woodruffw · trallard · Dec 17, 2024 · Dec 17, 2024 · Dec 18, 2024 · Feb 4, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -17,3 +17,12 @@ updates:
       github-actions:
         patterns:
           - "*"
+
+  - package-ecosystem: docker
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      docker:
+        patterns:
+          - "*"
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
@@ -176,3 +176,50 @@ jobs:
         with:
           command: upload
           args: --non-interactive --skip-existing wheels-*/*
+
+  docker-build:
+    name: Build and publish Docker image
+    runs-on: ubuntu-latest
+    env:
+      ZIZMOR_IMAGE: ghcr.io/woodruffw/zizmor
+    environment:
+      name: docker
+    if: ${{ startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' }}
+    # Only run if the release job was successfully completed
+    needs: [release]
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
+      - name: Extract Docker metadata
+        id: docker-metadata
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
+        with:
+          images: "${{ env.ZIZMOR_IMAGE }}"
+          tags: |
+            # use the release tag for the image tag too
+            type=ref, event=tag
+      - name: Login to GHRC
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v6
+        if: github.repository_owner == 'woodruffw'
+        with:
+          registry: ghcr.io
+          username: "${{ github.repository_owner }}"
+          password: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Build and push Docker image
+        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.docker-metadata.outputs.tags }}
+          build-args: |
+            ZIZMOR_VERSION=${{ github.ref_name }}
+          platforms: linux/amd64,linux/arm64
+          # Build provenance attestations
+          provenance: true
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,35 @@
+FROM python:3.12-slim-bookworm AS build
+
+LABEL org.opencontainers.image.source=https://github.com/woodruffw/zizmor
+
+# Zizmor version to install (set as an argument to pair with zizmor releases)
+ARG ZIZMOR_VERSION
+
+ENV PYTHONUNBUFFERED=1 \
+    PIP_NO_CACHE_DIR=1 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1
+
+# Add Rust to PATH
+ENV PATH="/root/.cargo/bin:${PATH}"
+ENV PATH="/root/.local/bin:${PATH}"
+
+RUN set -eux && \
+    apt-get update && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN pip install uv && \
+    uv tool install zizmor=="${ZIZMOR_VERSION}" && \
+    which zizmor
+
+# ------------------------------------------------------------------------------
+# Runtime image
+# ------------------------------------------------------------------------------
+
+FROM python:3.12-slim-bookworm
+
+# Copy necessary files from build stage
+COPY --from=build /root/.local/bin/zizmor /root/.local/bin/zizmor
+
+# Set the entrypoint to zizmor
+ENTRYPOINT ["/root/.local/bin/zizmor"]