Squashed commit of the following:

EvanDarwin · EvanDarwin · commit ae5010ff1488 · 2025-04-18T23:55:27.000-07:00
commit 0cd1d1b Author: Evan Darwin <edarwin@protonmail.com> Date: Fri Apr 18 23:53:45 2025 -0700 Update SBOM artifact retention period to 90 days commit bfc9a25 Author: Evan Darwin <edarwin@protonmail.com> Date: Fri Apr 18 23:30:05 2025 -0700 Update upload-artifact action to v4 and extend SBOM retention period to 365 days commit fa3ed42 Author: Evan Darwin <edarwin@protonmail.com> Date: Fri Apr 18 23:27:48 2025 -0700 Add Syft installation and SBOM generation to Docker workflow; update README for version 5.4.7 commit c22f9da Author: Evan Darwin <edarwin@protonmail.com> Date: Fri Apr 18 23:06:18 2025 -0700 Update GitHub Actions to use latest versions of checkout, Buildx, and login actions commit 3af6fcc Author: Evan Darwin <edarwin@protonmail.com> Date: Fri Apr 18 23:03:05 2025 -0700 Remove attestation configuration from Docker image workflow commit d29764a Author: Evan Darwin <edarwin@protonmail.com> Date: Fri Apr 18 23:02:32 2025 -0700 Test experimental new workflow commit a5a51d2 Author: Evan Darwin <edarwin@protonmail.com> Date: Fri Apr 18 23:01:02 2025 -0700 Remove obsolete Docker workflows and update Dockerfile to use dynamic Lua version commit 8f727f6 Author: Evan Darwin <edarwin@protonmail.com> Date: Fri Apr 18 22:55:31 2025 -0700 Update Lua and LuaRocks versions to 5.4.7 and 3.11.1 respectively commit 8e1cc76 Author: Evan Darwin <edarwin@protonmail.com> Date: Fri Apr 18 22:55:27 2025 -0700 Remove tag trigger from SBOM and Attestation workflow; restrict to master and ci-changes branches commit c4f20c8 Author: Evan Darwin <edarwin@protonmail.com> Date: Fri Apr 18 22:40:38 2025 -0700 Enhance Docker workflows with attestation and SBOM support; update README for security features and usage instructions
diff --git a/.github/workflows/dockerimage-latest.yml b/.github/workflows/dockerimage-latest.yml
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
@@ -2,7 +2,7 @@ name: Lua Docker - Image CI
 
 on:
   push:
-    branches: [ master ]
+    branches: [ master, ci-changes ]
   pull_request:
     branches: [ master ]
 
