Merge pull request #327 from theseion/update-qemu

chore: update QEMU to v9.2.0

.github/workflows/publish.yml

@@ -41,7 +41,7 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
         with:
-          image: tonistiigi/binfmt:qemu-v8.1.5
+          image: tonistiigi/binfmt:qemu-v9.2.0
 
       # https://github.com/docker/setup-buildx-action
       - name: Set up Docker Buildx
@@ -62,7 +62,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: 'Build and push to Docker Hub: ${{ matrix.target }}'
+      - name: 'Build and push ${{ matrix.target }}'
         id: build-and-push
         uses: docker/bake-action@v4.1.0
         with:

.github/workflows/verifyimage.yml

@@ -5,7 +5,6 @@ on:
     branches:
       - main
 env:
-  REPO: "owasp/modsecurity-crs"
   # sha256sum format: <hash><space><format (space for text)><file name>
   MODSECURITY_RECOMMENDED: "ccff8ba1f12428b34ff41960d8bf773dd9f62b9a7c77755247a027cb01896d4f  modsecurity.conf-recommended"
 
@@ -42,37 +41,58 @@ jobs:
       # https://github.com/docker/setup-qemu-action
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
+        with:
+          image: tonistiigi/binfmt:qemu-v9.2.0
 
       # https://github.com/docker/setup-buildx-action
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           driver-opts: image=moby/buildkit:master
 
-      - name: Build images
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build ${{ matrix.target }}-verification
         uses: docker/bake-action@v4.1.0
         with:
           files: |
             ./docker-bake.hcl
           targets: ${{ matrix.target }}
+          # Build only linux/amd64 and tag the images as verification builds.
+          # Create a tar archive and load the image into Docker.
           set: |
             *.platform=linux/amd64
-          load: true
+            ${{ matrix.target }}.tags=${{ matrix.target }}-verification
+            *.output=type=docker,dest=${{ matrix.target }}-verification.tar
+            *.output=type=docker
           push: false
 
+      - name: Upload image artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.target }}-verification.tar
+          path: ${{ matrix.target }}-verification.tar
+          retention-days: 7
+          overwrite: true
+
       - name: Run ${{ matrix.target }}
         run: |
           . .github/workflows/configure-rules-for-test.sh \
             src/opt/modsecurity/configure-rules.conf \
             README.md \
             "${{ matrix.target }}.env"
-          echo "Starting container ${{ matrix.target }}"
+          echo "Starting container ${{ matrix.target }}-verification"
           docker run \
             --pull "never" \
             -d \
             --name ${{ matrix.target }}-test \
             --env-file "${{ matrix.target }}.env" \
-            "${REPO}:${{ matrix.target }}"
+            "${{ matrix.target }}-verification"
           sleep 30
           docker logs ${{ matrix.target }}-test
 

docker-bake.hcl

@@ -53,17 +53,14 @@ variable "lua-modules-debian" {
 
 variable "REPOS" {
     # List of repositories to tag
-    default = [
-        "owasp/modsecurity-crs",
-        "ghcr.io/coreruleset/modsecurity-crs",
-    ]
+    default = "owasp/modsecurity-crs, ghcr.io/coreruleset/modsecurity-crs"
 }
 
 variable "nginx-dynamic-modules" {
     # List of dynamic modules to include in the nginx build
     default = [
-        "owasp-modsecurity/ModSecurity-nginx",
-        "openresty/headers-more-nginx-module"
+        {owner: "owasp-modsecurity", name: "ModSecurity-nginx", version: "v1.0.3"},
+        {owner: "openresty", name: "headers-more-nginx-module", version: "master"}
     ]
 }
 
@@ -84,7 +81,7 @@ function "patch" {
 
 function "tag" {
     params = [tag]
-    result = [for repo in REPOS : "${repo}:${tag}"]
+    result = [for repo in split(",", REPOS) : "${trimspace(repo)}:${tag}"]
 }
 
