CP-24414: bump anchore/scan-action from 5 to 6 (#75) #193
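---
# DockerBuild
#
# Builds the validator image for every push / PR / release, pushes it to a
# throw-away registry service, runs two vulnerability scans against it, and
# only then copies it to ghcr.io -- and only for develop, main, release
# events or v* tags.  Nothing reaches the production registry unless both
# scan steps succeed, because a failing step stops the job before the
# PRODUCTION STEP section.
name: DockerBuild

on:
  push:
    branches:
      - develop
      - main
    tags:
      - '*'
  # tag is pr-<number>
  pull_request:
  release:
    types:
      - created
      - published
      - released

env:
  REGISTRY_LOCAL_ADDR: localhost:5000
  REGISTRY_PROD_ADDR: ghcr.io
  IMAGE_NAME: ${{ github.repository }}/cloudzero-agent-validator

jobs:
  docker:
    runs-on: ubuntu-latest
    # Least privilege: the only write this job performs is the push to ghcr.io.
    # `id-token: write` was removed because no step below does OIDC-based
    # keyless signing or provenance attestation; re-add it only together with
    # the step (cosign / attest-build-provenance) that needs it.
    permissions:
      contents: read
      packages: write
    services:
      # Loopback registry that receives the freshly built image so it can be
      # scanned before anything is published.
      registry:
        image: registry:2
        ports:
          - "5000:5000"
    steps:
      # Checkout the repository code.  No step in this job pushes to git, so
      # the GITHUB_TOKEN is not persisted into .git/config.
      - name: SETUP - Checkout
        id: checkout_code
        # TODO(review): pin to a commit SHA like the docker/* actions below.
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Install buildx for multi-platform builds
      - name: SETUP - Docker Buildx
        id: install_buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
        with:
          # host networking so buildx can reach the localhost:5000 service
          driver-opts: network=host

      # Sanity check: the registry service accepts pushes.
      # (The step id is historical; there is no kind/k8s cluster in this job.)
      - name: SANITY CHECK - Registry are running
        id: validate_kind_install
        run: |
          # busybox:latest is unpinned; it is only a push probe and is never
          # shipped, so a mutable tag is acceptable here.
          docker pull busybox
          docker tag busybox "${REGISTRY_LOCAL_ADDR}/localbusybox"
          docker push "${REGISTRY_LOCAL_ADDR}/localbusybox"

      # Lower-case the image name so it is a valid OCI reference
      # (github.repository may contain upper-case characters).
      - name: INPUT PREP - image name formatting
        id: image_name
        run: |
          # Job-level env is already exported into the shell, so the value is
          # read from the environment instead of being interpolated into the
          # script with ${{ }}.
          echo "IMAGE_NAME=${IMAGE_NAME,,}" >> "${GITHUB_ENV}"

      # Extract metadata (tags, labels) for the docker image build
      - name: INPUT PREP - Extract Docker metadata from git repository
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        env:
          VALIDATOR_IMAGE_DESCRIPTION: "CloudZero Agent Validator"
        with:
          # ONLY use the local registry address for the image until it is tested
          images: ${{ env.REGISTRY_LOCAL_ADDR }}/${{ env.IMAGE_NAME }}
          # Tag generation rules:
          # 1. branch name (used for develop or main)
          # 2. PR number (used for PRs)
          # 3. version to match the semver pattern for the chart
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
          labels: |
            maintainer=CloudZero
            org.opencontainers.image.description=${{ env.VALIDATOR_IMAGE_DESCRIPTION }}
            org.opencontainers.image.vendor=CloudZero
            image.name=${{ env.REGISTRY_PROD_ADDR }}/${{ env.IMAGE_NAME }}
          # https://github.com/docker/metadata-action?tab=readme-ov-file#latest-tag
          # `latest` is never emitted by the metadata action; it is applied
          # explicitly by the publish step for plain X.Y.Z versions only.
          flavor: |
            latest=false

      # Build-time values passed to the Dockerfile as build-args
      - name: INPUT PREP - Set build time revision
        run: |
          REVISION=$(git rev-parse --short HEAD)
          # PR builds use the source branch name; otherwise the pushed ref.
          # NOTE(review): only the refs/heads/ prefix is stripped, so for a tag
          # push TAG is "refs/tags/<tag>" -- confirm the Dockerfile expects
          # that (GITHUB_REF_NAME would give the short name for both cases).
          TAG="${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
          BUILD_TIME=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
          {
            echo "REVISION=${REVISION}"
            echo "TAG=${TAG}"
            echo "BUILD_TIME=${BUILD_TIME}"
          } >> "${GITHUB_ENV}"

      # Build and push -- the tags from the `meta` step all point at the
      # loopback registry, so `push: true` never touches ghcr.io here.
      - name: TEST - Build image
        id: build_image
        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
        env:
          PLATFORMS: "linux/amd64,linux/arm64"
          VALIDATOR_DOCKERFILE: docker/Dockerfile
          VALIDATOR_CONTEXT: .
        with:
          push: true
          context: ${{ env.VALIDATOR_CONTEXT }}
          file: ${{ env.VALIDATOR_DOCKERFILE }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: ${{ env.PLATFORMS }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            BUILD_TIME=${{ env.BUILD_TIME }}
            REVISION=${{ env.REVISION }}
            TAG=${{ env.TAG }}

      # Security gate 1: Grype.  fail-build stops the job, so the production
      # steps below never run for an image with a finding at or above HIGH.
      # NOTE(review): Trivy below ignores unfixed findings (ignore-unfixed)
      # but Grype has no `only-fixed` set, so an unfixed HIGH fails here and
      # not there -- align the two if that asymmetry is not intended.
      - name: SECURITY - Grype Docker Image Scan
        # TODO(review): pin to a commit SHA; a floating major tag can be
        # moved to any commit by the upstream maintainers.
        uses: anchore/scan-action@v6
        with:
          image: ${{ env.REGISTRY_LOCAL_ADDR }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
          fail-build: true
          severity-cutoff: high

      # Security gate 2: Trivy, OS packages and application libraries.
      - name: SECURITY - Trivy Docker Image Scan
        # TODO(review): pin to a commit SHA (release tags are mutable).
        uses: aquasecurity/trivy-action@0.29.0
        with:
          image-ref: ${{ env.REGISTRY_LOCAL_ADDR }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

      ###########################################################################
      # PRODUCTION ONLY STEPS BEYOND THIS POINT
      #
      # Gate: release events, pushes to develop/main, or v* tags.  On
      # pull_request events github.ref is refs/pull/<n>/merge, so PR builds
      # (including those from forks) never reach these steps.
      #
      # install regctl for registry management operations
      - name: PRODUCTION STEP - Install Regctl for registry management
        if: github.event_name == 'release' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
        id: install_regctl
        # TODO(review): pin to a commit SHA; this third-party action runs on
        # the path that holds a packages:write token.
        uses: iarekylew00t/regctl-installer@v3

      # Login to the production docker registry.
      - name: PRODUCTION STEP - login to container registry
        if: github.event_name == 'release' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
        id: prod_registry_login
        env:
          # Passed through the environment rather than interpolated into the
          # script text, so the token is never part of the command line.
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "${REGISTRY_TOKEN}" | \
            regctl registry login "${REGISTRY_PROD_ADDR}" \
              --user "${REGISTRY_USER}" \
              --pass-stdin

      # Copy the image from the local registry
      # to the production registry (retagging at the same time)
      # only allow on main, develop branches, or a version tag
      - name: PRODUCTION STEP - Publish Image to Production
        if: github.event_name == 'release' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
        id: prod_publish_image
        env:
          # Step output passed via env so it is never expanded into shell text.
          IMAGE_VERSION: ${{ steps.meta.outputs.version }}
        run: |
          # TLS is disabled only for the loopback service registry.
          regctl registry set --tls=disabled "${REGISTRY_LOCAL_ADDR}"
          regctl image copy \
            "${REGISTRY_LOCAL_ADDR}/${IMAGE_NAME}:${IMAGE_VERSION}" \
            "${REGISTRY_PROD_ADDR}/${IMAGE_NAME}:${IMAGE_VERSION}"
          # Only a plain X.Y.Z version (no pre-release suffix) moves `latest`.
          if [[ "${IMAGE_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            regctl image copy \
              "${REGISTRY_LOCAL_ADDR}/${IMAGE_NAME}:${IMAGE_VERSION}" \
              "${REGISTRY_PROD_ADDR}/${IMAGE_NAME}:latest"
          fi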