-
Notifications
You must be signed in to change notification settings - Fork 1
300 lines (275 loc) · 11.3 KB
/
Copy pathdocker-ci.yml
File metadata and controls
300 lines (275 loc) · 11.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
# A common workflow for building, testing and publishing docker images in the samply organization (see https://github.com/samply).
# Upon completion of this workflow, following actions will be taken:
# 1) Build the docker image using a Dockerfile in the source code (default is ./Dockerfile)
# 2) Scan the image for vulnerabilities with trivy (see https://github.com/aquasecurity/trivy)
# 3) Upload the scan results from step 2 to the github security tab of the repository
# 4) Generating appropriate image tags for publishing using the docker/metadata-action. Following Rules are applied:
# * Running the action on push to a git branch adds the tag "<branchname>"
# * Running the action on push of a semver tag of the form "v<major>.<minor>.<patch>" without specified pre-release adds the tags "<major>" (if not 0), "<major>.<minor>", "<major>.<minor>.<patch>", and "latest"
# * Running the action on push of a semver tag of the form "v<major>.<minor>.<patch>-<prerelease>" adds the tag "<major>.<minor>.<patch>-<prerelease>"
# * Running the action on a scheduled basis adds the same tag as a branch push ("<branchname>")
# * Running the action on pull request pushes only to GHCR (if enabled) with the tag "pr-<pr-number>"
# * When pushing to GHCR (if enabled) always adds the tag "sha-<short-commit-sha>"
# 5) Rebuild the image for all necessary platforms an publish it based on the applied tags from 4.
#
# An usage example for this action is provided in the samply organization: https://github.com/samply/.github/blob/main/workflow-templates/docker-ci-template.yml
name: Build, Test and Deploy Docker Image
on:
workflow_call:
inputs:
# The Docker Hub Repository you want eventually push to, e.g samply/share-client
image-name:
required: true
type: string
# Define special prefixes for docker tags
image-tag-prefix:
required: false
type: string
# Define special suffixes for docker tags
image-tag-suffix:
required: false
type: string
# Define the build context of your image, typically default '.' will be enough
build-context:
required: false
type: string
default: '.'
# Define the Dockerfile of your image, typically default './Dockerfile' will be enough
build-file:
required: false
type: string
default: './Dockerfile'
build-platforms:
required: false
type: string
default: "linux/amd64,linux/arm64/v8"
build-platforms-short:
required: false
type: string
# A list of build arguments, passed to the docker build
# FIXME: GitHub Actions currently doesn't support list types on inputs. This needs to be parsed by us from string.
build-args:
required: false
type: string
# If your actions generate an artifact in a previous build step, you can tell this worflow to download it.
# '*' will download *ALL* build artifacts into named subdirectories.
artifact-name:
required: false
type: string
default: ''
binary-name:
required: false
type: string
# Set to none, docker.io or ghcr.io. By default, will push to dockerhub for branches "main" and "develop" and to ghcr for all other branches.
push-to:
required: false
type: string
default: 'auto'
# delete GHCR images older than ... (default: "6 months"; state "keep" to skip)
ghcr-retention-policy:
required: false
default: '6 months'
type: string
secrets:
DOCKERHUB_USERNAME:
required: true
DOCKERHUB_TOKEN:
required: true
jobs:
tidy-ghcr:
name: Tidy GHCR images (${{ inputs.image-name }})
runs-on: ubuntu-latest
if: ${{ inputs.ghcr-retention-policy != 'keep' }}
permissions:
packages: write
steps:
- name: Compute package name
run: |
IMGNAME="${{ inputs.image-name }}"
echo "pkgname=${IMGNAME/samply\//}" >> $GITHUB_ENV
- name: Delete old images
uses: dataaxiom/ghcr-cleanup-action@v1
with:
packages: ${{ env.pkgname }}
delete-untagged: true
older-than: ${{ inputs.ghcr-retention-policy }}
token: ${{ secrets.GITHUB_TOKEN }}
build:
name: Dockerize${{ inputs.binary-name && format(' ({0})', inputs.binary-name) }}${{ inputs.image-tag-suffix && format(' ({0})', inputs.image-tag-suffix) }}
runs-on: ubuntu-latest
steps:
- name: Read vars
env:
ARCHS_LONG: ${{ inputs.build-platforms }}
ARCHS_SHORT: ${{ inputs.build-platforms-short }}
PUSH_TO: ${{ inputs.push-to }}
run: |
RESULT=""
## Architecture
if [ "$ARCHS_SHORT" == "" ]; then
RESULT="$ARCHS_LONG"
else
for ARCH in $(echo "$ARCHS_SHORT" | jq -r '.[]'); do
if [ "$ARCH" == "amd64" ]; then
RESULT="$RESULT,linux/amd64"
fi
if [ "$ARCH" == "arm64" ]; then
RESULT="$RESULT,linux/arm64/v8"
fi
done
fi
## Registry
if [[ "$PUSH_TO" == "auto" ]]; then
# If this is a tag, push to dockerhub
if [[ "${{ github.ref_type }}" == "tag" ]]; then
PUSH_TO="docker.io"
else
# If this is branch main or develop, push to Docker Hub
case "${{ github.ref_name }}" in
main|develop)
PUSH_TO="docker.io"
;;
*)
# Otherwise push to ghcr
PUSH_TO="ghcr.io"
;;
esac
fi
fi
case "$PUSH_TO" in
docker.io|ghcr.io)
;;
none)
PUSH_TO=""
;;
*)
echo "Unsupported push target: \"$PUSH_TO\". Please supply auto, none, docker.io or ghcr.io"
exit 1
esac
echo "Resulting build_platforms is \"$RESULT\""
echo "build_platforms=$RESULT" >> $GITHUB_ENV
echo "registry=$PUSH_TO" >> $GITHUB_ENV
- name: Analyze repository
run: |
VISIBILITY="$(curl https://api.github.com/repos/${{ github.repository }} | jq -r .visibility)"
if [ "$VISIBILITY" != "public" ]; then
echo "Repository is not public -- will skip security scans."
