diff --git a/.github/actions/build-docker-image/action.yml b/.github/actions/build-docker-image/action.yml
new file mode 100644
index 00000000..7d8655d3
--- /dev/null
+++ b/.github/actions/build-docker-image/action.yml
@@ -0,0 +1,123 @@
+name: Build Docker image
+description: Builds a Docker image
+inputs:
+ context:
+ description: The directory containing the Dockerfile
+ required: true
+ file:
+ description: The Dockerfile to use
+ required: false
+ platforms:
+ description: The platforms to build for
+ required: false
+ default: linux/amd64,linux/arm64
+ push:
+ description: Whether to push the image to the registry
+ required: true
+ primaryTag:
+ description: The primary tag to use for the image
+ required: true
+ tags:
+ description: The tags to use for the image
+ required: false
+ args:
+ description: List of build-time variables
+ required: false
+ cache-from:
+ description: List of external cache sources for buildx
+ required: false
+ cache-to:
+ description: List of cache export destinations for buildx
+ required: false
+ no-cache:
+ description: Do not use cache when building the image
+ required: false
+ default: 'false'
+ registry:
+ description: The registry to use
+ required: false
+ default: https://ghcr.io
+ username:
+ description: The username to use for the registry
+ required: false
+ default: ${{ github.actor }}
+ password:
+ description: The password to use for the registry
+ required: false
+ default: ${{ github.token }}
+runs:
+ using: composite
+ steps:
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to Docker Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ inputs.registry }}
+ username: ${{ inputs.username }}
+ password: ${{ inputs.password }}
+ if: ${{ inputs.push }}
+
+ - name: Build and push container image
+ uses: docker/build-push-action@v5
+ with:
+ context: ${{ inputs.context }}
+ file: ${{ inputs.file }}
+ platforms: ${{ inputs.platforms }}
+ push: ${{ inputs.push }}
+ tags: |
+ ${{ inputs.primaryTag }}
+ ${{ inputs.tags }}
+ build-args: ${{ inputs.args }}
+ cache-from: ${{ inputs.cache-from }}
+ cache-to: ${{ inputs.cache-to }}
+ no-cache: ${{ inputs.no-cache }}
+
+ - name: Load image to local Docker
+ uses: docker/build-push-action@v5
+ with:
+ load: true
+ push: false
+ context: ${{ inputs.context }}
+ file: ${{ inputs.file }}
+ tags: |
+ ${{ inputs.primaryTag }}
+ ${{ inputs.tags }}
+ build-args: ${{ inputs.args }}
+
+ - name: Security Scan
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ inputs.primaryTag }}
+ format: template
+ template: "@.github/actions/build-docker-image/markdown.tpl"
+ output: trivy.md
+ if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]'
+
+ - name: Security Scan
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ inputs.primaryTag }}
+ format: table
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name || github.event.sender.login == 'dependabot[bot]'
+
+ - name: Find Trivy Scan Report comment
+ uses: peter-evans/find-comment@v2
+ id: fc
+ with:
+ issue-number: ${{ github.event.pull_request.number }}
+ body-includes: ${{ inputs.primaryTag }}
+ if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]'
+
+ - name: Create or update comment
+ uses: peter-evans/create-or-update-comment@v3
+ with:
+ comment-id: ${{ steps.fc.outputs.comment-id }}
+ issue-number: ${{ github.event.pull_request.number }}
+ body-path: trivy.md
+ edit-mode: replace
+ if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]'
diff --git a/.github/actions/build-docker-image/markdown.tpl b/.github/actions/build-docker-image/markdown.tpl
new file mode 100644
index 00000000..b7e1c954
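Review bot: Both "Security Scan" steps use `uses: aquasecurity/trivy-action@master`, a mutable branch reference, while every other action in this file is pinned to a release tag; this composite action also receives `inputs.password` (defaulting to `github.token`) and is invoked from jobs granted `packages: write` and `pull-requests: write`, so the scanner should be pinned too, e.g. `uses: aquasecurity/trivy-action@<release tag or commit SHA>`. The scan runs only after "Build and push container image" has already published the image and sets no `exit-code`, so findings are reported but can never block a push; if the scan is meant as a gate, move the push after it or set `exit-code: '1'` together with a `severity` threshold, otherwise rename the step to make clear it is informational only. Composite-action inputs are strings, so `if: ${{ inputs.push == 'true' }}` on the login step states the intent more clearly than relying on truthiness coercion of the string `'false'`. The same `github.event_name == 'pull_request' && …` expression is repeated on four steps; computing it once into a step output and referencing that would keep the four conditions from drifting apart.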
--- /dev/null
+++ b/.github/actions/build-docker-image/markdown.tpl
@@ -0,0 +1,33 @@
+## Trivy Scan Report
+{{- if . }}
+{{- range . }}
+## {{ .Target }}
+### Vulnerabilities
+{{- if (eq (len .Vulnerabilities) 0) }}
+No vulnerabilities found.
+{{- else }}
+| Package | Vulnerability ID | Severity | Installed Version | Fixed Version | Links |
+| ------- | ---------------- | :------: | ----------------- | ------------- | ----- |
+{{- range .Vulnerabilities }}
+| {{ .PkgName }} | {{ .VulnerabilityID }} | {{ .Vulnerability.Severity }} | {{ .InstalledVersion }} | {{ .FixedVersion }} | {{ .PrimaryURL }} |
+{{- end }}
+
+{{- end }}
+
+### Misconfigurations
+{{- if (eq (len .Misconfigurations ) 0) }}
+No misconfigurations found.
+{{- else }}
+| Type | Misconfiguration ID | Check | Severity | Message |
+| ---- | ------------------- | ----- | -------- | ------- |
+{{- range .Misconfigurations }}
+| {{ .Type }} | {{ .ID }} | {{ .Title }} | {{ .Severity }} | {{ .Message }}
{{ .PrimaryURL }} | +{{- end }} + +{{- end }} + +{{- end }} + +{{- else }} +Trivy Returned Empty Report +{{- end }} diff --git a/.github/workflows/alpine.yml b/.github/workflows/alpine.yml index dc8efc8a..06b3063a 100644 --- a/.github/workflows/alpine.yml +++ b/.github/workflows/alpine.yml @@ -7,10 +7,12 @@ on: paths: - "alpine/**" - ".github/workflows/alpine.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "alpine/**" - ".github/workflows/alpine.yml" + - ".github/actions/build-docker-image/**" permissions: contents: read @@ -26,35 +28,21 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Get image version id: getversion - run: echo "version=$(head -n 1 alpine/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> $GITHUB_OUTPUT + run: echo "version=$(head -n 1 alpine/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> "${GITHUB_OUTPUT}" - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: alpine - platforms: linux/amd64,linux/arm64 push: ${{ github.base_ref == null }} cache-from: type=gha,scope=alpine cache-to: type=gha,mode=max,scope=alpine - tags: | - ghcr.io/automattic/vip-container-images/alpine:latest - ghcr.io/automattic/vip-container-images/alpine:${{ steps.getversion.outputs.version }} + primaryTag: ghcr.io/automattic/vip-container-images/alpine:${{ steps.getversion.outputs.version }} + tags: ghcr.io/automattic/vip-container-images/alpine:latest 
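Review bot: The table rows interpolate `{{ .Title }}` and `{{ .Message }}` verbatim into Markdown table cells, so a `|` or a line break inside those scanner-supplied strings splits the row and corrupts the rendered report in the PR comment; the misconfiguration row additionally folds `{{ .Message }}` and `{{ .PrimaryURL }}` into a single cell with no separator. If Trivy's template function set provides an escape or replace helper it should be applied to these two fields; otherwise a one-line comment at the top of the template stating that finding text is rendered unescaped would set expectations for readers of the comment.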
diff --git a/.github/workflows/dev-tools.yml b/.github/workflows/dev-tools.yml index c63f38be..acf86608 100644 --- a/.github/workflows/dev-tools.yml +++ b/.github/workflows/dev-tools.yml @@ -7,10 +7,12 @@ on: paths: - "dev-tools/**" - ".github/workflows/dev-tools.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "dev-tools/**" - ".github/workflows/dev-tools.yml" + - ".github/actions/build-docker-image/**" permissions: contents: read @@ -26,31 +28,17 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: dev-tools - platforms: linux/amd64,linux/arm64 push: ${{ github.base_ref == null }} cache-from: type=gha,scope=dev-tools cache-to: type=gha,mode=max,scope=dev-tools - tags: | - ghcr.io/automattic/vip-container-images/dev-tools:latest - ghcr.io/automattic/vip-container-images/dev-tools:0.9 + primaryTag: ghcr.io/automattic/vip-container-images/dev-tools:0.9 + tags: ghcr.io/automattic/vip-container-images/dev-tools:0.9 diff --git a/.github/workflows/mu-plugins.yml b/.github/workflows/mu-plugins.yml index 6624aecd..2c42b3c9 100644 --- a/.github/workflows/mu-plugins.yml +++ b/.github/workflows/mu-plugins.yml @@ -7,10 +7,12 @@ on: paths: - "mu-plugins/**" - ".github/workflows/mu-plugins.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "mu-plugins/**" - ".github/workflows/mu-plugins.yml" + - ".github/actions/build-docker-image/**" workflow_dispatch: repository_dispatch: types: 
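Review bot: In the dev-tools job hunk, `primaryTag` and `tags` both name `ghcr.io/automattic/vip-container-images/dev-tools:0.9`, so the image is tagged twice with `0.9` and the `latest` tag that the removed `tags: |` block published is no longer pushed; anything pulling `dev-tools:latest` would keep receiving the previous build. The other workflows in this commit pass the version as `primaryTag` and `latest` as `tags`, so this line should read `tags: ghcr.io/automattic/vip-container-images/dev-tools:latest`.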
@@ -30,30 +32,15 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - if: github.event_name != 'pull_request' - - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: mu-plugins - platforms: linux/amd64,linux/arm64 push: ${{ github.base_ref == null }} - tags: | - ghcr.io/automattic/vip-container-images/mu-plugins:latest - ghcr.io/automattic/vip-container-images/mu-plugins:0.1 + primaryTag: ghcr.io/automattic/vip-container-images/mu-plugins:0.1 + tags: ghcr.io/automattic/vip-container-images/mu-plugins:latest diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index 5c52ea57..8f39053f 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -7,10 +7,12 @@ on: paths: - "nginx/**" - ".github/workflows/nginx.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "nginx/**" - ".github/workflows/nginx.yml" + - ".github/actions/build-docker-image/**" permissions: contents: read 
@@ -26,35 +28,21 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Get image version id: getversion - run: echo "version=$(head -n 1 nginx/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> $GITHUB_OUTPUT + run: echo "version=$(head -n 1 nginx/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> "${GITHUB_OUTPUT}" - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: nginx - platforms: linux/amd64,linux/arm64 + push: ${{ github.base_ref == null }} cache-from: type=gha,scope=nginx cache-to: type=gha,mode=max,scope=nginx - push: ${{ github.base_ref == null }} - tags: | - ghcr.io/automattic/vip-container-images/nginx:latest - ghcr.io/automattic/vip-container-images/nginx:${{ steps.getversion.outputs.version }} + primaryTag: ghcr.io/automattic/vip-container-images/nginx:${{ steps.getversion.outputs.version }} + tags: ghcr.io/automattic/vip-container-images/nginx:latest diff --git a/.github/workflows/photon.yml b/.github/workflows/photon.yml index c99a1709..38a968fd 100644 --- a/.github/workflows/photon.yml +++ b/.github/workflows/photon.yml @@ -7,10 +7,12 @@ on: paths: - "photon/**" - ".github/workflows/photon.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "photon/**" - ".github/workflows/photon.yml" + - ".github/actions/build-docker-image/**" permissions: contents: read 
@@ -26,30 +28,16 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: photon - platforms: linux/amd64,linux/arm64 push: ${{ github.base_ref == null }} cache-from: type=gha,scope=photon cache-to: type=gha,mode=max,scope=photon - tags: | - ghcr.io/automattic/vip-container-images/photon:latest + primaryTag: ghcr.io/automattic/vip-container-images/photon:latest diff --git a/.github/workflows/php-fpm.yml b/.github/workflows/php-fpm.yml index 18805684..8beae6e4 100644 --- a/.github/workflows/php-fpm.yml +++ b/.github/workflows/php-fpm.yml @@ -7,10 +7,12 @@ on: paths: - "php-fpm/**" - ".github/workflows/php-fpm.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "php-fpm/**" - ".github/workflows/php-fpm.yml" + - ".github/actions/build-docker-image/**" permissions: contents: read @@ -26,6 +28,7 @@ jobs: permissions: packages: write contents: read + pull-requests: write strategy: fail-fast: false matrix: 
@@ -44,27 +47,13 @@ jobs: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: php-fpm - platforms: linux/amd64,linux/arm64 file: php-fpm/Dockerfile.${{ matrix.php.suffix }} push: ${{ github.base_ref == null }} - pull: true cache-from: type=gha,scope=php-fpm-${{ matrix.php.suffix }} cache-to: type=gha,mode=max,scope=php-fpm-${{ matrix.php.suffix }} - tags: ghcr.io/automattic/vip-container-images/php-fpm-alt:${{ matrix.php.name }}, ghcr.io/automattic/vip-container-images/php-fpm:${{ matrix.php.name }} + primaryTag: ghcr.io/automattic/vip-container-images/php-fpm:${{ matrix.php.name }} + tags: ghcr.io/automattic/vip-container-images/php-fpm-alt:${{ matrix.php.name }} diff --git a/.github/workflows/skeleton.yml b/.github/workflows/skeleton.yml index 90be73f4..b0477589 100644 --- a/.github/workflows/skeleton.yml +++ b/.github/workflows/skeleton.yml @@ -7,10 +7,12 @@ on: paths: - "skeleton/**" - ".github/workflows/skeleton.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "skeleton/**" - ".github/workflows/skeleton.yml" + - ".github/actions/build-docker-image/**" workflow_dispatch: permissions: 
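Review bot: `pull: true` is dropped from the php-fpm build step, but the composite action introduced in this commit exposes no `pull` input, so the base image referenced by `php-fpm/Dockerfile.${{ matrix.php.suffix }}` is no longer re-pulled on every build; combined with `cache-from: type=gha` the builder may presumably keep building on a stale base until the cache scope changes, which is worth confirming. If the pull was intentional, add a `pull` input to the action (`required: false`, `default: 'false'`) and pass it through as `pull: ${{ inputs.pull }}` on the build-push step; if it was deliberately removed, a short comment on this step saying so would help the next reader.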
@@ -27,28 +29,14 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: skeleton - platforms: linux/amd64,linux/arm64 push: ${{ github.base_ref == null }} - tags: | - ghcr.io/automattic/vip-container-images/skeleton:latest + primaryTag: ghcr.io/automattic/vip-container-images/skeleton:latest diff --git a/.github/workflows/traefik.yml b/.github/workflows/traefik.yml index 177fb450..1efd4f03 100644 --- a/.github/workflows/traefik.yml +++ b/.github/workflows/traefik.yml @@ -7,10 +7,12 @@ on: paths: - "traefik/**" - ".github/workflows/traefik.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "traefik/**" - ".github/workflows/traefik.yml" + - ".github/actions/build-docker-image/**" permissions: contents: read 
@@ -26,35 +28,21 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Get image version id: getversion - run: echo "version=$(head -n 1 traefik/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> $GITHUB_OUTPUT + run: echo "version=$(head -n 1 traefik/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> "${GITHUB_OUTPUT}" - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: traefik - platforms: linux/amd64,linux/arm64 push: ${{ github.base_ref == null }} cache-from: type=gha,scope=traefik cache-to: type=gha,mode=max,scope=traefik - tags: | - ghcr.io/automattic/vip-container-images/traefik_openssl:${{ steps.getversion.outputs.version }} - ghcr.io/automattic/vip-container-images/traefik_openssl:latest + primaryTag: ghcr.io/automattic/vip-container-images/traefik_openssl:${{ steps.getversion.outputs.version }} + tags: ghcr.io/automattic/vip-container-images/traefik_openssl:latest diff --git a/.github/workflows/wordpress.yml b/.github/workflows/wordpress.yml index c329ba61..3e58735c 100644 --- a/.github/workflows/wordpress.yml +++ b/.github/workflows/wordpress.yml @@ -7,10 +7,12 @@ on: paths: - "wordpress/**" - ".github/workflows/wordpress.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "wordpress/**" - ".github/workflows/wordpress.yml" + - ".github/actions/build-docker-image/**" workflow_dispatch: permissions: 
@@ -44,6 +46,7 @@ jobs: permissions: contents: read packages: write + pull-requests: write strategy: fail-fast: false matrix: @@ -61,30 +64,14 @@ jobs: echo "tags=" >> $GITHUB_OUTPUT fi - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - if: ${{ github.base_ref == null }} - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build WordPress image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: - platforms: linux/amd64,linux/arm64 context: wordpress push: ${{ github.base_ref == null }} - build-args: WP_GIT_REF=${{ matrix.wp.ref }} + args: WP_GIT_REF=${{ matrix.wp.ref }} cache-from: type=gha,scope=wordpress-${{ matrix.wp.ref }} cache-to: type=gha,mode=max,scope=wordpress-${{ matrix.wp.ref }} no-cache: ${{ matrix.wp.cacheable == false }} - tags: | - ghcr.io/automattic/vip-container-images/wordpress:${{ matrix.wp.tag }} - ${{ steps.extra-tags.outputs.tags }} + primaryTag: ghcr.io/automattic/vip-container-images/wordpress:${{ matrix.wp.tag }} + tags: ${{ steps.extra-tags.outputs.tags }}
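Review bot: `tags: ${{ steps.extra-tags.outputs.tags }}` can be empty (the `echo "tags=" >> $GITHUB_OUTPUT` branch visible just above writes an empty value), which reaches the action's `tags: |` block as a trailing blank line; docker/build-push-action presumably ignores blank entries, but that should be confirmed with one run of a matrix entry that produces no extra tags. The `>> $GITHUB_OUTPUT` redirections in that step are also left unquoted while the alpine, nginx and traefik hunks in this commit switch to `>> "${GITHUB_OUTPUT}"`; bringing this step in line keeps the workflows consistent. The enclosing step starts outside the hunk.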