-
Notifications
You must be signed in to change notification settings - Fork 368
173 lines (160 loc) · 5.83 KB
/
.reusable-docker-build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
# reusable workflow
name: Build Docker Image
on:
workflow_call:
inputs:
registry-url:
type: string
description: Github Container Registry base URL
required: false
default: ghcr.io
file:
type: string
description: Path to the Dockerfile
required: false
default: Dockerfile
target:
type: string
description: Sets the target stage to build
required: false
image-name:
type: string
description: Image name
required: true
tags:
type: string
required: false
default: |
type=ref,event=branch
type=ref,event=tag
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
build-args:
type: string
description: List of build-time variables
required: false
scan:
type: boolean
description: Whether to scan built image for vulnerabilities
required: false
default: true
ephemeral:
type: boolean
description: Whether to skip push and use Depot's ephemeral registry
required: false
default: false
comment:
type: boolean
description: Whether to update the build status in a PR comment
required: false
default: false
trivy-db-repository:
type: string
description: Trivy Database OCI specifier
required: false
default: ghcr.io/flagsmith/trivy-db:latest
trivy-java-db-repository:
type: string
description: Trivy Java Database OCI specifier
default: ghcr.io/flagsmith/trivy-java-db:latest
outputs:
image:
description: Resulting image specifier
value: ${{ jobs.build.outputs.image }}
secrets:
secrets:
description: List of secrets to expose to the build (e.g., `key=string, GIT_AUTH_TOKEN=mytoken`)
required: false
jobs:
build:
name: Build ${{ inputs.scan && 'and verify ' || '' }}${{ inputs.image-name }} image
runs-on: ubuntu-latest
outputs:
image: ${{ steps.image-tag.outputs.image-tag }}
permissions:
id-token: write
packages: write
pull-requests: write
security-events: write
contents: read
steps:
- name: Cloning repo
uses: actions/checkout@v4
- name: Set up Depot CLI
uses: depot/setup-action@v1
- name: Login to Github Container Registry
if: ${{ !inputs.ephemeral }}
uses: docker/login-action@v3
with:
registry: ${{ inputs.registry-url }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ inputs.registry-url }}/flagsmith/${{ inputs.image-name }}
tags: ${{ inputs.tags }}
- name: Build and push image
id: build
uses: depot/build-push-action@v1
with:
context: .
save: ${{ inputs.ephemeral }}
push: ${{ !inputs.ephemeral }}
platforms: linux/amd64,linux/arm64
secrets: ${{ secrets.secrets }}
target: ${{ inputs.target }}
build-args: |
CI_COMMIT_SHA=${{ github.sha }}
${{ inputs.build-args }}
file: ${{ inputs.file }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
provenance: false
- name: Render image tag
id: image-tag
run: >
echo image-tag=${{ inputs.ephemeral && format('registry.depot.dev/{0}:{1}', steps.build.outputs.project-id,
steps.build.outputs.build-id) || format('{0}/flagsmith/{1}:{2}', inputs.registry-url, inputs.image-name,
steps.meta.outputs.version) }} >> $GITHUB_OUTPUT
- name: Render Depot token
id: depot-token
if: inputs.scan && inputs.ephemeral
run: |
export DEPOT_TOKEN=$(depot pull-token)
echo ::add-mask::$DEPOT_TOKEN
echo depot-token=$DEPOT_TOKEN >> $GITHUB_OUTPUT
- name: Report build finish
uses: ./.github/actions/docker-build-report-to-pr
if: inputs.comment && !inputs.scan
with:
image-tag: ${{ steps.image-tag.outputs.image-tag }}
build-status: 'Finished :white_check_mark:'
security-report-status: 'Skipped'
- name: Scan ${{ steps.image-tag.outputs.image-tag }} image
id: trivy
uses: ./.github/actions/trivy-scan-image
if: inputs.scan
with:
image-tag: ${{ steps.image-tag.outputs.image-tag }}
category: ${{ inputs.image-name }}
# `query` value contained path:{image_name} before but not all Trivy findings
# conform to that. There's no category filter at the moment; for the time being,
# produce a shared report URL for all images.
query: ${{ format('pr:{0}', github.event.pull_request.number) }}
trivy-username: ${{ inputs.ephemeral && 'x-token' || github.actor }}
trivy-password: ${{ inputs.ephemeral && steps.depot-token.outputs.depot-token || secrets.GITHUB_TOKEN }}
trivy-db-repository: ${{ inputs.trivy-db-repository }}
trivy-java-db-repository: ${{ inputs.trivy-java-db-repository }}
- name: Report scan results URL
uses: ./.github/actions/docker-build-report-to-pr
if: inputs.comment && inputs.scan
with:
image-tag: ${{ steps.image-tag.outputs.image-tag }}
build-status: 'Finished :white_check_mark:'
security-report-status:
"${{ format('[Results]({0}) {1}', steps.trivy.outputs.scan-results-url, steps.trivy.outputs.scan-outcome ==
'success' && ':white_check_mark:' || ':heavy_exclamation_mark:') }}"