-
Notifications
You must be signed in to change notification settings - Fork 0
279 lines (256 loc) · 10.2 KB
/
docker-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
# A common workflow for building, testing and publishing docker images in the samply organization (see https://github.com/samply).
# Upon completion of this workflow, following actions will be taken:
# 1) Build the docker image using a Dockerfile in the source code (default is ./Dockerfile)
# 2) Scan the image for vulnerabilities with trivy (see https://github.com/aquasecurity/trivy)
# 3) Upload the scan results from step 2 to the github security tab of the repository
# 4) Generating appropriate image tags for publishing using the docker/metadata-action. Following Rules are applied:
# 1. Running the action on push to the main branch will trigger tagging image as latest
# 2. Running the action on push to a git branch trigger tagging image as "<branchname>"
# 3. Running the action on push of a git tag matching the semver schema will trigger tagging image with {MAJOR}, {MAJOR}.{MINOR} and {MAJOR}.{MINOR}.{PATCH}
# 4. Running the action on push to a pull request, will trigger tagging for the github container registry with ghcr.io/<repository-name>/<pr-reference>. This will be skipped for private repositories.
# 5. Running the action on a scheduled basis will trigger tagging images with "nightly".
# 5) Rebuild the image for all necessary platforms an publish it based on the applied tags from 4.
#
# An usage example for this action is provided in the samply organization: https://github.com/samply/.github/blob/main/workflow-templates/docker-ci-template.yml
name: Build, Test and Deploy Docker Image
on:
workflow_call:
inputs:
# The Docker Hub Repository you want eventually push to, e.g samply/share-client
image-name:
required: true
type: string
# Define special prefixes for docker tags
image-tag-prefix:
required: false
type: string
# Define special suffixes for docker tags
image-tag-suffix:
required: false
type: string
# Define the build context of your image, typically default '.' will be enough
build-context:
required: false
type: string
default: '.'
# Define the Dockerfile of your image, typically default './Dockerfile' will be enough
build-file:
required: false
type: string
default: './Dockerfile'
build-platforms:
required: false
type: string
default: "linux/amd64,linux/arm64/v8"
build-platforms-short:
required: false
type: string
# A list of build arguments, passed to the docker build
# FIXME: GitHub Actions currently doesn't support list types on inputs. This needs to be parsed by us from string.
build-args:
required: false
type: string
# If your actions generate an artifact in a previous build step, you can tell this worflow to download it.
# '*' will download *ALL* build artifacts into named subdirectories.
artifact-name:
required: false
type: string
default: ''
binary-name:
required: false
type: string
# Set to none, dockerhub, ghcr or both
push-to:
required: true
type: string
secrets:
DOCKERHUB_USERNAME:
required: true
DOCKERHUB_TOKEN:
required: true
jobs:
tidy-ghcr:
name: Tidy GHCR
runs-on: ubuntu-latest
uses: actions/delete-package-versions@v5
with:
package-name: ${{ inputs.image-name }}
package-type: 'container'
min-versions-to-keep: 10
build:
name: Dockerize${{ inputs.binary-name && format(' ({0})', inputs.binary-name) }}${{ inputs.image-tag-suffix && format(' ({0})', inputs.image-tag-suffix) }}
runs-on: ubuntu-latest
steps:
- name: Read vars
env:
ARCHS_LONG: ${{ inputs.build-platforms }}
ARCHS_SHORT: ${{ inputs.build-platforms-short }}
PUSH_TO: ${{ inputs.push-to }}
run: |
RESULT=""
if [ "$ARCHS_SHORT" == "" ]; then
RESULT="$ARCHS_LONG"
else
for ARCH in $(echo "$ARCHS_SHORT" | jq -r '.[]'); do
if [ "$ARCH" == "amd64" ]; then
RESULT="$RESULT,linux/amd64"
fi
if [ "$ARCH" == "arm64" ]; then
RESULT="$RESULT,linux/arm64/v8"
fi
done
fi
GHCR=
DOCKERHUB=
case "$PUSH_TO" in
both)
GHCR=true
DOCKERHUB=true
;;
dockerhub)
DOCKERHUB=true
;;
ghcr)
GHCR=true
;;
none)
;;
*)
echo "Unsupported push target: \"$PUSH_TO\". Please supply none, dockerhub, ghcr or both."
