authorAmir Zarrinkafsh <nightah@me.com>2025-03-06 13:10:48 +1100
committerGitHub <noreply@github.com>2025-03-06 02:10:48 +0000
commit7d1adffab57d038dad929431549e874abfdcb7b0 (patch)
treea594e05c2fe03ca45676ae8e9d82d18f50839fa5
parent68945a4d318c13a284ff4b72f56b6f61a650d27b (diff)
feat: build from authelia/base base image (#8884)
* feat: build from authelia/base base image This change moves Authelia's base image from a musl based distro (alpine) to a glibc based custom image distro (chisel/ubuntu). Signed-off-by: Amir Zarrinkafsh <nightah@me.com> * feat: add mode=max image provenance attestations Signed-off-by: Amir Zarrinkafsh <nightah@me.com> * feat: index digest sha to from statement in provenance attestations Signed-off-by: Amir Zarrinkafsh <nightah@me.com> * feat: add reproducible metadata to provenance attestation Signed-off-by: Amir Zarrinkafsh <nightah@me.com> * feat: add sbom metadata to image manifest Signed-off-by: Amir Zarrinkafsh <nightah@me.com> * fix(suites): prevent race condition in ha mysql test Signed-off-by: Amir Zarrinkafsh <nightah@me.com> * refactor(suites): log to confirm when services are ready Signed-off-by: Amir Zarrinkafsh <nightah@me.com> * fix(suites): increase wait timer for mariadb ha test Signed-off-by: Amir Zarrinkafsh <nightah@me.com> --------- Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
-rw-r--r--.buildkite/annotations/artifacts6
-rwxr-xr-x.buildkite/deployment.sh24
-rwxr-xr-x.buildkite/hooks/post-command4
-rwxr-xr-x.buildkite/hooks/pre-artifact2
-rwxr-xr-x.buildkite/hooks/pre-command8
-rwxr-xr-x.buildkite/steps/ghartifacts.sh3
-rw-r--r--Dockerfile24
-rw-r--r--Dockerfile.coverage40
-rw-r--r--Dockerfile.dev42
-rw-r--r--cmd/authelia-scripts/cmd/build.go17
-rw-r--r--cmd/authelia-scripts/cmd/const.go3
-rw-r--r--cmd/authelia-scripts/cmd/helpers_docker.go97
-rw-r--r--internal/suites/environment.go1
-rw-r--r--internal/suites/suite_high_availability_test.go1
14 files changed, 129 insertions, 143 deletions
diff --git a/.buildkite/annotations/artifacts b/.buildkite/annotations/artifacts
index 54393f113..152a7baa4 100644
--- a/.buildkite/annotations/artifacts
+++ b/.buildkite/annotations/artifacts
@@ -5,8 +5,6 @@
<dd>
<a href="artifact://authelia-linux-amd64.tar.gz">authelia-linux-amd64.tar.gz</a><br>
<a href="artifact://authelia-linux-amd64.tar.gz.sha256">authelia-linux-amd64.tar.gz.sha256</a><br>
- <a href="artifact://authelia-linux-amd64-musl.tar.gz">authelia-linux-amd64-musl.tar.gz</a><br>
- <a href="artifact://authelia-linux-amd64-musl.tar.gz.sha256">authelia-linux-amd64-musl.tar.gz.sha256</a><br>
<a href="artifact://authelia-freebsd-amd64.tar.gz">authelia-freebsd-amd64.tar.gz</a><br>
<a href="artifact://authelia-freebsd-amd64.tar.gz.sha256">authelia-freebsd-amd64.tar.gz.sha256</a><br>
<a href="artifact://authelia_amd64.deb">authelia_amd64.deb</a><br>
@@ -18,8 +16,6 @@
<dd>
<a href="artifact://authelia-linux-arm.tar.gz">authelia-linux-arm.tar.gz</a><br>
<a href="artifact://authelia-linux-arm.tar.gz.sha256">authelia-linux-arm.tar.gz.sha256</a><br>
- <a href="artifact://authelia-linux-arm-musl.tar.gz">authelia-linux-arm-musl.tar.gz</a><br>
- <a href="artifact://authelia-linux-arm-musl.tar.gz.sha256">authelia-linux-arm-musl.tar.gz.sha256</a><br>
<a href="artifact://authelia_armhf.deb">authelia_armhf.deb</a><br>
<a href="artifact://authelia_armhf.deb.sha256">authelia_armhf.deb.sha256</a>
</dd>
@@ -29,8 +25,6 @@
<dd>
<a href="artifact://authelia-linux-arm64.tar.gz">authelia-linux-arm64.tar.gz</a><br>
<a href="artifact://authelia-linux-arm64.tar.gz.sha256">authelia-linux-arm64.tar.gz.sha256</a><br>
- <a href="artifact://authelia-linux-arm64-musl.tar.gz">authelia-linux-arm64-musl.tar.gz</a><br>
- <a href="artifact://authelia-linux-arm64-musl.tar.gz.sha256">authelia-linux-arm64-musl.tar.gz.sha256</a><br>
<a href="artifact://authelia_arm64.deb">authelia_arm64.deb</a><br>
<a href="artifact://authelia_arm64.deb.sha256">authelia_arm64.deb.sha256</a>
</dd>
diff --git a/.buildkite/deployment.sh b/.buildkite/deployment.sh
index b2118d172..6902ef2c0 100755
--- a/.buildkite/deployment.sh
+++ b/.buildkite/deployment.sh
@@ -22,10 +22,30 @@ env:
CI_BYPASS: ${CI_BYPASS}
steps:
+ - label: ":rocket: Trigger Pipeline [baseimage]"
+ trigger: "baseimage"
+ build:
+ message: "${BUILDKITE_MESSAGE}"
+ env:
+ AUTHELIA_RELEASE: "${BUILDKITE_TAG//v}"
+ BUILDKITE_PULL_REQUEST: "${BUILDKITE_PULL_REQUEST}"
+ BUILDKITE_PULL_REQUEST_BASE_BRANCH: "${BUILDKITE_PULL_REQUEST_BASE_BRANCH}"
+ BUILDKITE_PULL_REQUEST_REPO: "${BUILDKITE_PULL_REQUEST_REPO}"
+ depends_on: ~
+ key: "baseimage"
+ if: build.tag != null && build.env("CI_BYPASS") != "true"
+
- label: ":docker: Deploy Manifest"
command: "authelia-scripts docker push-manifest"
depends_on:
- "unit-test"
+EOF
+if [[ "${BUILDKITE_TAG}" != "" ]]; then
+cat << EOF
+ - "baseimage"
+EOF
+fi
+cat << EOF
retry:
manual:
permit_on_passed: true
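Review bot: `AUTHELIA_RELEASE: "${BUILDKITE_TAG//v}"` removes every `v` in the tag, not only the leading one, because `//` is bash's replace-all form and the heredoc is unquoted. The Go side of this commit derives the base image tag with `strings.TrimPrefix(ciTag, "v")`, so if both values come from the same git tag (not confirmed by the visible lines), a tag containing another `v` would make the baseimage pipeline and `Manifest` disagree on the tag. The digest lookup would then fail or resolve a different image. Use the prefix-strip form so both sides agree: `AUTHELIA_RELEASE: "${BUILDKITE_TAG#v}"`.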
@@ -45,7 +65,7 @@ steps:
agents:
upload: "fast"
key: "artifacts"
- if: build.tag != null
+ if: build.tag != null && build.env("CI_BYPASS") != "true"
- label: ":linux: Deploy AUR"
command: ".buildkite/steps/aurpackages.sh | buildkite-agent pipeline upload"
@@ -60,5 +80,5 @@ steps:
- "build-deb-package-armhf"
agents:
upload: "fast"
- if: build.tag != null
+ if: build.tag != null && build.env("CI_BYPASS") != "true"
EOF
diff --git a/.buildkite/hooks/post-command b/.buildkite/hooks/post-command
index 9cb859632..a2cb80c7f 100755
--- a/.buildkite/hooks/post-command
+++ b/.buildkite/hooks/post-command
@@ -44,10 +44,6 @@ if [[ ${BUILDKITE_LABEL} == ":debian: Package Builds" ]]; then
buildkite-agent annotate --style "success" --context "ctx-success" < .buildkite/annotations/artifacts
fi
-if [[ ${BUILDKITE_LABEL} == ":docker: Build and Deploy Image" ]]; then
- docker logout
-fi
-
if [[ ${BUILDKITE_LABEL} =~ ":docker: Deploy" ]]; then
docker logout
docker logout ghcr.io
diff --git a/.buildkite/hooks/pre-artifact b/.buildkite/hooks/pre-artifact
index 2a3aaadd2..d284d0413 100755
--- a/.buildkite/hooks/pre-artifact
+++ b/.buildkite/hooks/pre-artifact
@@ -2,7 +2,7 @@
set +u
-declare -A BUILDS=(["linux"]="amd64 arm arm64 amd64-musl arm-musl arm64-musl" ["freebsd"]="amd64")
+declare -A BUILDS=(["linux"]="amd64 arm arm64" ["freebsd"]="amd64")
DOCKER_IMAGE=authelia:dist
if [[ "${BUILDKITE_LABEL}" == ":hammer_and_wrench: Unit Test" ]]; then
diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
index bd2db9af4..c9dfe7c9d 100755
--- a/.buildkite/hooks/pre-command
+++ b/.buildkite/hooks/pre-command
@@ -20,10 +20,6 @@ if [[ "${BUILDKITE_LABEL}" == ":docker: Build Image [coverage]" ]]; then
cp -R /buildkite/.local .
fi
-if [[ "${BUILDKITE_STEP_KEY}" =~ build-deb-package-(arm64|armhf) && "${BUILDKITE_AGENT_NAME}" =~ sauron* ]]; then
- docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
-fi
-
if [[ "${BUILDKITE_LABEL}" =~ ":debian: Build Package" ]]; then
buildkite-agent artifact download "authelia-linux-${ARCH}.tar.gz" .
fi
@@ -67,8 +63,8 @@ fi
if [[ "${BUILDKITE_LABEL}" == ":docker: Deploy Manifest" ]]; then
echo "--- :go: :react: :swagger: Extract pre-built binary"
- buildkite-agent artifact download "authelia-linux-*-musl.tar.gz" .
- for archive in authelia-linux-*-musl.tar.gz; do tar xzf "${archive}" --wildcards "authelia-linux-*"; done
+ buildkite-agent artifact download "authelia-linux-*.tar.gz" .
+ for archive in authelia-linux-*.tar.gz; do tar xzf "${archive}" --wildcards "authelia-linux-*"; done
fi
if [[ "${BUILDKITE_LABEL}" == ":github: Deploy Artifacts" ]]; then
diff --git a/.buildkite/steps/ghartifacts.sh b/.buildkite/steps/ghartifacts.sh
index 5b3caf552..b172b901f 100755
--- a/.buildkite/steps/ghartifacts.sh
+++ b/.buildkite/steps/ghartifacts.sh
@@ -7,9 +7,6 @@ for FILE in \
authelia-linux-amd64.tar.gz authelia-linux-amd64.tar.gz.sha256 \
authelia-linux-arm.tar.gz authelia-linux-arm.tar.gz.sha256 \
authelia-linux-arm64.tar.gz authelia-linux-arm64.tar.gz.sha256 \
- authelia-linux-amd64-musl.tar.gz authelia-linux-amd64-musl.tar.gz.sha256 \
- authelia-linux-arm-musl.tar.gz authelia-linux-arm-musl.tar.gz.sha256 \
- authelia-linux-arm64-musl.tar.gz authelia-linux-arm64-musl.tar.gz.sha256 \
authelia-freebsd-amd64.tar.gz authelia-freebsd-amd64.tar.gz.sha256 \
authelia-public_html.tar.gz authelia-public_html.tar.gz.sha256;
do
diff --git a/Dockerfile b/Dockerfile
index 774a49bb2..ce7309550 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,28 +1,26 @@
# ===================================
# ===== Authelia official image =====
# ===================================
-FROM alpine:3.21.3@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c
+ARG BASE="authelia/base:latest"
+
+FROM ${BASE}
ARG TARGETOS
ARG TARGETARCH
WORKDIR /app
-# Set environment variables
-ENV PATH="/app:${PATH}" \
- PUID=0 \
- PGID=0 \
- X_AUTHELIA_CONFIG="/config/configuration.yml"
-
-RUN \
- apk --no-cache add ca-certificates su-exec tzdata wget
+ENV \
+ PATH="/app:${PATH}" \
+ PUID=0 \
+ PGID=0 \
+ X_AUTHELIA_CONFIG="/config/configuration.yml"
-COPY LICENSE .healthcheck.env entrypoint.sh healthcheck.sh ./
+COPY --link LICENSE entrypoint.sh healthcheck.sh ./
-RUN \
- chmod 0666 /app/.healthcheck.env
+COPY --link --chmod=666 .healthcheck.env ./
-COPY authelia-${TARGETOS}-${TARGETARCH}-musl ./authelia
+COPY --link authelia-${TARGETOS}-${TARGETARCH} ./authelia
EXPOSE 9091
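Review bot: The default `ARG BASE="authelia/base:latest"` is a mutable tag, whereas the removed `FROM alpine:3.21.3@sha256:…` line pinned the base by digest. In the visible hunks only `Manifest` in helpers_docker.go passes `--build-arg BASE=` with a digest, so any other build of this file takes whatever `latest` resolves to at build time. Consider dropping the default so an unpinned build fails at `FROM`, or at least document the contract with `# BASE must be supplied as name:tag@sha256:<digest>; the default is for local builds only`. The final stages of Dockerfile.coverage and Dockerfile.dev use `FROM authelia/base:latest` the same way while their builder stages stay digest-pinned.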
diff --git a/Dockerfile.coverage b/Dockerfile.coverage
index 100808ec7..4f790ba00 100644
--- a/Dockerfile.coverage
+++ b/Dockerfile.coverage
@@ -5,60 +5,58 @@ FROM node:23-alpine@sha256:dc4d20572e425f9d4c68a6f9c382fbcfec3fa2f8ef0b12cb1d96f
WORKDIR /node/src/app
-COPY .local /root/.local
-COPY web ./
+COPY --link .local /root/.local
+COPY --link web ./
# Install the dependencies and build
-RUN yarn global add pnpm && \
- pnpm install --frozen-lockfile && pnpm coverage
+RUN \
+ yarn global add pnpm && \
+ pnpm install --frozen-lockfile && \
+ pnpm coverage
# =======================================
# ===== Build image for the backend =====
# =======================================
-FROM golang:1.24.0-alpine@sha256:2d40d4fc278dad38be0777d5e2a88a2c6dee51b0b29c97a764fc6c6a11ca893c AS builder-backend
+FROM golang:1.24.0-bookworm@sha256:b970e6d47c09fdd34179acef5c4fecaf6410f0b597a759733b3cbea04b4e604a AS builder-backend
WORKDIR /go/src/app
-RUN \
- echo ">> Downloading required apk's..." && \
- apk --no-cache add gcc musl-dev
-
-COPY go.mod go.sum ./
+COPY --link go.mod go.sum ./
RUN \
echo ">> Downloading go modules..." && \
go mod download
-COPY / ./
+COPY --link / ./
# Prepare static files to be embedded in Go binary
-COPY --from=builder-frontend /node/src/internal/server/public_html internal/server/public_html
+COPY --link --from=builder-frontend /node/src/internal/server/public_html internal/server/public_html
ARG LDFLAGS_EXTRA
+
RUN \
mv api internal/server/public_html/api && \
- cd cmd/authelia && \
- chmod 0666 /go/src/app/.healthcheck.env && \
echo ">> Starting go build (coverage via -cover)..." && \
CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" go build -cover -covermode=atomic \
- -ldflags "${LDFLAGS_EXTRA}" -o authelia
+ -ldflags "${LDFLAGS_EXTRA}" -o authelia ./cmd/authelia
# ===================================
# ===== Authelia official image =====
# ===================================
-FROM alpine:3.21.3@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c
-
-RUN apk --no-cache add ca-certificates tzdata wget
+FROM authelia/base:latest
WORKDIR /app
-COPY --from=builder-backend /go/src/app/cmd/authelia/authelia /go/src/app/LICENSE /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./
+COPY --link --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/healthcheck.sh ./
+
+COPY --link --from=builder-backend --chmod=666 /go/src/app/.healthcheck.env ./
EXPOSE 9091
-ENV PATH="/app:${PATH}" \
+ENV \
+ PATH="/app:${PATH}" \
GOCOVERDIR="/authelia/coverage/" \
- X_AUTHELIA_CONFIG="/config/configuration.yml"
+ X_AUTHELIA_CONFIG="/config/configuration.yml"
CMD ["authelia"]
HEALTHCHECK --interval=30s --timeout=3s CMD /app/healthcheck.sh
diff --git a/Dockerfile.dev b/Dockerfile.dev
index 715d54b54..5d6eea59f 100644
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -5,38 +5,36 @@ FROM node:23-alpine@sha256:dc4d20572e425f9d4c68a6f9c382fbcfec3fa2f8ef0b12cb1d96f
WORKDIR /node/src/app
-COPY web ./
+COPY --link web ./
# Install the dependencies and build
-RUN yarn global add pnpm && \
- pnpm install --frozen-lockfile && pnpm coverage
+RUN \
+ yarn global add pnpm && \
+ pnpm install --frozen-lockfile && \
+ pnpm coverage
# =======================================
# ===== Build image for the backend =====
# =======================================
-FROM golang:1.24.0-alpine@sha256:2d40d4fc278dad38be0777d5e2a88a2c6dee51b0b29c97a764fc6c6a11ca893c AS builder-backend
+FROM golang:1.24.0-bookworm@sha256:b970e6d47c09fdd34179acef5c4fecaf6410f0b597a759733b3cbea04b4e604a AS builder-backend
WORKDIR /go/src/app
-RUN \
- echo ">> Downloading required apk's..." && \
- apk --no-cache add gcc musl-dev
-
-COPY go.mod go.sum ./
+COPY --link go.mod go.sum ./
RUN \
echo ">> Downloading go modules..." && \
go mod download
-COPY / ./
+COPY --link / ./
# Prepare static files to be embedded in Go binary
-COPY --from=builder-frontend /node/src/internal/server/public_html internal/server/public_html
+COPY --link --from=builder-frontend /node/src/internal/server/public_html internal/server/public_html
ARG LDFLAGS_EXTRA
+
RUN \
mv api internal/server/public_html/api && \
- chmod 0666 /go/src/app/.healthcheck.env && \
echo ">> Starting go build..." && \
CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" go build \
-ldflags "-linkmode=external -s -w ${LDFLAGS_EXTRA}" -trimpath -buildmode=pie -o authelia ./cmd/authelia
@@ -44,23 +42,19 @@ RUN \
# ===================================
# ===== Authelia official image =====
# ===================================
-FROM alpine:3.21.3@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c
+FROM authelia/base:latest
WORKDIR /app
-# Set environment variables
-ENV PATH="/app:${PATH}" \
- PUID=0 \
- PGID=0 \
- X_AUTHELIA_CONFIG="/config/configuration.yml"
+ENV \
+ PATH="/app:${PATH}" \
+ PUID=0 \
+ PGID=0 \
+ X_AUTHELIA_CONFIG="/config/configuration.yml"
-RUN \
- apk --no-cache add ca-certificates su-exec tzdata wget
-
-COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./
+COPY --link --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh ./
-RUN \
- chmod 0666 /app/.healthcheck.env
+COPY --link --from=builder-backend --chmod=666 /go/src/app/.healthcheck.env ./
EXPOSE 9091
diff --git a/cmd/authelia-scripts/cmd/build.go b/cmd/authelia-scripts/cmd/build.go
index 90c6b8a3d..217008524 100644
--- a/cmd/authelia-scripts/cmd/build.go
+++ b/cmd/authelia-scripts/cmd/build.go
@@ -77,22 +77,7 @@ func buildAutheliaBinaryGOX(xflags []string) {
s := time.Now()
- wg.Add(2)
-
- go func() {
- defer wg.Done()
-
- cmd := utils.CommandWithStdout("gox", "-output={{.Dir}}-{{.OS}}-{{.Arch}}-musl", "-buildmode=pie", "-trimpath", "-cgo", "-ldflags=-linkmode=external -s -w "+strings.Join(xflags, " "), "-osarch=linux/amd64 linux/arm linux/arm64", "./cmd/authelia/")
-
- cmd.Env = append(os.Environ(),
- "CGO_CPPFLAGS=-D_FORTIFY_SOURCE=2 -fstack-protector-strong", "CGO_LDFLAGS=-Wl,-z,relro,-z,now",
- "GOX_LINUX_ARM_CC=arm-linux-musleabihf-gcc", "GOX_LINUX_ARM64_CC=aarch64-linux-musl-gcc")
-
- err := cmd.Run()
- if err != nil {
- log.Fatal(err)
- }
- }()
+ wg.Add(1)
go func() {
defer wg.Done()
diff --git a/cmd/authelia-scripts/cmd/const.go b/cmd/authelia-scripts/cmd/const.go
index 44630607b..5810ba161 100644
--- a/cmd/authelia-scripts/cmd/const.go
+++ b/cmd/authelia-scripts/cmd/const.go
@@ -3,6 +3,9 @@ package cmd
// OutputDir the output directory where the built version of Authelia is located.
var OutputDir = "dist"
+// BaseImageName the official name of Authelia base docker image.
+var BaseImageName = "authelia/base"
+
// DockerImageName the official name of Authelia docker image.
var DockerImageName = "authelia/authelia"
diff --git a/cmd/authelia-scripts/cmd/helpers_docker.go b/cmd/authelia-scripts/cmd/helpers_docker.go
index f05eba9ac..0a481ea36 100644
--- a/cmd/authelia-scripts/cmd/helpers_docker.go
+++ b/cmd/authelia-scripts/cmd/helpers_docker.go
@@ -1,7 +1,6 @@
package cmd
import (
- "bufio"
"encoding/json"
"fmt"
"net/http"
@@ -16,7 +15,7 @@ type Docker struct{}
// Build build a docker image.
func (d *Docker) Build(tag, dockerfile, target string, buildMetaData *Build) error {
- args := []string{"build", "-t", tag, "-f", dockerfile, "--progress=plain"}
+ args := []string{"build", "-t", tag, "-f", dockerfile, "--progress=plain", "--pull"}
for label, value := range buildMetaData.ContainerLabels() {
if value == "" {
@@ -65,53 +64,36 @@ func (d *Docker) Manifest(tags []string) error {
args = append(args, "--label", fmt.Sprintf("%s=%s", label, value))
}
- var baseImageTag string
-
- from, err := getDockerfileDirective("Dockerfile", "FROM")
- if err == nil {
- baseImageTag = from[strings.IndexRune(from, ':')+1:]
- args = append(args, "--label", "org.opencontainers.image.base.name=docker.io/library/alpine:"+baseImageTag)
+ baseImageTag := "latest"
+ if ciTag != "" {
+ baseImageTag = strings.TrimPrefix(ciTag, "v")
}
- resp, err := http.Get("https://hub.docker.com/v2/repositories/library/alpine/tags/" + baseImageTag + "/images")
+ indexDigest, err := getManifestIndexDigest(baseImageTag)
if err != nil {
return err
}
- defer resp.Body.Close()
-
- images := DockerImages{}
+ args = append(args, "--build-arg", "BASE="+BaseImageName+":"+indexDigest, "--label", "org.opencontainers.image.base.name=docker.io/"+BaseImageName+":"+indexDigest)
- if err = json.NewDecoder(resp.Body).Decode(&images); err != nil {
+ digestAMD64, digestARM, digestARM64, err := getBaseImageDigests(baseImageTag)
+ if err != nil {
return err
}
- var (
- digestAMD64, digestARM, digestARM64 string
- )
-
- for _, platform := range []string{"linux/amd64", "linux/arm/v7", "linux/arm64"} {
- for _, image := range images {
- if !image.Match(platform) {
- continue
- }
-
- switch platform {
- case "linux/amd64":
- digestAMD64 = image.Digest
- case "linux/arm/v7":
- digestARM = image.Digest
- case "linux/arm64":
- digestARM64 = image.Digest
- }
- }
- }
-
finalArgs := make([]string, len(args))
copy(finalArgs, args)
- finalArgs = append(finalArgs, "--output", "type=image,\"name="+dockerhub+"/"+DockerImageName+","+ghcr+"/"+DockerImageName+"\","+annotations+"annotation.org.opencontainers.image.base.name=docker.io/library/alpine:"+baseImageTag+",annotation[linux/amd64].org.opencontainers.image.base.digest="+digestAMD64+",annotation[linux/arm/v7].org.opencontainers.image.base.digest="+digestARM+",annotation[linux/arm64].org.opencontainers.image.base.digest="+digestARM64, "--platform", "linux/amd64,linux/arm/v7,linux/arm64", "--builder", "buildx", "--push", ".")
+ finalArgs = append(finalArgs,
+ "--output", "type=image,\"name="+dockerhub+"/"+DockerImageName+","+ghcr+"/"+DockerImageName+"\","+
+ annotations+"annotation.org.opencontainers.image.base.name=docker.io/"+BaseImageName+":"+indexDigest+
+ ",annotation[linux/amd64].org.opencontainers.image.base.digest="+digestAMD64+
+ ",annotation[linux/arm/v7].org.opencontainers.image.base.digest="+digestARM+
+ ",annotation[linux/arm64].org.opencontainers.image.base.digest="+digestARM64,
+ "--platform", "linux/amd64,linux/arm/v7,linux/arm64",
+ "--provenance", "mode=max,reproducible=true", "--sbom", "true",
+ "--builder", "buildx", "--push", ".")
if err = utils.CommandWithStdout("docker", finalArgs...).Run(); err != nil {
return err
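Review bot: The three per-platform digests are written into the `base.digest` annotations without any check, and `getBaseImageDigests` (last hunk of this file) returns a nil error with empty strings when a platform is not matched. They also come from a Docker Hub lookup by tag that is separate from the `docker buildx imagetools inspect` call that produced `indexDigest`, so if the tag moves between the two calls the annotations can describe a different base than the one pinned in `BASE`. At minimum fail closed before building: `if digestAMD64 == "" || digestARM == "" || digestARM64 == "" { return fmt.Errorf("missing platform digest for %s:%s", BaseImageName, baseImageTag) }`. Reading the platform digests from the same index that `imagetools inspect` returned would remove the second lookup. `Manifest` starts before and continues after this hunk.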
@@ -125,24 +107,45 @@ func (d *Docker) PublishReadme() error {
return utils.CommandWithStdout("bash", "-c", `token=$(curl -fs --retry 3 -H "Content-Type: application/json" -X "POST" -d '{"username": "'$DOCKER_USERNAME'", "password": "'$DOCKER_PASSWORD'"}' https://hub.docker.com/v2/users/login/ | jq -r .token) && jq -n --arg msg "$(cat README.md | sed -r 's/(\<img\ src\=\")(\.\/)/\1https:\/\/github.com\/authelia\/authelia\/raw\/master\//' | sed 's/\.\//https:\/\/github.com\/authelia\/authelia\/blob\/master\//g' | sed '/start \[contributing\]/ a <a href="https://github.com/authelia/authelia/graphs/contributors"><img src="https://opencollective.com/authelia-sponsors/contributors.svg?width=890" /></a>' | sed '/Thanks goes to/,/### Backers/{/### Backers/!d}')" '{"registry":"registry-1.docker.io","full_description": $msg }' | curl -fs --retry 3 -o /dev/null -L -X "PATCH" -H "Content-Type: application/json" -H "Authorization: JWT $token" -d @- https://hub.docker.com/v2/repositories/authelia/authelia/`).Run()
}
-func getDockerfileDirective(filePath, directive string) (from string, err error) {
- var f *os.File
-
- if f, err = os.Open(filePath); err != nil {
- return "", err
+func getBaseImageDigests(tag string) (amd64, arm, arm64 string, err error) {
+ resp, err := http.Get("https://hub.docker.com/v2/repositories/" + BaseImageName + "/tags/" + tag + "/images")
+ if err != nil {
+ return "", "", "", err
}
- defer f.Close()
+ defer resp.Body.Close()
+
+ images := DockerImages{}
- s := bufio.NewScanner(f)
+ if err = json.NewDecoder(resp.Body).Decode(&images); err != nil {
+ return "", "", "", err
+ }
- for s.Scan() {
- data := s.Text()
+ for _, platform := range []string{"linux/amd64", "linux/arm/v7", "linux/arm64"} {
+ for _, image := range images {
+ if !image.Match(platform) {
+ continue
+ }
- if strings.HasPrefix(data, directive+" ") {
- return data[5:], nil
+ switch platform {
+ case "linux/amd64":
+ amd64 = image.Digest
+ case "linux/arm/v7":
+ arm = image.Digest
+ case "linux/arm64":
+ arm64 = image.Digest
+ }
}
}
- return "", nil
+ return amd64, arm, arm64, nil
+}
+
+func getManifestIndexDigest(tag string) (digest string, err error) {
+ digest, _, err = utils.RunCommandAndReturnOutput(`docker buildx imagetools inspect ` + BaseImageName + `:` + tag + ` --format "{{ json . }}" | jq -r '(.name/":"|last) + "@" + .manifest.digest'`)
+ if err != nil {
+ return "", err
+ }
+
+ return digest, nil
}
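Review bot: `getManifestIndexDigest` concatenates `tag` into a command string that contains a `| jq` pipe, so if `utils.RunCommandAndReturnOutput` hands it to a shell (not visible here), the tag is interpreted by that shell and the reported status is jq's rather than `docker buildx`'s. `tag` comes from `ciTag` in `Manifest`; validating it against a strict version pattern before interpolation, and rejecting output that is not a digest reference, keeps a bad value out of the `BASE` build argument: `if !strings.Contains(digest, "@sha256:") { return "", fmt.Errorf("unexpected imagetools output %q", digest) }`. In `getBaseImageDigests`, `http.Get` uses the default client with no timeout and `resp.StatusCode` is never checked before decoding.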
diff --git a/internal/suites/environment.go b/internal/suites/environment.go
index a4360b2ba..0d255ee32 100644
--- a/internal/suites/environment.go
+++ b/internal/suites/environment.go
@@ -27,6 +27,7 @@ func waitUntilServiceLogDetected(
for _, pattern := range logPatterns {
if strings.Contains(logs, pattern) {
+ log.Debug("Service " + service + " is ready!")
return true, nil
}
}
diff --git a/internal/suites/suite_high_availability_test.go b/internal/suites/suite_high_availability_test.go
index d8d79181f..b35986b06 100644
--- a/internal/suites/suite_high_availability_test.go
+++ b/internal/suites/suite_high_availability_test.go
@@ -157,6 +157,7 @@ func (s *HighAvailabilityWebDriverSuite) TestShouldKeepUserDataInDB() {
s.Require().NoError(err)
s.Require().NoError(waitUntilServiceLog(haDockerEnvironment, "mariadb", "mariadbd: ready for connections"))
+ time.Sleep(time.Second * 3)
s.doLoginSecondFactorTOTP(s.T(), s.Context(ctx), "john", "password", false, "")
s.verifyIsSecondFactorPage(s.T(), s.Context(ctx))
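Review bot: `time.Sleep(time.Second * 3)` is a fixed delay stacked on the log-based readiness wait, so the test can still race on a slow runner and always costs three seconds on a fast one. Polling for the condition the login actually depends on would be more reliable than a timer. If the sleep stays, record why it is there: `// Fixed settle delay: the ready log line alone did not prevent the race fixed in #8884.` The test function starts before and continues after this hunk.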