@@ -11,6 +11,71 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
-    - name: Build the Docker image
-      run: docker build . --file Dockerfile --tag evandarwin/lua:$(cat .lua.release)
+    - uses: actions/checkout@v4
+    
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+      
+    - name: Configure Docker BuildKit
+      run: |
+        echo "DOCKER_BUILDKIT=1" >> $GITHUB_ENV
+        
+    - name: Login to Docker Hub
+      if: github.event_name != 'pull_request'
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKER_USERNAME }}
+        password: ${{ secrets.DOCKER_PASSWORD }}
+        
+    - name: Extract version components
+      id: version
+      run: |
+        FULL_VERSION=$(cat .lua.release)
+        MAJOR_VERSION=$(echo $FULL_VERSION | cut -d'.' -f1)
+        MAJOR_MINOR_VERSION=$(echo $FULL_VERSION | cut -d'.' -f1,2)
+        
+        echo "full_version=$FULL_VERSION" >> $GITHUB_OUTPUT
+        echo "major_version=$MAJOR_VERSION" >> $GITHUB_OUTPUT
+        echo "major_minor_version=$MAJOR_MINOR_VERSION" >> $GITHUB_OUTPUT
+
+    - name: Install Syft for SBOM generation
+      run: |
+        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+        
+    - name: Build and push
+      uses: docker/build-push-action@v4
+      with:
+        context: .
+        push: ${{ github.event_name != 'pull_request' }}
+        tags: |
+          evandarwin/lua:${{ steps.version.outputs.full_version }}
+          evandarwin/lua:${{ steps.version.outputs.major_minor_version }}
+          evandarwin/lua:${{ steps.version.outputs.major_version }}
+          evandarwin/lua:latest
+        provenance: true
+        outputs: type=image,name=evandarwin/lua
+        build-args: |
+          BUILD_DATE=${{ github.event.repository.updated_at }}
+          VCS_REF=${{ github.sha }}
+          VERSION=${{ steps.version.outputs.full_version }}
+          
+    - name: Generate SBOM
+      if: github.event_name != 'pull_request'
+      run: |
+        # Create output directory
+        mkdir -p sbom
+        
+        # Generate SBOM in multiple formats
+        syft evandarwin/lua:${{ steps.version.outputs.full_version }} -o spdx-json=sbom/spdx.json
+        syft evandarwin/lua:${{ steps.version.outputs.full_version }} -o cyclonedx-json=sbom/cyclonedx.json
+        
+        # Optional: Generate human-readable text version
+        syft evandarwin/lua:${{ steps.version.outputs.full_version }} -o text=sbom/sbom.txt
+        
+    - name: Upload SBOM as artifact
+      if: github.event_name != 'pull_request'
+      uses: actions/upload-artifact@v4
+      with:
+        name: sbom-files
+        path: sbom/
+        retention-days: 90
diff --git a/.lua.release b/.lua.release
@@ -1 +1 @@
-5.4.6
+5.4.7
diff --git a/.luarocks.release b/.luarocks.release
@@ -1 +1 @@
-3.9.2
+3.11.1
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -0,0 +1,7 @@
+{
+    "workbench.colorCustomizations": {
+        "activityBar.background": "#540358",
+        "titleBar.activeBackground": "#75057B",
+        "titleBar.activeForeground": "#FFF9FF"
+    }
+}
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,22 @@
 FROM alpine:latest
+
+# Build arguments
+ARG BUILD_DATE
+ARG VCS_REF
+ARG VERSION
+
+# Set metadata labels
+LABEL org.opencontainers.image.created="${BUILD_DATE}" \
+     org.opencontainers.image.revision="${VCS_REF}" \
+     org.opencontainers.image.version="${VERSION}" \
+     org.opencontainers.image.authors="Evan Darwin <github@relta.net>" \
+     org.opencontainers.image.url="https://github.com/evandarwin/lua-docker" \
+     org.opencontainers.image.documentation="https://github.com/evandarwin/lua-docker/blob/master/README.md" \
+     org.opencontainers.image.description="Lua with LuaRocks container image"
+
 ENV AUTHOR="Evan Darwin <github@relta.net>"
 
-ENV VERSION_LUA="5.4.6"
+ENV VERSION_LUA="${VERSION:-5.4.7}"
 ENV VERSION_LUAROCKS="3.9.2"
 
 RUN apk add --no-cache libc-dev readline readline-dev unzip make gcc coreutils wget && \
diff --git a/README.md b/README.md
@@ -2,9 +2,48 @@
 
 <img src="docs/lua.png" alt="Lua for Docker" style="zoom:33%;" />
 
+A simple `alpine` docker image that includes the Lua runtime as well as [LuaRocks](https://luarocks.org/).
 
+## Features
 
-A simple `alpine` docker image that includes the Lua runtime as well as [LuaRocks](https://luarocks.org/).
+- Lua 5.4.7 runtime
+- LuaRocks 3.9.2 package manager
+- Based on Alpine Linux for a minimal footprint
+- Container attestation and SBOM support
+
+## Available Tags
+
+Several version tags are available for flexibility:
+
+- `evandarwin/lua:5.4.7` - Specific version (e.g., 5.4.7)
+- `evandarwin/lua:5.4` - Major.Minor version (e.g., 5.4)
+- `evandarwin/lua:5` - Major version only (e.g., 5)
+- `evandarwin/lua:latest` - Latest stable release
+
+We recommend using the specific version tag for production environments to ensure stability, while the less specific tags can be used for development or when you want to automatically get updates.
+
+## Docker Image Security
+
+This image includes supply chain security features:
+
+### Attestations
+
+The image build process includes:
+- Docker provenance attestation
+- Software Bill of Materials (SBOM)
+
+## Usage
+
+```bash
+# Pull a specific version
+docker pull evandarwin/lua:5.4.7
+
+# Or use the major.minor version
+docker pull evandarwin/lua:5.4
+
+# Run a Lua command
+docker run -it evandarwin/lua:5.4.7 lua -e "print('Hello from Lua!')"
+```
 
 Have fun!
 
