Skip to content

Commit

Permalink
Added reusable workflow for build and push
Browse files Browse the repository at this point in the history
  • Loading branch information
@simao-silva
simao-silva committed Jan 14, 2024
1 parent 37143d3 commit 43113a6
Show file tree
Hide file tree
Showing 3 changed files with 137 additions and 186 deletions.
98 changes: 6 additions & 92 deletions .github/workflows/docker-build-alpine.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,104 +2,18 @@ name: build and push image (Alpine version)

on:
push:
branches:
- "master"
# branches:
# - "master"
paths:
- Dockerfile
- .github/workflows/docker-build-alpine.yml
- renew*.py
- requirements.txt

env:
IMAGE_NAME: "simaofsilva/noip-renewer"
PIP_VERSION: "23.3.2" # renovate: datasource=pypi depName=pip versioning=pep440

jobs:
build-alpine:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]

- name: Get commit short hash
id: short_digest
run: echo "shortsha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

- name: Set up QEMU
uses: docker/[email protected]

- name: Set up Docker Buildx
uses: docker/[email protected]

- name: Build image for tests
uses: docker/[email protected]
with:
context: .
platforms: linux/amd64
load: true
tags: ${{ env.IMAGE_NAME }}:test-alpine
file: Dockerfile
build-args: |
PIP_VERSION=${{ env.PIP_VERSION }}
- name: Set up Trivy
run: |
docker run --rm aquasec/trivy --version
docker volume create trivy-db
docker run --rm -v trivy-db:/root/.cache/ aquasec/trivy image --download-db-only
- name: Run Trivy vulnerability scanner
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v ./scan-results:/scan-results \
-v trivy-db:/root/.cache/ \
aquasec/trivy image \
--exit-code 1 \
--ignore-unfixed \
--vuln-type os,library \
--severity MEDIUM,CRITICAL,HIGH \
--format sarif \
--output /scan-results/trivy-alpine-image-scan.sarif \
--skip-files /usr/lib/librav1e.so.0.6.6 \
${{ env.IMAGE_NAME }}:test-alpine
- name: Upload Trivy scan results to GitHub Security
uses: github/codeql-action/[email protected]
if: always()
with:
# Path to SARIF file relative to the root of the repository
sarif_file: scan-results/trivy-alpine-image-scan.sarif
# Optional category for the results
# Used to differentiate multiple results for one commit
category: alpine-image-scan

- name: Login to DockerHub
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build and push for Docker Hub
id: docker_build
uses: docker/[email protected]
with:
context: .
platforms: linux/amd64,linux/arm64/v8
push: true
tags: |
${{ env.IMAGE_NAME }}:${{ steps.short_digest.outputs.shortsha }}-alpine
${{ env.IMAGE_NAME }}:alpine
${{ env.IMAGE_NAME }}:latest
file: Dockerfile
build-args: |
PIP_VERSION=${{ env.PIP_VERSION }}
validate-Dockerfile:
uses: ./.github/workflows/hadolint.yml
uses: ./.github/workflows/docker-build-and-push.yml
with:
filename: Dockerfile
variant: alpine
dockerfile: Dockerfile
platforms: linux/amd64,linux/arm64/v8
100 changes: 6 additions & 94 deletions .github/workflows/docker-build-debian.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,106 +2,18 @@ name: build and push image (Debian version)

on:
push:
branches:
- "master"
# branches:
# - "master"
paths:
- Dockerfile.debian
- .github/workflows/docker-build-debian.yml
- renew*.py
- requirements.txt

env:
IMAGE_NAME: "simaofsilva/noip-renewer"
PIP_VERSION: "23.3.2" # renovate: datasource=pypi depName=pip versioning=pep440
GECKODRIVER_VERSION: "v0.34.0" # renovate: datasource=github-tags depName=mozilla/geckodriver

jobs:
build-debian:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]

- name: Get commit short hash
id: short_digest
run: echo "shortsha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

- name: Set up QEMU
uses: docker/[email protected]

- name: Set up Docker Buildx
uses: docker/[email protected]

- name: Build image for tests
uses: docker/[email protected]
with:
context: .
platforms: linux/amd64
load: true
tags: ${{ env.IMAGE_NAME }}:test-debian
file: Dockerfile.debian
build-args: |
PIP_VERSION=${{ env.PIP_VERSION }}
GECKODRIVER_VERSION=${{ env.GECKODRIVER_VERSION }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.IMAGE_NAME }}:test-debian
format: "sarif"
output: "trivy-debian-image-scan.sarif"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "MEDIUM,CRITICAL,HIGH"

- name: Upload Trivy scan results to GitHub Security
uses: github/codeql-action/[email protected]
if: always()
with:
# Path to SARIF file relative to the root of the repository
sarif_file: trivy-debian-image-scan.sarif
# Optional category for the results
# Used to differentiate multiple results for one commit
category: debian-image-scan

