Merge pull request #565 from Automattic/refactor/build

ci: refactor build workflows
Automattic · Oct 31, 2023 · 14a8adf · 14a8adf
2 parents 60d2e75 + e7f7291
commit 14a8adf
Show file tree

Hide file tree

Showing 11 changed files with 222 additions and 175 deletions.
diff --git a/.github/actions/build-docker-image/action.yml b/.github/actions/build-docker-image/action.yml
@@ -0,0 +1,123 @@
+name: Build Docker image
+description: Builds a Docker image
+inputs:
+  context:
+    description: The directory containing the Dockerfile
+    required: true
+  file:
+    description: The Dockerfile to use
+    required: false
+  platforms:
+    description: The platforms to build for
+    required: false
+    default: linux/amd64,linux/arm64
+  push:
+    description: Whether to push the image to the registry
+    required: true
+  primaryTag:
+    description: The primary tag to use for the image
+    required: true
+  tags:
+    description: The tags to use for the image
+    required: false
+  args:
+    description: List of build-time variables
+    required: false
+  cache-from:
+    description: List of external cache sources for buildx
+    required: false
+  cache-to:
+    description: List of cache export destinations for buildx
+    required: false
+  no-cache:
+    description: Do not use cache when building the image
+    required: false
+    default: 'false'
+  registry:
+    description: The registry to use
+    required: false
+    default: https://ghcr.io
+  username:
+    description: The username to use for the registry
+    required: false
+    default: ${{ github.actor }}
+  password:
+    description: The password to use for the registry
+    required: false
+    default: ${{ github.token }}
+runs:
+  using: composite
+  steps:
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Log in to Docker Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ inputs.username }}
+        password: ${{ inputs.password }}
+      if: ${{ inputs.push }}
+
+    - name: Build and push container image
+      uses: docker/build-push-action@v5
+      with:
+        context: ${{ inputs.context }}
+        file: ${{ inputs.file }}
+        platforms: ${{ inputs.platforms }}
+        push: ${{ inputs.push }}
+        tags: |
+          ${{ inputs.primaryTag }}
+          ${{ inputs.tags }}
+        build-args: ${{ inputs.args }}
+        cache-from: ${{ inputs.cache-from }}
+        cache-to: ${{ inputs.cache-to }}
+        no-cache: ${{ inputs.no-cache }}
+
+    - name: Load image to local Docker
+      uses: docker/build-push-action@v5
+      with:
+        load: true
+        push: false
+        context: ${{ inputs.context }}
+        file: ${{ inputs.file }}
+        tags: |
+          ${{ inputs.primaryTag }}
+          ${{ inputs.tags }}
+        build-args: ${{ inputs.args }}
+
+    - name: Security Scan
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ inputs.primaryTag }}
+        format: template
+        template: "@.github/actions/build-docker-image/markdown.tpl"
+        output: trivy.md
+      if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]'
+
+    - name: Security Scan
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ inputs.primaryTag }}
+        format: table
+      if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name || github.event.sender.login == 'dependabot[bot]'
+
+    - name: Find Trivy Scan Report comment
+      uses: peter-evans/find-comment@v2
+      id: fc
+      with:
+        issue-number: ${{ github.event.pull_request.number }}
+        body-includes: ${{ inputs.primaryTag }}
+      if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]'
+
+    - name: Create or update comment
+      uses: peter-evans/create-or-update-comment@v3
+      with:
+        comment-id: ${{ steps.fc.outputs.comment-id }}
+        issue-number: ${{ github.event.pull_request.number }}
+        body-path: trivy.md
+        edit-mode: replace
+      if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]'
diff --git a/.github/actions/build-docker-image/markdown.tpl b/.github/actions/build-docker-image/markdown.tpl
@@ -0,0 +1,33 @@
+## Trivy Scan Report
+{{- if . }}
+{{- range . }}
+## {{ .Target }}
+### Vulnerabilities
+{{- if (eq (len .Vulnerabilities) 0) }}
+No vulnerabilities found.
+{{- else }}
+| Package | Vulnerability ID | Severity | Installed Version | Fixed Version | Links |
+| ------- | ---------------- | :------: | ----------------- | ------------- | ----- |
+{{- range .Vulnerabilities }}
+| {{ .PkgName }} | {{ .VulnerabilityID }} | {{ .Vulnerability.Severity }} | {{ .InstalledVersion }} | {{ .FixedVersion }} | {{ .PrimaryURL }} |
+{{- end }}
+
+{{- end }} <!-- Vulnerabilities -->
+
+### Misconfigurations
+{{- if (eq (len .Misconfigurations ) 0) }}
+No misconfigurations found.
+{{- else }}
+| Type | Misconfiguration ID | Check | Severity | Message |
+| ---- | ------------------- | ----- | -------- | ------- |
+{{- range .Misconfigurations }}
+| {{ .Type }} | {{ .ID }} | {{ .Title }} | {{ .Severity }} | {{ .Message }}<br>{{ .PrimaryURL }} |
+{{- end }}
+
+{{- end }} <!-- Misconfigurations -->
+
+{{- end }} <!-- Targets -->
+
+{{- else }}
+Trivy Returned Empty Report
+{{- end }}
diff --git a/.github/workflows/alpine.yml b/.github/workflows/alpine.yml
@@ -7,10 +7,12 @@ on:
     paths:
       - "alpine/**"
       - ".github/workflows/alpine.yml"
+      - ".github/actions/build-docker-image/**"
   pull_request:
     paths:
       - "alpine/**"
       - ".github/workflows/alpine.yml"
+      - ".github/actions/build-docker-image/**"
 
 permissions:
   contents: read
@@ -26,35 +28,21 @@ jobs:
     permissions:
       packages: write
       contents: read
+      pull-requests: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to GitHub Docker Registry
-        uses: docker/login-action@v3
-        with:
-          registry: https://ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Get image version
         id: getversion
-        run: echo "version=$(head -n 1 alpine/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> $GITHUB_OUTPUT
+        run: echo "version=$(head -n 1 alpine/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> "${GITHUB_OUTPUT}"
 