 function "vtag" {
@@ -153,8 +150,7 @@ target "nginx" {
     args = {
         LUA_MODULES = join(" ", lua-modules-debian)
         NGINX_VERSION = "${nginx-version}"
-        NGINX_DYNAMIC_MODULES = join(" ", nginx-dynamic-modules)
-        MODSECURITY_NGINX_VERSION = "${modsecurity-nginx-version}"
+        NGINX_DYNAMIC_MODULES = join(" ", [for mod in nginx-dynamic-modules : join(" ", [mod.owner, mod.name, mod.version])])
     }
     tags = concat(tag("nginx"),
         vtag("${crs-version}", "nginx")
@@ -166,9 +162,8 @@ target "nginx-alpine" {
     dockerfile="nginx/Dockerfile-alpine"
     args = {
         LUA_MODULES = join(" ", lua-modules-alpine)
-        NGINX_DYNAMIC_MODULES = join(" ", nginx-dynamic-modules)
         NGINX_VERSION = "${nginx-version}"
-        MODSECURITY_NGINX_VERSION = "${modsecurity-nginx-version}"
+        NGINX_DYNAMIC_MODULES = join(" ", [for mod in nginx-dynamic-modules : join(" ", [mod.owner, mod.name, mod.version])])
     }
     tags = concat(tag("nginx-alpine"),
         vtag("${crs-version}", "nginx-alpine")

nginx/Dockerfile

@@ -6,7 +6,6 @@ ARG MODSEC3_VERSION="n/a"
 ARG LMDB_VERSION="n/a"
 ARG LUA_VERSION="n/a"
 ARG NGINX_DYNAMIC_MODULES="n/a"
-ARG MODSECURITY_NGINX_VERSION="n/a"
 
 USER root
 
@@ -60,15 +59,15 @@ RUN set -eux; \
 # Build modules
 RUN set -eux; \
     modules=""; \
-    for module in ${NGINX_DYNAMIC_MODULES}; \
+    set -- ${NGINX_DYNAMIC_MODULES}; \
+    while [ ${#} -gt 0 ]; \
     do \
-        repo=$(echo "${module}" | awk -F'/' '{print $2}'); \
-        if [ "${module}" == "owasp-modsecurity/ModSecurity-nginx" ]; then \
-          git clone -b v${MODSECURITY_NGINX_VERSION} --depth 1 "https://github.com/${module}.git"; \
-        else \
-          git clone -b master --depth 1 "https://github.com/${module}.git"; \
-        fi; \
-        modules="${modules} --add-dynamic-module=../${repo}"; \
+        owner="${1}"; \
+        name="${2}"; \
+        version="${3}"; \
+        shift 3; \
+        git clone -b "${version}" --depth 1 "https://github.com/${owner}/${name}.git"; \
+        modules="${modules} --add-dynamic-module=../${name}"; \
     done; \
     curl -sSL "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -o nginx-${NGINX_VERSION}.tar.gz; \
     tar -xzf nginx-${NGINX_VERSION}.tar.gz; \

nginx/Dockerfile-alpine

@@ -5,7 +5,6 @@ FROM nginxinc/nginx-unprivileged:${NGINX_VERSION}-alpine AS build
 ARG MODSEC3_VERSION="n/a"
 ARG LUA_VERSION="n/a"
 ARG NGINX_DYNAMIC_MODULES="n/a"
-ARG MODSECURITY_NGINX_VERSION="n/a"
 
 USER root
 
@@ -56,15 +55,15 @@ RUN set -eux; \
    # Build modules
 RUN set -eux; \
     modules=""; \
-    for module in ${NGINX_DYNAMIC_MODULES}; \
+    set -- ${NGINX_DYNAMIC_MODULES}; \
+    while [ ${#} -gt 0 ]; \
     do \
-        repo=$(echo "${module}" | awk -F'/' '{print $2}'); \
-        if [ "${module}" == "owasp-modsecurity/ModSecurity-nginx" ]; then \
-          git clone -b v${MODSECURITY_NGINX_VERSION} --depth 1 "https://github.com/${module}.git"; \
-        else \
-          git clone -b master --depth 1 "https://github.com/${module}.git"; \
-        fi; \
-        modules="${modules} --add-dynamic-module=../${repo}"; \
+        owner="${1}"; \
+        name="${2}"; \
+        version="${3}"; \
+        shift 3; \
+        git clone -b "${version}" --depth 1 "https://github.com/${owner}/${name}.git"; \
+        modules="${modules} --add-dynamic-module=../${name}"; \
     done; \
     curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \
     tar -xzf nginx-${NGINX_VERSION}.tar.gz; \