Skip to content

Build Docker Image #112

Build Docker Image

Build Docker Image #112

Workflow file for this run

name: Build Docker Image
on:
workflow_dispatch:
push:
branches:
- 'trunk'
pull_request:
branches:
- 'trunk'
concurrency:
group: docker-${{ github.ref }}
cancel-in-progress: true
env:
SYSDIG_SECURE_ENDPOINT: "https://us2.app.sysdig.com"
jobs:
prep:
runs-on: ubuntu-latest
outputs:
taggedImage: ${{ steps.prep.outputs.tagged_image }}
shortSha: ${{ steps.prep.outputs.short_sha}}
branchName: ${{ steps.prep.outputs.branch_name }}
latestTag: ${{ steps.prep.outputs.latest_tag }}
repositoryName: ${{ steps.prep.outputs.repository_name }}
registry: ${{ steps.prep.outputs.registry }}
steps:
- name: Git branch name
id: git-branch-name
uses: EthanSK/git-branch-name-action@v1
- name: Prepare info
id: prep
run: |
SHORT_SHA=$(echo $GITHUB_SHA | head -c7)
REPO=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')
TAG=${{ env.GIT_BRANCH_NAME }}-$(echo $GITHUB_SHA | head -c7)
IMAGE=ideacrew/$REPO
echo "tagged_image=${IMAGE}:${TAG}" >> $GITHUB_OUTPUT
echo "short_sha=$SHORT_SHA" >> $GITHUB_OUTPUT
echo "branch_name=${{ env.GIT_BRANCH_NAME }}" >> $GITHUB_OUTPUT
echo "repository_name=$REPO" >> $GITHUB_OUTPUT
echo "latest_tag=${IMAGE}:latest" >> $GITHUB_OUTPUT
echo "registry=ghcr.io" >> $GITHUB_OUTPUT
build-and-upload-image:
needs: [prep]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Add git HEAD info to docker image
run: git show --quiet HEAD > release.txt
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
install: true
- name: Cache Docker layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
# Key is named differently to avoid collision
key: ${{ runner.os }}-multi-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-multi-buildx
- name: Login to GHCR
uses: docker/login-action@v2
with:
registry: ${{ needs.prep.outputs.registry }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build Image
uses: docker/build-push-action@v3
with:
context: .
builder: ${{ steps.buildx.outputs.name }}
file: .docker/production/Dockerfile.gha
# Set the desired build target here
target: deploy
# send to public registry if not a pull request
push: ${{ github.event_name != 'pull_request' }}
# create local image (for scanning) if it is a pull request
load: ${{ github.event_name == 'pull_request' }}
tags: |
ghcr.io/${{ needs.prep.outputs.taggedImage }}
ghcr.io/${{ needs.prep.outputs.latestTag }}
cache-from: type=local,src=/tmp/.buildx-cache
# Note the mode=max here
# More: https://github.com/moby/buildkit#--export-cache-options
# And: https://github.com/docker/buildx#--cache-tonametypetypekeyvalue
cache-to: type=local,mode=max,dest=/tmp/.buildx-cache-new
- name: Setup cache
uses: actions/cache@v3
with:
path: cache
key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }}
restore-keys: ${{ runner.os }}-cache-
- name: Scan docker image
if: github.event_name != 'pull_request'
id: scan
uses: anchore/scan-action@main
with:
image: ghcr.io/${{ needs.prep.outputs.taggedImage }}
acs-report-enable: true
fail-build: false
severity-cutoff: critical
- name: Download sysdig-cli-scanner if needed and scan the image with sysdig scanner
env:
SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
run: |
curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt
mkdir -p "${GITHUB_WORKSPACE}/cache/db/"
if [ ! -f "${GITHUB_WORKSPACE}/cache/latest_version.txt" ] || [ "$(cat ./latest_version.txt)" != "$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)" ]; then
cp ./latest_version.txt "${GITHUB_WORKSPACE}/cache/latest_version.txt"
curl -sL -o "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner" "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
chmod +x "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner"
else
echo "Latest version of sysdig cli scanner is already downloaded"
fi
${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \
--apiurl "${SYSDIG_SECURE_ENDPOINT}" \
ghcr.io/${{ needs.prep.outputs.taggedImage }} \
--console-log \
--dbpath="${GITHUB_WORKSPACE}/cache/db/" \
--cachepath="${GITHUB_WORKSPACE}/cache/scanner-cache/"
- name: Upload anchore scan SARIF report
if: github.event_name != 'pull_request'
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
notify-slack:
if: github.event_name != 'pull_request'
needs: [prep, build-and-upload-image]
runs-on: ubuntu-latest
steps:
- name: Post to a Slack channel
id: slack
uses: slackapi/[email protected]
with:
channel-id: "docker-images-${{ needs.prep.outputs.repositoryName }}"
slack-message: "New image pushed: ghcr.io/${{ needs.prep.outputs.taggedImage }} built from <https://github.com/ideacrew/${{ needs.prep.outputs.repositoryName }}/commit/${{ needs.prep.outputs.shortSha }}|${{ needs.prep.outputs.shortSha }}> on `${{ needs.prep.outputs.branchName }}`"
env:
SLACK_BOT_TOKEN: ${{ secrets.YELLR_BOT_TOKEN }}