exit 1
esac
echo "Resulting build_platforms is \"$RESULT\""
echo "build_platforms=$RESULT" >> $GITHUB_ENV
echo "dockerhub=$DOCKERHUB" >> $GITHUB_ENV
echo "ghcr=$GHCR" >> $GITHUB_ENV
- name: Analyze repository
run: |
VISIBILITY="$(curl https://api.github.com/repos/${{ github.repository }} | jq -r .visibility)"
if [ "$VISIBILITY" != "public" ]; then
echo "Repository is not public -- will skip security scans and push to github container registry."
echo "security-scan=false" >> $GITHUB_ENV
else
echo "security-scan=true" >> $GITHUB_ENV
fi
- name: Checkout Source Code
uses: actions/checkout@v2
- name: Download specific Build Artifact to artifacts/
if: ${{ inputs.artifact-name != '' && inputs.artifact-name != '*' }}
uses: actions/download-artifact@v3
with:
name: ${{ inputs.artifact-name }}
path: artifacts
- name: Download all Build Artifacts to artifacts/
if: ${{ inputs.artifact-name == '*' }}
uses: actions/download-artifact@v3
with:
path: artifacts
- name: Replace binary name in Dockerfile
if: ${{ inputs.binary-name }}
env:
BUILD_FILE: ${{ inputs.build-file }}
BINARY_NAME: ${{ inputs.binary-name }}
run: |
sed -i "s,/usr/local/bin/samply,/usr/local/bin/${BINARY_NAME},g" ${BUILD_FILE}
- name: ls
run: ls -laR
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Build and Export to Docker
uses: docker/build-push-action@v2
with:
context: ${{ inputs.build-context }}
file: ${{ inputs.build-file }}
build-args: ${{ inputs.build-args }}
# NOTE: Not specifying build platforms here due to conflict with the load option!
load: true
tags: ${{ inputs.image-name }}
- name: Run Trivy Vulnerability Scanner
uses: aquasecurity/trivy-action@master
if: ${{ env.security-scan != 'false' }}
with:
image-ref: ${{ inputs.image-name }}
format: sarif
timeout: '10m0s'
ignore-unfixed: true
output: trivy-results.sarif
- name: Upload Trivy Scan Results to GitHub Security Tab
uses: github/codeql-action/upload-sarif@codeql-bundle-20211208
if: ${{ env.security-scan != 'false' }}
with:
sarif_file: trivy-results.sarif
- name: Define Image Tags for Github Container Registry
id: docker-meta-ghcr
if: env.ghcr
uses: docker/metadata-action@v3
with:
images: |
"ghcr.io/${{ inputs.image-name }}"
tags: |
type=schedule
type=ref,event=branch
type=ref,event=pr,prefix=${{ inputs.image-tag-prefix }},suffix=${{ inputs.image-tag-suffix }}pr-
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha,format=long,prefix=${{ inputs.image-tag-prefix }},suffix=${{ inputs.image-tag-suffix }}sha-
# set latest tag for default branch
type=raw,value=latest,enable={{is_default_branch}}
flavor: |
prefix=${{ inputs.image-tag-prefix }},onlatest=true
suffix=${{ inputs.image-tag-suffix }},onlatest=true
- name: Login to Github Container Registry
if: env.ghcr
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and Push Image to Github Container Registry
if: env.ghcr
uses: docker/build-push-action@v2
with:
context: ${{ inputs.build-context }}
file: ${{ inputs.build-file }}
push: true
platforms: ${{ env.build_platforms }}
build-args: ${{ inputs.build-args }}
labels: ${{ steps.docker-meta-ghcr.outputs.labels }}
tags: ${{ steps.docker-meta-ghcr.outputs.tags }}
- name: Generate Image Tags for Docker Hub
id: docker-meta
uses: docker/metadata-action@v3
if: env.dockerhub
with:
images: |
${{ inputs.image-name }}
tags: |
type=schedule
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
# set latest tag for default branch
type=raw,value=latest,enable={{is_default_branch}}
flavor: |
prefix=${{ inputs.image-tag-prefix }},onlatest=true
suffix=${{ inputs.image-tag-suffix }},onlatest=true
- name: Login to Docker Hub
uses: docker/login-action@v1
if: env.dockerhub
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and Push Image to Docker Hub
uses: docker/build-push-action@v2
if: env.dockerhub
with:
context: ${{ inputs.build-context }}
file: ${{ inputs.build-file }}
push: true
platforms: ${{ env.build_platforms }}
build-args: ${{ inputs.build-args }}
tags: ${{ steps.docker-meta.outputs.tags }}
labels: ${{ steps.docker-meta.outputs.labels }}