Skip to content

feat: add common workflows #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
smuu wants to merge 1 commit into from
Closed

feat: add common workflows #2

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
156 changes: 156 additions & 0 deletions .github/workflows/reusable_dockerfile_pipeline.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,156 @@
name: Docker Build & Publish

on:
workflow_call:
inputs:
dockerfile:
required: false
type: string
description: "Path to Dockerfile"
default: "Dockerfile"
packageName:
required: false
type: string
description: "You can specify a different package name."
default: "${{ github.repository }}"

env:
REGISTRY: ghcr.io
MAINTAINER: ${{ github.repository_owner }}
DESCRIPTION: "${{ github.repository_owner }} repository ${{ github.repository }}"

jobs:
prepare-env:
runs-on: "ubuntu-latest"
outputs:
output_short_sha: ${{ steps.setting_env.outputs.short_sha }}
output_image_name: ${{ steps.setting_env.outputs.image_name }}
steps:
- name: Checkout
uses: "actions/checkout@v3"

- name: Add vars to ENV
id: setting_env
run: |
echo "SHORT_SHA=`echo ${GITHUB_SHA} | cut -c1-8`" >> $GITHUB_ENV
echo "short_sha=`echo ${GITHUB_SHA} | cut -c1-8`" >> "$GITHUB_OUTPUT"
# yamllint disable
echo "IMAGE_NAME=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
echo "image_name=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
# here we validate if we have specified a different package name in
# the inputs, if so, we change the package to it.
if [[ ${{ inputs.packageName }} != ${{ github.repository}} ]];then
# validate the input package name characters
if [[ ! "${{ inputs.packageName }}" =~ ^[A-Za-z0-9\-]+$ ]]; then
echo "------------------------------------------------------------"
echo "ERROR: Package name not valid! => [ ${{ inputs.packageName }} ]"
echo "ONLY can use: A-Za-z0-9\-"
echo "------------------------------------------------------------"
exit 1
fi
echo "IMAGE_NAME=$(echo ${{ github.repository_owner }}/${{ inputs.packageName }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
echo "image_name=$(echo ${{ github.repository_owner }}/${{ inputs.packageName }} | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
fi
# yamllint enable

docker-security:
needs: prepare-env
runs-on: "ubuntu-latest"
steps:
- name: Checkout
uses: "actions/checkout@v3"

- name: Build and Push
uses: docker/build-push-action@v4
env:
OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }}
OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }}
with:
push: false
platforms: linux/amd64
# we're building the container before the scan, use the short sha tag
# for referring to it later
tags: ${{ env.OUTPUT_IMAGE_NAME }}:${{ env.OUTPUT_SHORT_SHA }}
file: ${{ inputs.dockerfile }}

- name: Run Trivy vulnerability scanner
# source: https://github.com/aquasecurity/trivy-action
# https://github.com/marketplace/actions/aqua-security-trivy
uses: aquasecurity/trivy-action@master
env:
OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }}
OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }}
with:
# here we use the local tag that we've built before
image-ref: '${{ env.OUTPUT_IMAGE_NAME }}:${{ env.OUTPUT_SHORT_SHA }}'
format: 'table'
#exit-code: '1' # uncomment to stop the CI if the scanner fails
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

docker-build:
strategy:
matrix:
platforms: ["linux/amd64", "linux/arm64"]
runs-on: "ubuntu-latest"
# wait until the jobs are finished.
needs: ["prepare-env", "docker-security"]
permissions:
contents: write
packages: write

steps:
- name: Checkout
uses: "actions/checkout@v3"

- name: Login to GHCR
uses: docker/login-action@v2
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract Docker Metadata
id: meta
uses: docker/metadata-action@v4
env:
OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }}
OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }}
with:
images: ${{ env.REGISTRY }}/${{ env.OUTPUT_IMAGE_NAME }}
# yamllint disable
labels: |
maintainer=${{ env.MAINTAINER }}
commitUrl=https://github.com/${{ github.repository }}/commit/${{ github.sha }}
dockerPull=docker pull ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.OUTPUT_SHORT_SHA }}
org.opencontainers.image.description=${{ env.DESCRIPTION }}
tags: |
# output minimal (short sha)
type=raw,value={{sha}}
# output v0.2.1/v*-*
type=semver,pattern={{raw}}
# pull request event
type=ref,enable=true,prefix=pr-,suffix=,event=pr
# yamllint enable

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

# We always build the image but we only push if we are on the `main`,
# `master` branch or a versioned `v*` branch
- name: Build and PushDocker Image
uses: docker/build-push-action@v4
env:
OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }}
OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }}
with:
platforms: ${{ matrix.platforms }}
# yamllint disable
# The following line, is execute as an if statement, only push when
# the branch is main, master or starts with v*
push: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v') }}
# yamllint enable
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
file: ${{ inputs.dockerfile }}