-
Notifications
You must be signed in to change notification settings - Fork 0
159 lines (142 loc) · 6.09 KB
/
build-image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
name: Build Docker Image
on:
workflow_dispatch:
push:
branches:
- 'trunk'
pull_request:
branches:
- 'trunk'
concurrency:
group: docker-${{ github.ref }}
cancel-in-progress: true
env:
SYSDIG_SECURE_ENDPOINT: "https://us2.app.sysdig.com"
jobs:
prep:
runs-on: ubuntu-latest
outputs:
taggedImage: ${{ steps.prep.outputs.tagged_image }}
shortSha: ${{ steps.prep.outputs.short_sha}}
branchName: ${{ steps.prep.outputs.branch_name }}
latestTag: ${{ steps.prep.outputs.latest_tag }}
repositoryName: ${{ steps.prep.outputs.repository_name }}
registry: ${{ steps.prep.outputs.registry }}
steps:
- name: Git branch name
id: git-branch-name
uses: EthanSK/git-branch-name-action@v1
- name: Prepare info
id: prep
run: |
SHORT_SHA=$(echo $GITHUB_SHA | head -c7)
REPO=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')
TAG=${{ env.GIT_BRANCH_NAME }}-$(echo $GITHUB_SHA | head -c7)
IMAGE=ideacrew/$REPO
echo "tagged_image=${IMAGE}:${TAG}" >> $GITHUB_OUTPUT
echo "short_sha=$SHORT_SHA" >> $GITHUB_OUTPUT
echo "branch_name=${{ env.GIT_BRANCH_NAME }}" >> $GITHUB_OUTPUT
echo "repository_name=$REPO" >> $GITHUB_OUTPUT
echo "latest_tag=${IMAGE}:latest" >> $GITHUB_OUTPUT
echo "registry=ghcr.io" >> $GITHUB_OUTPUT
build-and-upload-image:
needs: [prep]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Add git HEAD info to docker image
run: git show --quiet HEAD > release.txt
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
install: true
- name: Cache Docker layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
# Key is named differently to avoid collision
key: ${{ runner.os }}-multi-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-multi-buildx
- name: Login to GHCR
uses: docker/login-action@v2
with:
registry: ${{ needs.prep.outputs.registry }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build Image
uses: docker/build-push-action@v3
with:
context: .
builder: ${{ steps.buildx.outputs.name }}
file: .docker/production/Dockerfile.gha
# Set the desired build target here
target: deploy
# send to public registry if not a pull request
push: ${{ github.event_name != 'pull_request' }}
# create local image (for scanning) if it is a pull request
load: ${{ github.event_name == 'pull_request' }}
tags: |
ghcr.io/${{ needs.prep.outputs.taggedImage }}
ghcr.io/${{ needs.prep.outputs.latestTag }}
cache-from: type=local,src=/tmp/.buildx-cache
# Note the mode=max here
# More: https://github.com/moby/buildkit#--export-cache-options
# And: https://github.com/docker/buildx#--cache-tonametypetypekeyvalue
cache-to: type=local,mode=max,dest=/tmp/.buildx-cache-new
- name: Setup cache
uses: actions/cache@v3
with:
path: cache
key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }}
restore-keys: ${{ runner.os }}-cache-
- name: Scan docker image
if: github.event_name != 'pull_request'
id: scan
uses: anchore/scan-action@main
with:
image: ghcr.io/${{ needs.prep.outputs.taggedImage }}
acs-report-enable: true
fail-build: false
severity-cutoff: critical
- name: Download sysdig-cli-scanner if needed and scan the image with sysdig scanner
env:
SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
run: |
curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt
mkdir -p "${GITHUB_WORKSPACE}/cache/db/"
if [ ! -f "${GITHUB_WORKSPACE}/cache/latest_version.txt" ] || [ "$(cat ./latest_version.txt)" != "$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)" ]; then
cp ./latest_version.txt "${GITHUB_WORKSPACE}/cache/latest_version.txt"
curl -sL -o "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner" "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
chmod +x "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner"
else
echo "Latest version of sysdig cli scanner is already downloaded"
fi
${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \
--apiurl "${SYSDIG_SECURE_ENDPOINT}" \
ghcr.io/${{ needs.prep.outputs.taggedImage }} \
--console-log \
--dbpath="${GITHUB_WORKSPACE}/cache/db/" \
--cachepath="${GITHUB_WORKSPACE}/cache/scanner-cache/"
- name: Upload anchore scan SARIF report
if: github.event_name != 'pull_request'
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
notify-slack:
if: github.event_name != 'pull_request'
needs: [prep, build-and-upload-image]
runs-on: ubuntu-latest
steps:
- name: Post to a Slack channel
id: slack
uses: slackapi/[email protected]
with:
channel-id: "docker-images-${{ needs.prep.outputs.repositoryName }}"
slack-message: "New image pushed: ghcr.io/${{ needs.prep.outputs.taggedImage }} built from <https://github.com/ideacrew/${{ needs.prep.outputs.repositoryName }}/commit/${{ needs.prep.outputs.shortSha }}|${{ needs.prep.outputs.shortSha }}> on `${{ needs.prep.outputs.branchName }}`"
env:
SLACK_BOT_TOKEN: ${{ secrets.YELLR_BOT_TOKEN }}