ci: refactor build workflows #565
Merged
12 commits (all by sjinks):
d20f161  ci: refactor build workflows
da4d149  ci: post Trivy Scan Report as a comment
5c883d7  ci: add support for multiple images
22d320e  ci: refactor dev-tools.yml
bbb3b22  ci: refactor mu-plugins.yml
3ba4386  ci: refactor nginx.yml
121dc30  ci: refactor photon.yml
a7dfd60  ci: refactor php-fpm.yml
3a71519  ci: refactor skeleton.yml
bfe7f3c  ci: refactor traefik.yml
159b7f8  ci: refactor wordpress.yml
e7f7291  ci: remove fields with default values
@@ -0,0 +1,123 @@ | ||
name: Build Docker image | ||
description: Builds a Docker image | ||
inputs: | ||
context: | ||
description: The directory containing the Dockerfile | ||
required: true | ||
file: | ||
description: The Dockerfile to use | ||
required: false | ||
platforms: | ||
description: The platforms to build for | ||
required: false | ||
default: linux/amd64,linux/arm64 | ||
push: | ||
description: Whether to push the image to the registry | ||
required: true | ||
primaryTag: | ||
description: The primary tag to use for the image | ||
required: true | ||
tags: | ||
description: The tags to use for the image | ||
required: false | ||
args: | ||
description: List of build-time variables | ||
required: false | ||
cache-from: | ||
description: List of external cache sources for buildx | ||
required: false | ||
cache-to: | ||
description: List of cache export destinations for buildx | ||
required: false | ||
no-cache: | ||
description: Do not use cache when building the image | ||
required: false | ||
default: 'false' | ||
registry: | ||
description: The registry to use | ||
required: false | ||
default: https://ghcr.io | ||
username: | ||
description: The username to use for the registry | ||
required: false | ||
default: ${{ github.actor }} | ||
password: | ||
description: The password to use for the registry | ||
required: false | ||
default: ${{ github.token }} | ||
runs: | ||
using: composite | ||
steps: | ||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v3 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v3 | ||
|
||
- name: Log in to Docker Registry | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ${{ inputs.registry }} | ||
username: ${{ inputs.username }} | ||
password: ${{ inputs.password }} | ||
if: ${{ inputs.push }} | ||
|
||
- name: Build and push container image | ||
uses: docker/build-push-action@v5 | ||
with: | ||
context: ${{ inputs.context }} | ||
file: ${{ inputs.file }} | ||
platforms: ${{ inputs.platforms }} | ||
push: ${{ inputs.push }} | ||
tags: | | ||
${{ inputs.primaryTag }} | ||
${{ inputs.tags }} | ||
build-args: ${{ inputs.args }} | ||
cache-from: ${{ inputs.cache-from }} | ||
cache-to: ${{ inputs.cache-to }} | ||
no-cache: ${{ inputs.no-cache }} | ||
|
||
- name: Load image to local Docker | ||
uses: docker/build-push-action@v5 | ||
with: | ||
load: true | ||
push: false | ||
context: ${{ inputs.context }} | ||
file: ${{ inputs.file }} | ||
tags: | | ||
${{ inputs.primaryTag }} | ||
${{ inputs.tags }} | ||
build-args: ${{ inputs.args }} | ||
|
||
- name: Security Scan | ||
uses: aquasecurity/trivy-action@master | ||
with: | ||
image-ref: ${{ inputs.primaryTag }} | ||
format: template | ||
template: "@.github/actions/build-docker-image/markdown.tpl" | ||
output: trivy.md | ||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' | ||
|
||
- name: Security Scan | ||
uses: aquasecurity/trivy-action@master | ||
with: | ||
image-ref: ${{ inputs.primaryTag }} | ||
format: table | ||
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name || github.event.sender.login == 'dependabot[bot]' | ||
Comment on lines +92 to +106:
We cannot post a comment from a PR coming from a "foreign" repo; Dependabot's pull requests also count as coming from a foreign repo. So:
|
||
|
||
- name: Find Trivy Scan Report comment | ||
uses: peter-evans/find-comment@v2 | ||
id: fc | ||
with: | ||
issue-number: ${{ github.event.pull_request.number }} | ||
body-includes: ${{ inputs.primaryTag }} | ||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' | ||
|
||
- name: Create or update comment | ||
uses: peter-evans/create-or-update-comment@v3 | ||
with: | ||
comment-id: ${{ steps.fc.outputs.comment-id }} | ||
issue-number: ${{ github.event.pull_request.number }} | ||
body-path: trivy.md | ||
edit-mode: replace | ||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' |
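Review bot: both Security Scan steps reference a mutable branch, `uses: aquasecurity/trivy-action@master`, while every other third-party action in this file is pinned to a tag (`docker/build-push-action@v5`, `peter-evans/find-comment@v2`, `peter-evans/create-or-update-comment@v3`); whoever can push to that upstream branch controls what runs against the freshly built image in a job that holds `github.token`. Pin it to a release tag, or better a full commit SHA, like the rest. Two smaller points: neither scan sets an exit code or severity threshold, so findings are reported but never gate the build; and the find-comment / create-or-update-comment steps need `pull-requests: write` on the calling workflow's token, which nothing in the action's description or inputs tells the caller.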
@@ -0,0 +1,33 @@ | ||
## Trivy Scan Report | ||
{{- if . }} | ||
{{- range . }} | ||
## {{ .Target }} | ||
### Vulnerabilities | ||
{{- if (eq (len .Vulnerabilities) 0) }} | ||
No vulnerabilities found. | ||
{{- else }} | ||
| Package | Vulnerability ID | Severity | Installed Version | Fixed Version | Links | | ||
| ------- | ---------------- | :------: | ----------------- | ------------- | ----- | | ||
{{- range .Vulnerabilities }} | ||
| {{ .PkgName }} | {{ .VulnerabilityID }} | {{ .Vulnerability.Severity }} | {{ .InstalledVersion }} | {{ .FixedVersion }} | {{ .PrimaryURL }} | | ||
{{- end }} | ||
|
||
{{- end }} <!-- Vulnerabilities --> | ||
|
||
### Misconfigurations | ||
{{- if (eq (len .Misconfigurations ) 0) }} | ||
No misconfigurations found. | ||
{{- else }} | ||
| Type | Misconfiguration ID | Check | Severity | Message | | ||
| ---- | ------------------- | ----- | -------- | ------- | | ||
{{- range .Misconfigurations }} | ||
| {{ .Type }} | {{ .ID }} | {{ .Title }} | {{ .Severity }} | {{ .Message }}<br>{{ .PrimaryURL }} | | ||
{{- end }} | ||
|
||
{{- end }} <!-- Misconfigurations --> | ||
|
||
{{- end }} <!-- Targets --> | ||
|
||
{{- else }} | ||
Trivy Returned Empty Report | ||
{{- end }} |
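Review bot: the table cells in both sections are interpolated raw, so a `|` or a line break inside `.Message` or `.Title` (free text from the misconfiguration checks) splits or breaks the Markdown row and shifts every column after it; escape pipe characters and strip newlines before emitting those cells, e.g. by piping the value through a replace helper, so one odd finding cannot scramble the whole report that gets posted to the PR. The `{{- if . }}` / `Trivy Returned Empty Report` branch is a good touch, since it distinguishes a scan that produced no targets from one that found nothing.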
This second scan will not rebuild the image(s); it will load them from the build cache.
We need this step to feed the built image to the local Docker daemon. The previous step pushes the built image(s) to the registry but does not load them into Docker.
It is impossible to feed a multi-platform image to Docker anyway, so we export only the native version (amd64).