Single python release and review points

Signed-off-by: Luke Hinds <luke@stacklok.com>

Author: lukehinds

.github/workflows/build-publish-image.yml

@@ -3,20 +3,17 @@ name: Build and Publish Bandit Images
 on:
   release:
     types: [created]
+  schedule:
+    - cron: '0 0 * * 0' # Every Sunday at midnight
 
 jobs:
   build-and-publish:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
       id-token: write
-    strategy:
-      matrix:
-        python-version: ['38', '39', '310', '311', '312']
-        architecture: [amd64, arm64]
+
     steps:
     - name: Check out the repo
       uses: actions/checkout@v4
@@ -41,14 +38,14 @@ jobs:
       uses: docker/build-push-action@v5
       with:
         context: .
-        file: ./docker/Dockerfile-py${{ matrix.python-version }}
+        file: ./docker/Dockerfile
         push: true
-        tags: ghcr.io/${{ github.repository }}/bandit:py${{ matrix.python-version }}-${{ matrix.architecture }}
-        platforms: linux/${{ matrix.architecture }}
+        tags: ghcr.io/${{ github.repository }}/bandit:latest
+        platforms: linux/amd64, linux/arm64
 
     - name: Sign the image
       env:
-        TAGS: ghcr.io/${{ github.repository }}/bandit:py${{ matrix.python-version }}-${{ matrix.architecture }}
+        TAGS: ghcr.io/${{ github.repository }}/bandit:latest
         DIGEST: ${{ steps.build-and-push.outputs.digest }}
       run: |
-       echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+        echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

README.rst

@@ -91,34 +91,30 @@ Bandit is available as a container image, built within the bandit repository
 using GitHub Actions. The image is available on gchr.io:
 
 ```bash
-docker pull gcr.io/pycqa/bandit/bandit:py312-arm64
+docker pull ghcr.io/pycqa/bandit/bandit
 ```
 
 The image is built for the following architectures:
 
 * amd64
 * arm64
+* armv7
 
-The image is tagged with the Python version and architecture, for example:
+To pull a specific architecture, use the following format:
 
-* py312-amd64
-* py312-arm64
-
-Python versions supported are:
+```bash
+docker pull ghcr.io/pycqa/bandit/bandit:<tag>-<arch>
+```
 
-* 3.8 (py38-amd64)
-* 3.9 (py39-amd64)
-* 3.10 (py310-amd64)
-* 3.11 (py311-amd64)
-* 3.12 (py312-amd64)
+Where `<tag>` is the release version of Bandit and `<arch>` is the architecture
 
 Every image is signed with sigstore cosign and it is possible to verify the
 source of origin using the following cosign command:
 
 ```bash
 cosign verify ghcr.io/pycqa/bandit/bandit:py39-amd64 \
-  --certificate-identity https://github.com/pycqa/bandit/.github/workflows/build-publish-image.yml@refs/tags/1.7.6 \
+  --certificate-identity https://github.com/pycqa/bandit/.github/workflows/build-publish-image.yml@refs/tags/<version> \
   --certificate-oidc-issuer https://token.actions.githubusercontent.com
 ```
 
-Where `1.7.6` is the release version of Bandit.
+Where `<version>` is the release version of Bandit.

docker/Dockerfile

@@ -0,0 +1,16 @@
+FROM python:3.12-alpine
+
+# Install Git (required for pbr versioning)
+RUN apk add --no-cache git
+
+# Copy the source code into the container
+COPY . /bandit
+
+# Set the working directory
+WORKDIR /bandit
+
+# Install Bandit from the source code using pip
+RUN pip install .
+
+# Define entrypoint and default command
+ENTRYPOINT ["bandit"]