# Run it locally with act
# 1. Install act: https://github.com/nektos/act/releases
# 2. Create a .secrets file in the root of this repository with the following content:
#    `GITHUB_TOKEN=your_github_token` and `ACT=true`
# Note: to create a token...
# * Log in to your GitHub account and go to your profile settings.
# * In the left sidebar, click on "Developer settings".
# * Select "Personal access tokens" from the menu.
# * Click "Generate new token" (classic or fine-grained) and choose the `public_repo` access scope.
# * Copy the token and use it in the .secrets file
# 3. Trigger the workflow with act:
# `act workflow_dispatch --container-architecture linux/amd64 -P default=catthehacker/ubuntu:act-latest -W .github/workflows/build-push-greenhouse-image.yaml`
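name: Build Greenhouse Dashboard 💚

on:
  workflow_dispatch: {}
  push:
    branches:
      - main
    # A release build is triggered when the package changelog changes on main.
    paths:
      - apps/greenhouse/CHANGELOG.md

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: "juno-app-greenhouse"
  PACKAGE_PATH: "apps/greenhouse"

jobs:
  build-and-push-greenhouse-image:
    name: Build and Push Greenhouse Dashboard Image
    runs-on: [default]
    # Least privilege: the job reads the repo, writes packages and a SARIF report,
    # and requests an OIDC token for keyless signing. Nothing else.
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write
      security-events: write
    # NOTE(review): third-party actions below are pinned to moving major tags; pinning
    # each to a full commit SHA protects the build against a retagged or compromised release.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Read version from package.json
        id: read_version
        working-directory: ${{ env.PACKAGE_PATH }}
        run: |
          # The image version is the package version declared in package.json.
          GREENHOUSE_VERSION=$(jq -r '.version' package.json)
          echo "Greenhouse version is $GREENHOUSE_VERSION"
          echo "IMAGE_VERSION=$GREENHOUSE_VERSION" >> "$GITHUB_OUTPUT"

      - name: Read description from README.md
        id: description
        working-directory: ${{ env.PACKAGE_PATH }}
        run: |
          # The first 512 bytes of the package README become the OCI image description.
          # The path is relative to working-directory (apps/greenhouse), so it must not be
          # prefixed with the package path again. Under the runner's default `-e -o pipefail`
          # shell a missing README now fails the step instead of silently yielding an empty
          # description. Whitespace is collapsed because a KEY=value line written to
          # $GITHUB_OUTPUT can hold only a single line.
          DESCRIPTION=$(head -c 512 README.md | tr -s '[:space:]' ' ')
          echo "DESCRIPTION=$DESCRIPTION" >> "$GITHUB_OUTPUT"

      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Refuse to overwrite a version that is already published.
      - name: Check if image exists ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ steps.read_version.outputs.IMAGE_VERSION }} in registry
        id: check-image
        env:
          # Passed through the environment instead of being interpolated into the script,
          # so the version string read from package.json is never interpreted by the shell.
          IMAGE_VERSION: ${{ steps.read_version.outputs.IMAGE_VERSION }}
          IMAGE_REF: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ steps.read_version.outputs.IMAGE_VERSION }}
        run: |
          # If the image with this tag can be pulled it already exists, and the step exits with status 1.
          if docker pull "$IMAGE_REF"; then
            echo "Image ${IMAGE_NAME}:${IMAGE_VERSION} already exists in the registry"
            exit 1
          fi

      # This action enables you to SIGN and VERIFY container images using cosign
      - name: Install cosign
        # NOTE(review): the action ref is garbled in this copy of the file (it reads
        # `[email protected]`); the expected form is `sigstore/cosign-installer@<tag or SHA>`.
        # Restore it from the upstream workflow.
        uses: sigstore/[email protected]
        with:
          cosign-release: "v2.4.0"

      # Set up BuildKit Docker container builder to be able to build MULTI-platform images and export cache
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver-opts: |
            image=moby/buildkit:latest

      - name: Generate Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
          # value is a template that will be evaluated at runtime
          # this will generate a list of tags like:
          #   ghcr.io/cloudoperators/juno-app-greenhouse:0.2.1
          #   ghcr.io/cloudoperators/juno-app-greenhouse:latest
          # (the `latest` tag comes from the action's default flavor `latest=auto` for semver tags)
          tags: |
            type=semver,pattern={{major}}.{{minor}}.{{patch}},value=${{ steps.read_version.outputs.IMAGE_VERSION }}

      # Debugging step to print the tags
      #- name: print tags
      #  run: |
      #    echo "${{ steps.meta.outputs.tags }}"
      #    exit 1

      # Build and load to Docker
      - name: Build and export to Docker ${{ steps.meta.outputs.tags }}
        id: build-image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ${{ env.PACKAGE_PATH }}/docker/Dockerfile
          load: true # load the image into the docker daemon to make the image available for the next steps in the workflow
          tags: ${{ steps.meta.outputs.tags }}
          # `outputs` is a comma-separated list; this assumes the README head contains no
          # commas or double quotes — TODO confirm, or quote the annotation value.
          outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ steps.description.outputs.DESCRIPTION }}

      # Scan the locally loaded image before anything is pushed. With exit-code "0" the
      # findings are only reported to the Security tab and never block the push; raise the
      # exit code if CRITICAL/HIGH findings should fail the release.
      - name: Run Trivy vulnerability scanner
        # NOTE(review): `master` is a mutable ref; pin to a release tag or commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          # Relies on the `latest` tag produced by the metadata step above.
          image-ref: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:latest
          format: "sarif"
          exit-code: "0"
          ignore-unfixed: true
          severity: "CRITICAL,HIGH"
          output: "trivy-results.sarif"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        # Upload regardless of earlier step outcome; skipped under act, which has no Security tab.
        if: ${{ always() && !env.ACT }}
        with:
          sarif_file: trivy-results.sarif

      - name: Push Docker image
        if: ${{ !env.ACT }}
        env:
          # One tag per line, taken from the environment rather than interpolated into the script.
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          # upload all images to the registry
          printf '%s\n' "$TAGS" | while IFS= read -r tag; do
            [ -n "$tag" ] || continue
            echo "Upload image: $tag"
            docker push "$tag"
          done

      - name: Sign the published Docker image
        if: ${{ !env.ACT }}
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-image.outputs.digest }}
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance.
        # Signing by digest rather than by tag binds the signature to the exact pushed content.
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"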