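# syntax=docker.io/docker/dockerfile:1.20

# Extends dependabot-updater-core with a signature-checked regctl binary, then
# copies the docker, common and updater sources into $DEPENDABOT_HOME.

# From https://github.com/sigstore/cosign/releases
# Build-time helper only: it checks the regctl signature and is never written
# to a layer of the final image.
# NOTE(review): this image is referenced by tag and is not itself verified, so
# it is the trust root for the check below; pinning it by digest would make that
# root immutable.
FROM ghcr.io/sigstore/cosign/cosign:v3.0.3 AS cosign

# From https://github.com/regclient/regclient/releases
FROM ghcr.io/regclient/regctl:v0.11.1 AS regctl

# NOTE(review): no tag or digest, so this resolves to :latest; presumably the
# core image is built locally right before this one. Confirm.
FROM ghcr.io/dependabot/dependabot-updater-core

ENV PATH=/opt/bin:$PATH

# Set the mode at copy time; a follow-up `RUN chmod` would store the binary a
# second time in a new layer.
COPY --from=regctl --chmod=0755 /regctl /opt/bin/regctl

# Verify regclient binary. See https://regclient.org/install/#verifying-signatures
#
# cosign is bind-mounted from its stage for this one RUN. A COPY followed by a
# later `rm` would leave the binary retrievable from the earlier image layer.
#
# The identity regexp is anchored with ^ and its dots are escaped, so the signing
# certificate identity must start with the regclient workflows path rather than
# merely contain something resembling it. Single quotes stop the shell from
# stripping the backslashes.
#
# NOTE(review): the tag is self-reported by the binary being checked, and cosign
# verifies the registry image at that tag, not the bytes copied above. Pinning
# the regctl stage by digest and verifying that same digest would bind the two.
RUN --mount=type=bind,from=cosign,source=/ko-app/cosign,target=/opt/bin/cosign \
    REGCTL_VERSION=$(regctl version --format '{{.VCSTag}}') && \
    # Fail early if the binary reports no tag, instead of verifying a malformed reference.
    [ -n "${REGCTL_VERSION}" ] && \
    cosign verify \
      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
      --certificate-identity-regexp '^https://github\.com/regclient/regclient/\.github/workflows/' \
      "ghcr.io/regclient/regctl:${REGCTL_VERSION}"

# Drop privileges before adding application code; the files copied below are
# owned by the dependabot user.
USER dependabot

COPY --chown=dependabot:dependabot --parents docker common $DEPENDABOT_HOME/
COPY --chown=dependabot:dependabot updater $DEPENDABOT_HOME/dependabot-updater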