- name: Login to DockerHub
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build for ARM v7 (caching)
uses: docker/[email protected]
with:
context: .
platforms: linux/arm/v7
load: true
tags: ${{ env.IMAGE_NAME }}:${{ steps.short_digest.outputs.shortsha }}-armv7
file: Dockerfile.debian
build-args: |
PIP_VERSION=${{ env.PIP_VERSION }}
GECKODRIVER_VERSION=${{ env.GECKODRIVER_VERSION }}
- name: Build and push all to Docker Hub
uses: docker/[email protected]
with:
context: .
platforms: linux/arm/v7,linux/amd64,linux/arm64/v8
push: true
tags: |
${{ env.IMAGE_NAME }}:${{ steps.short_digest.outputs.shortsha }}-debian
${{ env.IMAGE_NAME }}:debian
file: Dockerfile.debian
build-args: |
PIP_VERSION=${{ env.PIP_VERSION }}
GECKODRIVER_VERSION=${{ env.GECKODRIVER_VERSION }}
validate-Dockerfile:
uses: ./.github/workflows/hadolint.yml
uses: ./.github/workflows/docker-build-and-push.yml
with:
filename: Dockerfile.debian
variant: debian
dockerfile: Dockerfile.debian
platforms: linux/arm/v7,linux/amd64,linux/arm64/v8
125 changes: 125 additions & 0 deletions .github/workflows/docker-build-push.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,125 @@
name: build and push image

on:
workflow_call:
secrets:
DOCKERHUB_USERNAME:
required: true
DOCKERHUB_TOKEN:
required: true
inputs:
variant:
required: true
type: string
dockerfile:
required: true
type: string
platforms:
required: true
type: string

env:
IMAGE_NAME: "simaofsilva/noip-renewer"

jobs:
build-and-push:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]

- name: Set up QEMU
uses: docker/[email protected]

- name: Set up Docker Buildx
uses: docker/[email protected]

- name: Get commit short hash
id: short_digest
run: echo "shortsha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

- name: Build image for tests
uses: docker/[email protected]
with:
context: .
platforms: linux/amd64
load: true
tags: ${{ env.IMAGE_NAME }}:test-${{ inputs.variant }}
file: ${{ inputs.dockerfile }}

- name: Set up Trivy
run: |
docker run --rm aquasec/trivy --version
docker volume create trivy-db
docker run --rm -v trivy-db:/root/.cache/ aquasec/trivy image --download-db-only
- name: Run Trivy vulnerability scanner
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v ./scan-results:/scan-results \
-v trivy-db:/root/.cache/ \
aquasec/trivy image \
--exit-code 1 \
--ignore-unfixed \
--vuln-type os,library \
--severity MEDIUM,CRITICAL,HIGH \
--format sarif \
--output /scan-results/trivy-${{ inputs.variant }}-image-scan.sarif \
--skip-files /usr/lib/librav1e.so.0.6.6 \
${{ env.IMAGE_NAME }}:test-${{ inputs.variant }}
- name: Upload Trivy scan results to GitHub Security
uses: github/codeql-action/[email protected]
if: always()
with:
# Path to SARIF file relative to the root of the repository
sarif_file: scan-results/trivy-${{ inputs.variant }}-image-scan.sarif
# Optional category for the results
# Used to differentiate multiple results for one commit
category: ${{ inputs.variant }}-image-scan

- name: Login to DockerHub
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build for ARM v7 (caching)
if: contains(inputs.platforms, 'linux/arm/v7')
uses: docker/[email protected]
with:
context: .
platforms: linux/arm/v7
load: true
tags: ${{ env.IMAGE_NAME }}:${{ steps.short_digest.outputs.shortsha }}-armv7
file: ${{ inputs.dockerfile }}

- name: Build and push for Docker Hub
uses: docker/[email protected]
with:
context: .
platforms: ${{ inputs.platforms }}
push: true
tags: |
${{ env.IMAGE_NAME }}:${{ steps.short_digest.outputs.shortsha }}-${{ inputs.variant }}
${{ env.IMAGE_NAME }}:${{ inputs.variant }}
file: ${{ inputs.dockerfile }}

- name: Set latest tag
if: inputs.variant == 'alpine'
uses: Noelware/[email protected]
with:
ammend: true
push: true
inputs: ${{ env.IMAGE_NAME }}:latest
images: ${{ env.IMAGE_NAME }}:${{ steps.short_digest.outputs.shortsha }}-${{ inputs.variant }},${{ env.IMAGE_NAME }}:${{ inputs.variant }}

validate-Dockerfile:
uses: ./.github/workflows/hadolint.yml
with:
dockerfile: ${{ inputs.dockerfile }}

0 comments on commit 43113a6

Please sign in to comment.