Add Container build and release workflow (#5)

GeekMasher · web-flow · commit 8014458e0211 · 2024-03-15T13:57:52.000Z
* feat: Add Container build and release workflow
* docs: add container workflow to README
* feat: SBOM update
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
@@ -0,0 +1,176 @@
+name: Conatiner Build and Release
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: "Semantic version of the image"
+        type: string
+        required: true
+
+      container-file:
+        description: "Path to the Dockerfile"
+        type: string
+        default: "Dockerfile"
+      
+      signing:
+        description: "Sign the image"
+        type: string
+        default: "true"
+
+      publish:
+        description: "Publish the image to the registry"
+        type: string
+        default: "true"
+
+      sbom:
+        description: "Generate and upload SBOM"
+        type: string
+        default: "true"
+      
+      scanning:
+        description: "Scan the image"
+        type: string
+        default: "true"
+      
+      scanning-block:
+        description: "Block the build if vulnerabilities are found"
+        type: string
+        default: "false"
+
+      tags:
+        description: "Comma-separated list of tags"
+        type: string
+        default: "latest"
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-publish-image:
+    runs-on: ubuntu-latest
+
+    outputs:
+      digest: ${{ steps.build.outputs.digest }}
+
+    permissions:
+      # to upload SBOM
+      id-token: write
+      contents: write
+      # to upload Docker image
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3.1.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            # latest / main
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+            # SemVer
+            type=semver,pattern={{version}},value=${{ inputs.version }}
+            # SemVer, major only
+            type=semver,pattern=v{{major}},value=${{ inputs.version }}
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v5.3.0
+        id: build
+        with:
+          file: "${{ inputs.docker-file }}"
+          context: .
+          push: ${{ inputs.publish }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          # SBOM Settings
+          sbom: true
+
+      # Upload Software Bill of Materials (SBOM) to GitHub
+      - name: Upload SBOM
+        uses: advanced-security/spdx-dependency-submission-action@v0.0.1
+        if: ${{ inputs.sbom == 'true' }}
+        with:
+          filePath: '.'
+          filePattern: '*.spdx.json'
+
+  scanning:
+    runs-on: ubuntu-latest
+    needs: build-publish-image
+    # Scan the image only if it is being published
+    if: ${{ inputs.scanning == 'true' && inputs.publish == 'true' }}
+
+    permissions:
+      contents: read
+      # read the image from GitHub Container Registry
+      packages: read
+      # to scan the Docker image
+      security-events: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3.1.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Scan the image for vulnerabilities
+      - name: Run the Anchore Grype scan action
+        uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a
+        id: scan
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ inputs.version }}@${{ needs.build-publish-image.outputs.digest }}"
+          only-fixed: true
+          fail-build: ${{ inputs.scanning-block }}
+
+      - name: Upload vulnerability report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+  signing:
+    runs-on: ubuntu-latest
+    needs: build-publish-image
+    # Sign the image only if it is being published
+    if: ${{ inputs.signing == 'true' && inputs.publish == 'true'  }}
+
+    permissions:
+      # read the image from GitHub Container Registry
+      packages: read
+
+    steps:
+      - uses: sigstore/cosign-installer@v3.3.0
+        with:
+          cosign-release: 'v2.2.2'
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3.1.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Sign the published container
+        # This step uses the identity token to provision an ephemeral certificate against the sigstore community Fulcio instance.
+        run: |
+          cosign sign --yes \
+            ${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+  
diff --git a/README.md b/README.md
@@ -46,6 +46,43 @@ secrets: inherit
 
 </details>
 
+### [Container - Build / Publish][workflow-python-build]
+
+This workflow will build and publish a container image to the GitHub Container Registry.
+This workflow does the following:
+
+- Setup Docker / Buildx
+- Configure GitHub Container Registry and tagging image
+- Build and push the container image
+- Generate a SBOM (Software Bill of Materials) for the container image and upload them to GitHub
+
+<details>
+<summary>Usage</summary>
+
+**Simple:**
+
+```yaml
+uses: advanced-security/reusable-workflows/.github/workflows/container.yml@main
+secrets: inherit
+with:
+  # This is used for tagging the container image.
+  # It will automatically also set `latest` / `main` + major version `v1` tags.
+  version: v1.0.0
+```
+
+**With Settings:**
+
+```yaml
+uses: advanced-security/reusable-workflows/.github/workflows/container.yml@main
+secrets: inherit
+with:
+  # This is used for tagging the container image
+  version: v1.0.0
+  # Select the Dockerfile to use
+  container-file: Dockerfile     # Defaults to `Dockerfile`
+  
+```
+
 ### [Markdown - Linting][workflow-markdown-lint]
 
 Lint markdown files in your repository.
