ci: refactor build workflows #565

Merged
merged 12 commits into from
Oct 31, 2023
123 changes: 123 additions & 0 deletions .github/actions/build-docker-image/action.yml
@@ -0,0 +1,123 @@
name: Build Docker image
description: Builds a Docker image
inputs:
context:
description: The directory containing the Dockerfile
required: true
file:
description: The Dockerfile to use
required: false
platforms:
description: The platforms to build for
required: false
default: linux/amd64,linux/arm64
push:
description: Whether to push the image to the registry
required: true
primaryTag:
description: The primary tag to use for the image
required: true
tags:
description: The tags to use for the image
required: false
args:
description: List of build-time variables
required: false
cache-from:
description: List of external cache sources for buildx
required: false
cache-to:
description: List of cache export destinations for buildx
required: false
no-cache:
description: Do not use cache when building the image
required: false
default: 'false'
registry:
description: The registry to use
required: false
default: https://ghcr.io
username:
description: The username to use for the registry
required: false
default: ${{ github.actor }}
password:
description: The password to use for the registry
required: false
default: ${{ github.token }}
runs:
using: composite
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Log in to Docker Registry
uses: docker/login-action@v3
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}
password: ${{ inputs.password }}
if: ${{ inputs.push }}

- name: Build and push container image
uses: docker/build-push-action@v5
with:
context: ${{ inputs.context }}
file: ${{ inputs.file }}
platforms: ${{ inputs.platforms }}
push: ${{ inputs.push }}
tags: |
${{ inputs.primaryTag }}
${{ inputs.tags }}
build-args: ${{ inputs.args }}
cache-from: ${{ inputs.cache-from }}
cache-to: ${{ inputs.cache-to }}
no-cache: ${{ inputs.no-cache }}

- name: Load image to local Docker
uses: docker/build-push-action@v5
with:
load: true
push: false
context: ${{ inputs.context }}
file: ${{ inputs.file }}
tags: |
${{ inputs.primaryTag }}
${{ inputs.tags }}
build-args: ${{ inputs.args }}
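Review bot: `if: ${{ inputs.push }}` on the "Log in to Docker Registry" step relies on coercing a composite-action input, which is always a string, into a boolean; `if: ${{ inputs.push == 'true' }}` states the intent explicitly and matches how the same value is handed to `docker/build-push-action` as `push:`. The `push` input's `description` should also say that the caller must pass the literal strings `true`/`false`, since that is what both the login guard and the build step expect.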
Comment on lines +80 to +90
Member Author

@sjinks sjinks Oct 30, 2023


This second scan will not rebuild the image(s); it will load them from the build cache.

We need this step to feed the built image to the local Docker daemon. The previous step pushes the built image(s) to the registry but does not load them into Docker.

It is impossible to feed a multi-platform image to Docker anyway, so we export only the native version (amd64).


- name: Security Scan
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ inputs.primaryTag }}
format: template
template: "@.github/actions/build-docker-image/markdown.tpl"
output: trivy.md
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]'

- name: Security Scan
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ inputs.primaryTag }}
format: table
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name || github.event.sender.login == 'dependabot[bot]'
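Review bot: both "Security Scan" steps use `aquasecurity/trivy-action@master`, a mutable branch reference, while every other action in this file is pinned to a release tag; pin it to a tag or, better, a commit SHA so an upstream change to that branch cannot silently alter what runs in a job that holds a `packages: write` token. Separately, "Build and push container image" pushes before either scan runs and neither scan sets `exit-code`, so findings are reported but never block a push; if gating is wanted, add `exit-code: '1'` with a `severity` filter and run the scan before the push step. The `template: "@.github/actions/build-docker-image/markdown.tpl"` path also resolves against the caller's checkout rather than the action directory; `${{ github.action_path }}` would make the action self-contained.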
Comment on lines +92 to +106
Member Author


We cannot post a comment from a PR coming from a "foreign" repo; Dependabot's pull requests also count as coming from a foreign repo.

So:

  • If this is a PR that comes from our repo and not from Dependabot, we generate a markdown output, which we will post as a comment;
  • Otherwise, if this is not a pull request, a PR from a foreign repo, or Dependabot authors this PR, we print scan results to the action log.


- name: Find Trivy Scan Report comment
uses: peter-evans/find-comment@v2
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
body-includes: ${{ inputs.primaryTag }}
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]'

- name: Create or update comment
uses: peter-evans/create-or-update-comment@v3
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body-path: trivy.md
edit-mode: replace
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]'
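Review bot: the same three-clause same-repo-and-not-Dependabot condition is repeated on four steps ("Security Scan", "Find Trivy Scan Report comment", "Create or update comment"), with the negated form on the second scan; computing it once in an early step that writes `can-comment=true|false` to `$GITHUB_OUTPUT` and referencing `steps.<id>.outputs.can-comment` would keep the four copies from drifting apart when the rule changes. The guard itself is the right one: fork and Dependabot PRs do not get a writable token, so the comment steps would fail there.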
33 changes: 33 additions & 0 deletions .github/actions/build-docker-image/markdown.tpl
@@ -0,0 +1,33 @@
## Trivy Scan Report
{{- if . }}
{{- range . }}
## {{ .Target }}
### Vulnerabilities
{{- if (eq (len .Vulnerabilities) 0) }}
No vulnerabilities found.
{{- else }}
| Package | Vulnerability ID | Severity | Installed Version | Fixed Version | Links |
| ------- | ---------------- | :------: | ----------------- | ------------- | ----- |
{{- range .Vulnerabilities }}
| {{ .PkgName }} | {{ .VulnerabilityID }} | {{ .Vulnerability.Severity }} | {{ .InstalledVersion }} | {{ .FixedVersion }} | {{ .PrimaryURL }} |
{{- end }}

{{- end }} <!-- Vulnerabilities -->

### Misconfigurations
{{- if (eq (len .Misconfigurations ) 0) }}
No misconfigurations found.
{{- else }}
| Type | Misconfiguration ID | Check | Severity | Message |
| ---- | ------------------- | ----- | -------- | ------- |
{{- range .Misconfigurations }}
| {{ .Type }} | {{ .ID }} | {{ .Title }} | {{ .Severity }} | {{ .Message }}<br>{{ .PrimaryURL }} |
{{- end }}

{{- end }} <!-- Misconfigurations -->

{{- end }} <!-- Targets -->

{{- else }}
Trivy Returned Empty Report
{{- end }}
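Review bot: the vulnerability and misconfiguration rows interpolate `.Title` and `.Message` unescaped, so a `|` or a newline inside a Trivy message breaks the Markdown table for that row and every row after it; running those fields through a Sprig `replace` to escape `|` and strip newlines keeps the report readable. The `{{- if . }}` fallback to "Trivy Returned Empty Report" is a good touch, since an empty JSON result would otherwise post a comment with only a heading.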
28 changes: 8 additions & 20 deletions .github/workflows/alpine.yml
Expand Up @@ -7,10 +7,12 @@ on:
paths:
- "alpine/**"
- ".github/workflows/alpine.yml"
- ".github/actions/build-docker-image/**"
pull_request:
paths:
- "alpine/**"
- ".github/workflows/alpine.yml"
- ".github/actions/build-docker-image/**"

permissions:
contents: read
Expand All @@ -26,35 +28,21 @@ jobs:
permissions:
packages: write
contents: read
pull-requests: write
steps:
- name: Check out the repo
uses: actions/checkout@v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Log in to GitHub Docker Registry
uses: docker/login-action@v3
with:
registry: https://ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Get image version
id: getversion
run: echo "version=$(head -n 1 alpine/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> $GITHUB_OUTPUT
run: echo "version=$(head -n 1 alpine/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> "${GITHUB_OUTPUT}"

- name: Build container image
uses: docker/build-push-action@v5
- name: Build and push image
uses: ./.github/actions/build-docker-image
with:
context: alpine
platforms: linux/amd64,linux/arm64
push: ${{ github.base_ref == null }}
cache-from: type=gha,scope=alpine
cache-to: type=gha,mode=max,scope=alpine
tags: |
ghcr.io/automattic/vip-container-images/alpine:latest
ghcr.io/automattic/vip-container-images/alpine:${{ steps.getversion.outputs.version }}
primaryTag: ghcr.io/automattic/vip-container-images/alpine:${{ steps.getversion.outputs.version }}
tags: ghcr.io/automattic/vip-container-images/alpine:latest
26 changes: 7 additions & 19 deletions .github/workflows/dev-tools.yml
Expand Up @@ -7,10 +7,12 @@ on:
paths:
- "dev-tools/**"
- ".github/workflows/dev-tools.yml"
- ".github/actions/build-docker-image/**"
pull_request:
paths:
- "dev-tools/**"
- ".github/workflows/dev-tools.yml"
- ".github/actions/build-docker-image/**"

permissions:
contents: read
Expand All @@ -26,31 +28,17 @@ jobs:
permissions:
packages: write
contents: read
pull-requests: write
steps:
- name: Check out the repo
uses: actions/checkout@v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Log in to GitHub Docker Registry
uses: docker/login-action@v3
with:
registry: https://ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build container image
uses: docker/build-push-action@v5
- name: Build and push image
uses: ./.github/actions/build-docker-image
with:
context: dev-tools
platforms: linux/amd64,linux/arm64
push: ${{ github.base_ref == null }}
cache-from: type=gha,scope=dev-tools
cache-to: type=gha,mode=max,scope=dev-tools
tags: |
ghcr.io/automattic/vip-container-images/dev-tools:latest
ghcr.io/automattic/vip-container-images/dev-tools:0.9
primaryTag: ghcr.io/automattic/vip-container-images/dev-tools:0.9
tags: ghcr.io/automattic/vip-container-images/dev-tools:0.9
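Review bot: the `latest` tag is dropped for dev-tools. The removed block tagged both `dev-tools:latest` and `dev-tools:0.9`, but the new call passes `dev-tools:0.9` as both `primaryTag` and `tags`, so `latest` is no longer pushed and the image carries a duplicate tag. The other workflows in this PR use `primaryTag: <version>` with `tags: <image>:latest`; this one should read `tags: ghcr.io/automattic/vip-container-images/dev-tools:latest`.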
27 changes: 7 additions & 20 deletions .github/workflows/mu-plugins.yml
Expand Up @@ -7,10 +7,12 @@ on:
paths:
- "mu-plugins/**"
- ".github/workflows/mu-plugins.yml"
- ".github/actions/build-docker-image/**"
pull_request:
paths:
- "mu-plugins/**"
- ".github/workflows/mu-plugins.yml"
- ".github/actions/build-docker-image/**"
workflow_dispatch:
repository_dispatch:
types:
Expand All @@ -30,30 +32,15 @@ jobs:
permissions:
packages: write
contents: read
pull-requests: write
steps:
- name: Check out the repo
uses: actions/checkout@v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Log in to GitHub Docker Registry
uses: docker/login-action@v3
with:
registry: https://ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name != 'pull_request'

- name: Build container image
uses: docker/build-push-action@v5
- name: Build and push image
uses: ./.github/actions/build-docker-image
with:
context: mu-plugins
platforms: linux/amd64,linux/arm64
push: ${{ github.base_ref == null }}
tags: |
ghcr.io/automattic/vip-container-images/mu-plugins:latest
ghcr.io/automattic/vip-container-images/mu-plugins:0.1
primaryTag: ghcr.io/automattic/vip-container-images/mu-plugins:0.1
tags: ghcr.io/automattic/vip-container-images/mu-plugins:latest
30 changes: 9 additions & 21 deletions .github/workflows/nginx.yml
Expand Up @@ -7,10 +7,12 @@ on:
paths:
- "nginx/**"
- ".github/workflows/nginx.yml"
- ".github/actions/build-docker-image/**"
pull_request:
paths:
- "nginx/**"
- ".github/workflows/nginx.yml"
- ".github/actions/build-docker-image/**"

permissions:
contents: read
Expand All @@ -26,35 +28,21 @@ jobs:
permissions:
packages: write
contents: read
pull-requests: write
steps:
- name: Check out the repo
uses: actions/checkout@v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Log in to GitHub Docker Registry
uses: docker/login-action@v3
with:
registry: https://ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Get image version
id: getversion
run: echo "version=$(head -n 1 nginx/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> $GITHUB_OUTPUT
run: echo "version=$(head -n 1 nginx/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> "${GITHUB_OUTPUT}"

- name: Build container image
uses: docker/build-push-action@v5
- name: Build and push image
uses: ./.github/actions/build-docker-image
with:
context: nginx
platforms: linux/amd64,linux/arm64
push: ${{ github.base_ref == null }}
cache-from: type=gha,scope=nginx
cache-to: type=gha,mode=max,scope=nginx
push: ${{ github.base_ref == null }}
tags: |
ghcr.io/automattic/vip-container-images/nginx:latest
ghcr.io/automattic/vip-container-images/nginx:${{ steps.getversion.outputs.version }}
primaryTag: ghcr.io/automattic/vip-container-images/nginx:${{ steps.getversion.outputs.version }}
tags: ghcr.io/automattic/vip-container-images/nginx:latest