diff --git a/.github/workflows/docker-build-alpine.yml b/.github/workflows/docker-build-alpine.yml index ffa64ac9..8e57dd23 100644 --- a/.github/workflows/docker-build-alpine.yml +++ b/.github/workflows/docker-build-alpine.yml 
@@ -2,104 +2,18 @@ name: build and push image (Alpine version) on: push: - branches: - - "master" + # branches: + # - "master" paths: - Dockerfile - .github/workflows/docker-build-alpine.yml - renew*.py - requirements.txt -env: - IMAGE_NAME: "simaofsilva/noip-renewer" - PIP_VERSION: "23.3.2" # renovate: datasource=pypi depName=pip versioning=pep440 - jobs: build-alpine: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4.1.1 - - - name: Get commit short hash - id: short_digest - run: echo "shortsha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3.0.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3.0.0 - - - name: Build image for tests - uses: docker/build-push-action@v5.1.0 - with: - context: . 
- platforms: linux/amd64 - load: true - tags: ${{ env.IMAGE_NAME }}:test-alpine - file: Dockerfile - build-args: | - PIP_VERSION=${{ env.PIP_VERSION }} - - - name: Set up Trivy - run: | - docker run --rm aquasec/trivy --version - docker volume create trivy-db - docker run --rm -v trivy-db:/root/.cache/ aquasec/trivy image --download-db-only - - - name: Run Trivy vulnerability scanner - run: | - docker run --rm \ - -v /var/run/docker.sock:/var/run/docker.sock:ro \ - -v ./scan-results:/scan-results \ - -v trivy-db:/root/.cache/ \ - aquasec/trivy image \ - --exit-code 1 \ - --ignore-unfixed \ - --vuln-type os,library \ - --severity MEDIUM,CRITICAL,HIGH \ - --format sarif \ - --output /scan-results/trivy-alpine-image-scan.sarif \ - --skip-files /usr/lib/librav1e.so.0.6.6 \ - ${{ env.IMAGE_NAME }}:test-alpine - - - name: Upload Trivy scan results to GitHub Security - uses: github/codeql-action/upload-sarif@v3.23.0 - if: always() - with: - # Path to SARIF file relative to the root of the repository - sarif_file: scan-results/trivy-alpine-image-scan.sarif - # Optional category for the results - # Used to differentiate multiple results for one commit - category: alpine-image-scan - - - name: Login to DockerHub - uses: docker/login-action@v3.0.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Build and push for Docker Hub - id: docker_build - uses: docker/build-push-action@v5.1.0 - with: - context: . - platforms: linux/amd64,linux/arm64/v8 - push: true - tags: | - ${{ env.IMAGE_NAME }}:${{ steps.short_digest.outputs.shortsha }}-alpine - ${{ env.IMAGE_NAME }}:alpine - ${{ env.IMAGE_NAME }}:latest - file: Dockerfile - build-args: | - PIP_VERSION=${{ env.PIP_VERSION }} - - validate-Dockerfile: - uses: ./.github/workflows/hadolint.yml + uses: ./.github/workflows/docker-build-and-push.yml with: - filename: Dockerfile + variant: alpine + dockerfile: Dockerfile + platforms: linux/amd64,linux/arm64/v8 
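Review bot: The caller now uses `./.github/workflows/docker-build-and-push.yml`, but the reusable workflow this commit adds is `.github/workflows/docker-build-push.yml`, so the call will not resolve; change it to `uses: ./.github/workflows/docker-build-push.yml`. The called workflow declares `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` as required secrets and nothing is passed from here, so add `secrets: inherit` (or pass both explicitly) alongside `with:`. Commenting out `branches: - "master"` means a push to any branch that touches the listed paths now builds and publishes the `alpine` and `latest` tags to Docker Hub; if publishing from non-master branches is intended it deserves a comment saying so, otherwise restore the branch filter.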
diff --git a/.github/workflows/docker-build-debian.yml b/.github/workflows/docker-build-debian.yml index e6b13158..c55e92df 100644 --- a/.github/workflows/docker-build-debian.yml +++ b/.github/workflows/docker-build-debian.yml 
@@ -2,106 +2,18 @@ name: build and push image (Debian version) on: push: - branches: - - "master" + # branches: + # - "master" paths: - Dockerfile.debian - .github/workflows/docker-build-debian.yml - renew*.py - requirements.txt -env: - IMAGE_NAME: "simaofsilva/noip-renewer" - PIP_VERSION: "23.3.2" # renovate: datasource=pypi depName=pip versioning=pep440 - GECKODRIVER_VERSION: "v0.34.0" # renovate: datasource=github-tags depName=mozilla/geckodriver - jobs: build-debian: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4.1.1 - - - name: Get commit short hash - id: short_digest - run: echo "shortsha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3.0.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3.0.0 - - - name: Build image for tests - uses: docker/build-push-action@v5.1.0 - with: - context: . 
- platforms: linux/amd64 - load: true - tags: ${{ env.IMAGE_NAME }}:test-debian - file: Dockerfile.debian - build-args: | - PIP_VERSION=${{ env.PIP_VERSION }} - GECKODRIVER_VERSION=${{ env.GECKODRIVER_VERSION }} - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.16.1 - with: - image-ref: ${{ env.IMAGE_NAME }}:test-debian - format: "sarif" - output: "trivy-debian-image-scan.sarif" - exit-code: "1" - ignore-unfixed: true - vuln-type: "os,library" - severity: "MEDIUM,CRITICAL,HIGH" - - - name: Upload Trivy scan results to GitHub Security - uses: github/codeql-action/upload-sarif@v3.23.0 - if: always() - with: - # Path to SARIF file relative to the root of the repository - sarif_file: trivy-debian-image-scan.sarif - # Optional category for the results - # Used to differentiate multiple results for one commit - category: debian-image-scan - - - name: Login to DockerHub - uses: docker/login-action@v3.0.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Build for ARM v7 (caching) - uses: docker/build-push-action@v5.1.0 - with: - context: . - platforms: linux/arm/v7 - load: true - tags: ${{ env.IMAGE_NAME }}:${{ steps.short_digest.outputs.shortsha }}-armv7 - file: Dockerfile.debian - build-args: | - PIP_VERSION=${{ env.PIP_VERSION }} - GECKODRIVER_VERSION=${{ env.GECKODRIVER_VERSION }} - - - name: Build and push all to Docker Hub - uses: docker/build-push-action@v5.1.0 - with: - context: . 
- platforms: linux/arm/v7,linux/amd64,linux/arm64/v8 - push: true - tags: | - ${{ env.IMAGE_NAME }}:${{ steps.short_digest.outputs.shortsha }}-debian - ${{ env.IMAGE_NAME }}:debian - file: Dockerfile.debian - build-args: | - PIP_VERSION=${{ env.PIP_VERSION }} - GECKODRIVER_VERSION=${{ env.GECKODRIVER_VERSION }} - - validate-Dockerfile: - uses: ./.github/workflows/hadolint.yml + uses: ./.github/workflows/docker-build-and-push.yml with: - filename: Dockerfile.debian + variant: debian + dockerfile: Dockerfile.debian + platforms: linux/arm/v7,linux/amd64,linux/arm64/v8 diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml new file mode 100644 index 00000000..3c25cbac --- /dev/null +++ b/.github/workflows/docker-build-push.yml 
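Review bot: The removed steps passed the Renovate-managed `PIP_VERSION` and `GECKODRIVER_VERSION` pins as build-args, while the new call passes neither and the reusable workflow it targets exposes no build-args input, so unless Dockerfile.debian's own `ARG` defaults carry the same values the Debian image is now built from whatever the Dockerfile defaults to and the workflow-level pin is lost; consider adding a `build_args` string input to the reusable workflow and passing `GECKODRIVER_VERSION=...` from here. Separately, the Debian scan previously ran `aquasecurity/trivy-action` with no skip list, whereas the shared scanner passes `--skip-files /usr/lib/librav1e.so.0.6.6` for every variant, which suppresses a path that was formerly scanned in this image; scope that skip to the variant that needs it or justify it in a comment. The same wrong reusable-workflow path (`docker-build-and-push.yml` vs the added `docker-build-push.yml`) and missing `secrets:` block noted on the Alpine caller apply to this hunk as well.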
@@ -0,0 +1,125 @@ +name: build and push image + +on: + workflow_call: + secrets: + DOCKERHUB_USERNAME: + required: true + DOCKERHUB_TOKEN: + required: true + inputs: + variant: + required: true + type: string + dockerfile: + required: true + type: string + platforms: + required: true + type: string + +env: + IMAGE_NAME: "simaofsilva/noip-renewer" + +jobs: + build-and-push: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4.1.1 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3.0.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3.0.0 + + - name: Get commit short hash + id: short_digest + run: echo "shortsha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + + - name: Build image for tests + uses: docker/build-push-action@v5.1.0 + with: + context: . 
+ platforms: linux/amd64 + load: true + tags: ${{ env.IMAGE_NAME }}:test-${{ inputs.variant }} + file: ${{ inputs.dockerfile }} + + - name: Set up Trivy + run: | + docker run --rm aquasec/trivy --version + docker volume create trivy-db + docker run --rm -v trivy-db:/root/.cache/ aquasec/trivy image --download-db-only + + - name: Run Trivy vulnerability scanner + run: | + docker run --rm \ + -v /var/run/docker.sock:/var/run/docker.sock:ro \ + -v ./scan-results:/scan-results \ + -v trivy-db:/root/.cache/ \ + aquasec/trivy image \ + --exit-code 1 \ + --ignore-unfixed \ + --vuln-type os,library \ + --severity MEDIUM,CRITICAL,HIGH \ + --format sarif \ + --output /scan-results/trivy-${{ inputs.variant }}-image-scan.sarif \ + --skip-files /usr/lib/librav1e.so.0.6.6 \ + ${{ env.IMAGE_NAME }}:test-${{ inputs.variant }} + + - name: Upload Trivy scan results to GitHub Security + uses: github/codeql-action/upload-sarif@v3.23.0 + if: always() + with: + # Path to SARIF file relative to the root of the repository + sarif_file: scan-results/trivy-${{ inputs.variant }}-image-scan.sarif + # Optional category for the results + # Used to differentiate multiple results for one commit + category: ${{ inputs.variant }}-image-scan + + - name: Login to DockerHub + uses: docker/login-action@v3.0.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build for ARM v7 (caching) + if: contains(inputs.platforms, 'linux/arm/v7') + uses: docker/build-push-action@v5.1.0 + with: + context: . + platforms: linux/arm/v7 + load: true + tags: ${{ env.IMAGE_NAME }}:${{ steps.short_digest.outputs.shortsha }}-armv7 + file: ${{ inputs.dockerfile }} + + - name: Build and push for Docker Hub + uses: docker/build-push-action@v5.1.0 + with: + context: . 
+ platforms: ${{ inputs.platforms }} + push: true + tags: | + ${{ env.IMAGE_NAME }}:${{ steps.short_digest.outputs.shortsha }}-${{ inputs.variant }} + ${{ env.IMAGE_NAME }}:${{ inputs.variant }} + file: ${{ inputs.dockerfile }} + + - name: Set latest tag + if: inputs.variant == 'alpine' + uses: Noelware/docker-manifest-action@0.4.1 + with: + ammend: true + push: true + inputs: ${{ env.IMAGE_NAME }}:latest + images: ${{ env.IMAGE_NAME }}:${{ steps.short_digest.outputs.shortsha }}-${{ inputs.variant }},${{ env.IMAGE_NAME }}:${{ inputs.variant }} + + validate-Dockerfile: + uses: ./.github/workflows/hadolint.yml + with: + dockerfile: ${{ inputs.dockerfile }}
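Review bot: Every third-party action in this new workflow is pinned to a mutable version tag (`actions/checkout@v4.1.1`, `docker/build-push-action@v5.1.0`, `Noelware/docker-manifest-action@0.4.1`) and the scanner is pulled as the floating `aquasec/trivy` image, so the job that holds the Docker Hub publishing token runs whatever those references resolve to at run time; pin each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4.1.1`, and reference `aquasec/trivy` by an explicit tag or digest. The `Set latest tag` step spells its input `ammend: true`; if the action's declared input is `amend`, the misspelled key is ignored with only a warning and the manifest step may not do what is intended, so verify against the action's metadata. The `--skip-files /usr/lib/librav1e.so.0.6.6` exclusion is applied for every value of `inputs.variant`; either gate it on the variant that needs it (`if: inputs.variant == 'alpine'` on a separate step, or an extra input) or record in a comment why the finding is accepted for all images. The `validate-Dockerfile` job passes `dockerfile:` where the old callers passed `filename:`, so confirm that hadolint.yml, which is not in this diff, declares the renamed input.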