-
Notifications
You must be signed in to change notification settings - Fork 0
198 lines (193 loc) · 7 KB
/
docker.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
# Copyright 2024 Zaphiro Technologies
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Docker Build
concurrency:
group: ${{github.repository}}-${{ github.ref_name }}-docker-${{ inputs.image-name || 'default' }}
cancel-in-progress: true
on:
workflow_call:
inputs:
image-name:
required: false
description: Override default image name which is the repo name
type: string
docker-context:
required: false
description: Docker context path
type: string
default: ./
docker-file:
required: false
description: Dockerfile path
type: string
default: .docker/Dockerfile
platforms:
required: false
description: Platform to build for, comma separated
type: string
default: linux/amd64,linux/arm64
vulnerability-scan:
required: false
default: true
type: boolean
description: False to skip vulnerability-scan
go-cache:
required: false
default: false
type: boolean
description: Use go caching mechanism
language-cache:
required: false
type: string
default: ''
description: Use caching mechanism for a given language
# Permissions needed
# permissions:
# contents: read
# packages: write
# pull-requests: read
jobs:
check:
runs-on: ubuntu-latest
if: ${{ github.actor != 'dependabot[bot]' || contains(github.event.pull_request.labels.*.name, 'docker') || github.event_name == 'push' }} # ignore the pull request which comes from user depbot.
steps:
- run: |
echo "docker build is required"
build:
needs: check
runs-on: ubuntu-latest
outputs:
tags: ${{ steps.meta.outputs.tags }}
env:
GH_ACCESS_TOKEN: ${{ secrets.REPO_PRIVATE_READ_PAT }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run pre-build
run: |
if test -f "Makefile"; then
make ci-pre-build
fi
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
# list of Docker images to use as base name for tags
images: ghcr.io/${{github.repository_owner}}/${{ inputs.image-name || github.event.repository.name }}
# generate Docker tags based on the following events/attributes
tags: |
type=edge,branch=main
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
- name: Go Build Cache for Docker
id: cache-go
if: ${{ inputs.go-cache || inputs.language-cache == 'go' }}
uses: actions/cache@v4
with:
path: go-build-cache
key: ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }}
- name: inject go-build-cache into docker
if: ${{ inputs.go-cache || inputs.language-cache == 'go' }}
uses: reproducible-containers/[email protected]
with:
cache-map: |
{
"go-build-cache": "/root/.cache/go-build"
}
skip-extraction: ${{ steps.cache-go.outputs.cache-hit }}
- name: Node Build Cache for Docker
id: cache-node
if: ${{ inputs.language-cache == 'javascript' }}
uses: actions/cache@v4
with:
path: |
node-arm64-cache
node-amd64-cache
key: ${{ runner.os }}-node-build-cache-${{ hashFiles('**/yarn.lock') }}
- name: inject node-build-cache into docker
if: ${{ inputs.language-cache == 'javascript' }}
uses: reproducible-containers/[email protected]
with:
cache-map: |
{
"node-arm64-cache": "/root/.cache/yarn-arm64",
"node-amd64-cache": "/root/.cache/yarn-amd64"
}
skip-extraction: ${{ steps.cache-node.outputs.cache-hit }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v6
with:
context: ${{ inputs.docker-context }}
file: ${{ inputs.docker-file }}
platforms: ${{ inputs.platforms }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
GIT_REV=${{fromJson(steps.meta.outputs.json).labels['org.opencontainers.image.revision']}}
GIT_VERSION=${{fromJson(steps.meta.outputs.json).labels['org.opencontainers.image.version']}}
GIT_URL=${{fromJson(steps.meta.outputs.json).labels['org.opencontainers.image.source']}}
BUILD_DATE=${{fromJson(steps.meta.outputs.json).labels['org.opencontainers.image.created']}}
vulnerability:
if: ${{ inputs.vulnerability-scan}}
runs-on: ubuntu-latest
needs: build
steps:
- name: Extract first tag
id: extract_tag
run: echo "::set-output name=tag::$(echo "${{ needs.build.outputs.tags }}" | head -n1)"
## To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get data
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
- name: Restore trivy cache
uses: actions/cache@v4
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys:
trivy-cache-
- name: Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: image
image-ref: ${{ steps.extract_tag.outputs.tag }}
trivy-config:
scanners: "vuln,secret,misconfig"
exit-code: '1'
severity: MEDIUM,HIGH,CRITICAL
cache-dir: "./cache"
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
## Trivy-db uses `0600` permissions.
## But `action/cache` use `runner` user by default
## So we need to change the permissions before caching the database.
- name: change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db