add permissions for gcr login to base image build (#5860)

.github/workflows/build-base-images.yml

@@ -16,7 +16,6 @@ concurrency:
 
 permissions:
   contents: read
-  id-token: write
 
 jobs:
   checks:
@@ -44,6 +43,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write # for scout report
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -113,6 +113,7 @@ jobs:
     needs: checks
     permissions:
       contents: read
+      id-token: write
       pull-requests: write # for scout report
     strategy:
       fail-fast: false
@@ -185,6 +186,7 @@ jobs:
     needs: checks
     permissions:
       contents: read
+      id-token: write
       pull-requests: write # for scout report
     strategy:
       fail-fast: false

.github/workflows/build-oss.yml

@@ -114,6 +114,16 @@ jobs:
           fi
         if: ${{ inputs.authenticated && ! inputs.full-build }}
 
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        with:
+          platforms: arm,arm64,ppc64le,s390x
+        if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+        if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
       - name: Build Base Container
         uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
         with:
@@ -187,7 +197,7 @@ jobs:
         uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
         continue-on-error: true
         with:
-          image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
+          image-ref: ${{ steps.meta.outputs.tags }}
           format: "sarif"
           output: "${{ inputs.image }}-results/trivy.sarif"
           ignore-unfixed: "true"

.github/workflows/build-plus.yml

@@ -119,6 +119,16 @@ jobs:
           fi
         if: ${{ inputs.authenticated && ! inputs.full-build }}
 
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        with:
+          platforms: arm,arm64,ppc64le,s390x
+        if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+        if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
       - name: Build Base Container
         uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
         with:
@@ -199,19 +209,13 @@ jobs:
       - name: Make directory for security scan results
         run: |
           mkdir -p "${{ inputs.image }}-results/"
-
-      - name: Extract image name for Scans
-        id: scan-tag
-        run: |
-          tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '[ .tags[] | select(contains("f5-gcs-7899"))] | .[0]')
-          echo "tag=$tag" >> $GITHUB_OUTPUT
         if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
         continue-on-error: true
         with:
-          image-ref: ${{ steps.scan-tag.outputs.tag }}
+          image-ref: ${{ steps.meta.outputs.tags }}
           format: "sarif"
           output: "${{ inputs.image }}-results/trivy.sarif"
           ignore-unfixed: "true"
@@ -230,7 +234,7 @@ jobs:
         continue-on-error: true
         with:
           command: cves,recommendations
-          image: ${{ steps.scan-tag.outputs.tag }}
+          image: ${{ steps.meta.outputs.tags }}
           ignore-base: true
           only-fixed: true
           sarif-file: "${{ inputs.image }}-results/scout.sarif"