{ env.MinVerVersion }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.9.0
       - name: Log in to GitHub container registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+        uses: docker/login-action@v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Install Docker arm64 emulation
         run: docker run --privileged --rm tonistiigi/binfmt --install arm64
       - name: Build images

.github/workflows/container-integration-test.yml

@@ -56,7 +56,11 @@ jobs:
       - name: Run MinVer
         uses: Particular/run-minver-action@v1.0.0
       - name: Log in to GitHub container registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Log in to Docker Hub
         uses: docker/login-action@v3.3.0
         with:

.github/workflows/push-container-images.yml

@@ -22,28 +22,32 @@ jobs:
         with:
           version: ${{ inputs.version }}
       - name: Log in to GitHub container registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+        uses: docker/login-action@v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login to Docker Hub
         uses: docker/login-action@v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.9.0
       - name: Publish to Docker Hub
         run: |
           $containers = @('servicecontrol', 'servicecontrol-audit', 'servicecontrol-monitoring', 'servicecontrol-ravendb')
           $tags = "${{ steps.validate.outputs.container-tags }}" -Split ','
           $sourceTag = "${{ inputs.version }}"
 
-          foreach ($tag in $tags)
+          foreach($name in $containers)
           {
-            foreach($name in $containers)
-            {
-              Write-Output "::group::Pushing $($name):$($tag)"
-              $cmd = "docker buildx imagetools create --tag particular/$($name):$($tag) ghcr.io/particular/$($name):$($sourceTag)"
-              Write-Output "Command: $cmd"
-              Invoke-Expression $cmd
-              Write-Output "::endgroup::"
-            }
+            Write-Output "::group::Pushing $name with $tags tags"
+            $tagsCLI = $tags -replace "^", "--tag particular/${name}:"
+            $cmd = "docker buildx imagetools create $tagsCLI ghcr.io/particular/${name}:$sourceTag"
+            Write-Output "Command: $cmd"
+            Invoke-Expression $cmd
+            Write-Output "::endgroup::"
           }
       - name: Update Docker Hub Description - ServiceControl
         if: ${{ steps.validate.outputs.latest == 'true' }}

src/ServiceControl.Audit/Dockerfile

@@ -10,17 +10,8 @@ RUN dotnet publish src/HealthCheckApp/HealthCheckApp.csproj --arch $TARGETARCH -
 
 # Runtime image
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
-ARG VERSION
 WORKDIR /app
 
-LABEL org.opencontainers.image.source=https://github.com/Particular/ServiceControl \
-      org.opencontainers.image.authors="Particular Software" \
-      org.opencontainers.image.url=https://docs.particular.net/servicecontrol/ \
-      org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/ \
-      org.opencontainers.image.version=$VERSION \
-      org.opencontainers.image.title=ServiceControl.Audit \
-      org.opencontainers.image.description="ServiceControl audit instance"
-
 EXPOSE 44444
 
 COPY --from=build /deploy/Particular.ServiceControl.Audit /app

src/ServiceControl.Monitoring/Dockerfile

@@ -10,17 +10,8 @@ RUN dotnet publish src/HealthCheckApp/HealthCheckApp.csproj --arch $TARGETARCH -
 
 # Runtime image
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
-ARG VERSION
 WORKDIR /app
 
-LABEL org.opencontainers.image.source=https://github.com/Particular/ServiceControl \
-      org.opencontainers.image.authors="Particular Software" \
-      org.opencontainers.image.url=https://docs.particular.net/servicecontrol/ \
-      org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/ \
-      org.opencontainers.image.version=$VERSION \
-      org.opencontainers.image.title=ServiceControl.Monitoring \
-      org.opencontainers.image.description="ServiceControl monitoring instance"
-
 EXPOSE 33633
 
 COPY --from=build /deploy/Particular.ServiceControl.Monitoring /app

src/ServiceControl/Dockerfile

@@ -10,17 +10,8 @@ RUN dotnet publish src/HealthCheckApp/HealthCheckApp.csproj --arch $TARGETARCH -
 
 # Runtime image
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
-ARG VERSION
 WORKDIR /app
 
-LABEL org.opencontainers.image.source=https://github.com/Particular/ServiceControl \
-      org.opencontainers.image.authors="Particular Software" \
-      org.opencontainers.image.url=https://docs.particular.net/servicecontrol/ \
-      org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/ \
-      org.opencontainers.image.version=$VERSION \
-      org.opencontainers.image.title=ServiceControl \
-      org.opencontainers.image.description="ServiceControl primary instance"
-
 EXPOSE 33333
 
 COPY --from=build /deploy/Particular.ServiceControl /app