-      - name: Build container image
-        uses: docker/build-push-action@v5
+      - name: Build and push image
+        uses: ./.github/actions/build-docker-image
         with:
           context: alpine
-          platforms: linux/amd64,linux/arm64
           push: ${{ github.base_ref == null }}
           cache-from: type=gha,scope=alpine
           cache-to: type=gha,mode=max,scope=alpine
-          tags: |
-            ghcr.io/automattic/vip-container-images/alpine:latest
-            ghcr.io/automattic/vip-container-images/alpine:${{ steps.getversion.outputs.version }}
+          primaryTag: ghcr.io/automattic/vip-container-images/alpine:${{ steps.getversion.outputs.version }}
+          tags: ghcr.io/automattic/vip-container-images/alpine:latest
diff --git a/.github/workflows/dev-tools.yml b/.github/workflows/dev-tools.yml
@@ -7,10 +7,12 @@ on:
     paths:
       - "dev-tools/**"
       - ".github/workflows/dev-tools.yml"
+      - ".github/actions/build-docker-image/**"
   pull_request:
     paths:
       - "dev-tools/**"
       - ".github/workflows/dev-tools.yml"
+      - ".github/actions/build-docker-image/**"
 
 permissions:
   contents: read
@@ -26,31 +28,17 @@ jobs:
     permissions:
       packages: write
       contents: read
+      pull-requests: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to GitHub Docker Registry
-        uses: docker/login-action@v3
-        with:
-          registry: https://ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build container image
-        uses: docker/build-push-action@v5
+      - name: Build and push image
+        uses: ./.github/actions/build-docker-image
         with:
           context: dev-tools
-          platforms: linux/amd64,linux/arm64
           push: ${{ github.base_ref == null }}
           cache-from: type=gha,scope=dev-tools
           cache-to: type=gha,mode=max,scope=dev-tools
-          tags: |
-            ghcr.io/automattic/vip-container-images/dev-tools:latest
-            ghcr.io/automattic/vip-container-images/dev-tools:0.9
+          primaryTag: ghcr.io/automattic/vip-container-images/dev-tools:0.9
+          tags: ghcr.io/automattic/vip-container-images/dev-tools:0.9
diff --git a/.github/workflows/mu-plugins.yml b/.github/workflows/mu-plugins.yml
@@ -7,10 +7,12 @@ on:
     paths:
       - "mu-plugins/**"
       - ".github/workflows/mu-plugins.yml"
+      - ".github/actions/build-docker-image/**"
   pull_request:
     paths:
       - "mu-plugins/**"
       - ".github/workflows/mu-plugins.yml"
+      - ".github/actions/build-docker-image/**"
   workflow_dispatch:
   repository_dispatch:
     types:
@@ -30,30 +32,15 @@ jobs:
     permissions:
       packages: write
       contents: read
+      pull-requests: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to GitHub Docker Registry
-        uses: docker/login-action@v3
-        with:
-          registry: https://ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-        if: github.event_name != 'pull_request'
-
-      - name: Build container image
-        uses: docker/build-push-action@v5
+      - name: Build and push image
+        uses: ./.github/actions/build-docker-image
         with:
           context: mu-plugins
-          platforms: linux/amd64,linux/arm64
           push: ${{ github.base_ref == null }}
-          tags: |
-            ghcr.io/automattic/vip-container-images/mu-plugins:latest
-            ghcr.io/automattic/vip-container-images/mu-plugins:0.1
+          primaryTag: ghcr.io/automattic/vip-container-images/mu-plugins:0.1
+          tags: ghcr.io/automattic/vip-container-images/mu-plugins:latest
diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml
@@ -7,10 +7,12 @@ on:
     paths:
       - "nginx/**"
       - ".github/workflows/nginx.yml"
+      - ".github/actions/build-docker-image/**"
   pull_request:
     paths:
       - "nginx/**"
       - ".github/workflows/nginx.yml"
+      - ".github/actions/build-docker-image/**"
 
 permissions:
   contents: read
@@ -26,35 +28,21 @@ jobs:
     permissions:
       packages: write
       contents: read
+      pull-requests: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to GitHub Docker Registry
-        uses: docker/login-action@v3
-        with:
-          registry: https://ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Get image version
         id: getversion
-        run: echo "version=$(head -n 1 nginx/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> $GITHUB_OUTPUT
+        run: echo "version=$(head -n 1 nginx/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> "${GITHUB_OUTPUT}"
 
-      - name: Build container image
-        uses: docker/build-push-action@v5
+      - name: Build and push image
+        uses: ./.github/actions/build-docker-image
         with:
           context: nginx
-          platforms: linux/amd64,linux/arm64
+          push: ${{ github.base_ref == null }}
           cache-from: type=gha,scope=nginx
           cache-to: type=gha,mode=max,scope=nginx
-          push: ${{ github.base_ref == null }}
-          tags: |
-            ghcr.io/automattic/vip-container-images/nginx:latest
-            ghcr.io/automattic/vip-container-images/nginx:${{ steps.getversion.outputs.version }}
+          primaryTag: ghcr.io/automattic/vip-container-images/nginx:${{ steps.getversion.outputs.version }}
+          tags: ghcr.io/automattic/vip-container-images/nginx:latest