Build Docker Image #130

Workflow file for this run

.github/workflows/build-image.yml at 722c3b6

	name: Build Docker Image

	on:
	workflow_dispatch:
	push:
	branches:
	- 'trunk'
	pull_request:
	branches:
	- 'trunk'

	concurrency:
	group: docker-${{ github.ref }}
	cancel-in-progress: true

	env:
	SYSDIG_SECURE_ENDPOINT: "https://us2.app.sysdig.com"

	jobs:
	prep:
	runs-on: ubuntu-latest
	outputs:
	taggedImage: ${{ steps.prep.outputs.tagged_image }}
	shortSha: ${{ steps.prep.outputs.short_sha}}
	branchName: ${{ steps.prep.outputs.branch_name }}
	latestTag: ${{ steps.prep.outputs.latest_tag }}
	repositoryName: ${{ steps.prep.outputs.repository_name }}
	registry: ${{ steps.prep.outputs.registry }}
	steps:
	- name: Git branch name
	id: git-branch-name
	uses: EthanSK/git-branch-name-action@v1
	- name: Prepare info
	id: prep
	run: \|
	SHORT_SHA=$(echo $GITHUB_SHA \| head -c7)
	REPO=$(echo '${{ github.repository }}' \| awk -F '/' '{print $2}')
	TAG=${{ env.GIT_BRANCH_NAME }}-$(echo $GITHUB_SHA \| head -c7)
	IMAGE=ideacrew/$REPO
	echo "tagged_image=${IMAGE}:${TAG}" >> $GITHUB_OUTPUT
	echo "short_sha=$SHORT_SHA" >> $GITHUB_OUTPUT
	echo "branch_name=${{ env.GIT_BRANCH_NAME }}" >> $GITHUB_OUTPUT
	echo "repository_name=$REPO" >> $GITHUB_OUTPUT
	echo "latest_tag=${IMAGE}:latest" >> $GITHUB_OUTPUT
	echo "registry=ghcr.io" >> $GITHUB_OUTPUT

	build-and-upload-image:
	needs: [prep]
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v3

	- name: Add git HEAD info to docker image
	run: git show --quiet HEAD > release.txt

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v2
	with:
	install: true

	- name: Cache Docker layers
	uses: actions/cache@v3
	with:
	path: /tmp/.buildx-cache
	# Key is named differently to avoid collision
	key: ${{ runner.os }}-multi-buildx-${{ github.sha }}
	restore-keys: \|
	${{ runner.os }}-multi-buildx

	- name: Login to GHCR
	uses: docker/login-action@v2
	with:
	registry: ${{ needs.prep.outputs.registry }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Build Image
	uses: docker/build-push-action@v3
	with:
	context: .
	builder: ${{ steps.buildx.outputs.name }}
	file: .docker/production/Dockerfile.gha
	# Set the desired build target here
	target: deploy
	# send to public registry if not a pull request
	push: ${{ github.event_name != 'pull_request' }}
	# create local image (for scanning) if it is a pull request
	load: ${{ github.event_name == 'pull_request' }}
	tags: \|
	ghcr.io/${{ needs.prep.outputs.taggedImage }}
	ghcr.io/${{ needs.prep.outputs.latestTag }}
	cache-from: type=local,src=/tmp/.buildx-cache
	# Note the mode=max here
	# More: https://github.com/moby/buildkit#--export-cache-options
	# And: https://github.com/docker/buildx#--cache-tonametypetypekeyvalue
	cache-to: type=local,mode=max,dest=/tmp/.buildx-cache-new

	- name: Setup cache
	uses: actions/cache@v3
	with:
	path: cache
	key: ${{ runner.os }}-cache-${{ hashFiles('/sysdig-cli-scanner', '/latest_version.txt', '/db/main.db.meta.json', '/scanner-cache/inlineScannerCache.db') }}
	restore-keys: ${{ runner.os }}-cache-

	- name: Scan docker image
	if: github.event_name != 'pull_request'
	id: scan
	uses: anchore/scan-action@main
	with:
	image: ghcr.io/${{ needs.prep.outputs.taggedImage }}
	acs-report-enable: true
	fail-build: false
	severity-cutoff: critical

	- name: Download sysdig-cli-scanner if needed and scan the image with sysdig scanner
	env:
	SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
	run: \|
	curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt
	mkdir -p "${GITHUB_WORKSPACE}/cache/db/"
	if [ ! -f "${GITHUB_WORKSPACE}/cache/latest_version.txt" ] \|\| [ "$(cat ./latest_version.txt)" != "$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)" ]; then
	cp ./latest_version.txt "${GITHUB_WORKSPACE}/cache/latest_version.txt"
	curl -sL -o "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner" "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
	chmod +x "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner"
	else
	echo "Latest version of sysdig cli scanner is already downloaded"
	fi
	${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \
	--apiurl "${SYSDIG_SECURE_ENDPOINT}" \
	ghcr.io/${{ needs.prep.outputs.taggedImage }} \
	--console-log \
	--dbpath="${GITHUB_WORKSPACE}/cache/db/" \
	--cachepath="${GITHUB_WORKSPACE}/cache/scanner-cache/"

	- name: Upload anchore scan SARIF report
	if: github.event_name != 'pull_request'
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: ${{ steps.scan.outputs.sarif }}

	- name: Move cache
	run: \|
	rm -rf /tmp/.buildx-cache
	mv /tmp/.buildx-cache-new /tmp/.buildx-cache

	notify-slack:
	if: github.event_name != 'pull_request'
	needs: [prep, build-and-upload-image]
	runs-on: ubuntu-latest
	steps:
	- name: Post to a Slack channel
	id: slack
	uses: slackapi/[email protected]
	with:
	channel-id: "docker-images-${{ needs.prep.outputs.repositoryName }}"
	slack-message: "New image pushed: ghcr.io/${{ needs.prep.outputs.taggedImage }} built from <https://github.com/ideacrew/${{ needs.prep.outputs.repositoryName }}/commit/${{ needs.prep.outputs.shortSha }}\|${{ needs.prep.outputs.shortSha }}> on `${{ needs.prep.outputs.branchName }}`"
	env:
	SLACK_BOT_TOKEN: ${{ secrets.YELLR_BOT_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build Docker Image #130

Workflow file

Build Docker Image #130

Jobs

Run details

Workflow file for this run