echo "security-scan=false" >> $GITHUB_ENV
else
echo "security-scan=true" >> $GITHUB_ENV
fi
- name: Checkout Source Code
uses: actions/checkout@v6
- name: Download specific Build Artifact to artifacts/
if: ${{ inputs.artifact-name != '' && inputs.artifact-name != '*' }}
uses: actions/download-artifact@v6
with:
name: ${{ inputs.artifact-name }}
path: artifacts
- name: Download all Build Artifacts to artifacts/
if: ${{ inputs.artifact-name == '*' }}
uses: actions/download-artifact@v6
with:
path: artifacts
# see https://github.com/actions/toolkit/pull/1874
pattern: "!*.dockerbuild"
- name: Replace binary name in Dockerfile
if: ${{ inputs.binary-name }}
env:
BUILD_FILE: ${{ inputs.build-file }}
BINARY_NAME: ${{ inputs.binary-name }}
run: |
sed -i "s,/usr/local/bin/samply,/usr/local/bin/${BINARY_NAME},g" ${BUILD_FILE}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: ${{ env.build_platforms }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
id: setup-buildx
- name: "Docker: Cache (1/2)"
uses: actions/cache@v4
id: cache
with:
path: dockerci-cache
key: dockerci-${{ hashFiles(inputs.build-file) }}-${{ github.run_id }}
restore-keys: |
dockerci-${{ hashFiles(inputs.build-file) }}
- name: "Docker: Cache (2/2)"
uses: reproducible-containers/buildkit-cache-dance@v3
with:
builder: ${{ steps.setup-buildx.outputs.name }}
cache-dir: dockerci-cache
dockerfile: ${{ inputs.build-file }}
- name: Build and Export to Docker
uses: docker/build-push-action@v6
if: ${{ env.security-scan != 'false' }}
with:
# NOTE: Not specifying build platforms here due to conflict with the load option!
context: ${{ inputs.build-context }}
file: ${{ inputs.build-file }}
build-args: ${{ inputs.build-args }}
load: true
tags: ${{ inputs.image-name }}
pull: true
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run Trivy Vulnerability Scanner
uses: aquasecurity/trivy-action@master
if: ${{ env.security-scan != 'false' }}
with:
image-ref: ${{ inputs.image-name }}
format: sarif
timeout: '10m0s'
ignore-unfixed: true
output: trivy-results.sarif
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
- name: Upload Trivy Scan Results to GitHub Security Tab
uses: github/codeql-action/upload-sarif@v4
if: ${{ env.security-scan != 'false' && github.actor != 'dependabot[bot]' }}
with:
sarif_file: trivy-results.sarif
- name: "Docker: Generate Image Tags"
id: docker-meta
if: env.registry
uses: docker/metadata-action@v5
with:
images: |
"${{ env.registry }}/${{ inputs.image-name }}"
tags: |
# Scheduled runs: use the same branch tag as branch pushes
type=raw,value=${{ github.ref_name }},enable=${{ github.event_name == 'schedule' }}
# Branch pushes
type=ref,event=branch
# PRs
type=ref,event=pr,prefix=${{ inputs.image-tag-prefix }}pr-
# Semver tags
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
flavor: |
# The "latest" tag is set according to these rules: https://github.com/docker/metadata-action#latest-tag
prefix=${{ inputs.image-tag-prefix }},onlatest=true
suffix=${{ inputs.image-tag-suffix }},onlatest=true
- name: "Docker: Login to ${{ env.registry }}"
if: env.registry
uses: docker/login-action@v3
with:
registry: ${{ env.registry }}
username: ${{ env.registry == 'ghcr.io' && github.actor || secrets.DOCKERHUB_USERNAME }}
password: ${{ env.registry == 'ghcr.io' && secrets.GITHUB_TOKEN || secrets.DOCKERHUB_TOKEN }}
- name: "Docker: Build and Push to ${{ env.registry }}"
uses: docker/build-push-action@v6
if: env.registry
with:
context: ${{ inputs.build-context }}
file: ${{ inputs.build-file }}
push: ${{ github.actor != 'dependabot[bot]' }}
platforms: ${{ env.build_platforms }}
build-args: ${{ inputs.build-args }}
tags: ${{ steps.docker-meta.outputs.tags }}
labels: ${{ steps.docker-meta.outputs.labels }}
pull: true
cache-from: type=gha
cache-to: type=gha,mode=max