diff --git a/.github/actions/docker-build/action.yml b/.github/actions/docker-build/action.yml new file mode 100644 index 0000000..c976c2c --- /dev/null +++ b/.github/actions/docker-build/action.yml @@ -0,0 +1,36 @@ +name: 'Docker Build' +description: 'Docker Build' + +inputs: + folder: + description: 'Folder of the Docker image' + required: true + image_build: + description: 'Name of the build image' + required: true + image_latest: + description: 'Name of the latest image in the repository' + required: true + +outputs: + build_output: + description: 'Output of the build step' + value: ${{ steps.build.outputs.build_output }} + +runs: + using: 'composite' + steps: + - name: 🔨 Building the image + id: build + shell: bash + run: | + output="$(docker build . -f ${{ inputs.folder }}/Dockerfile -t ${{ inputs.image_build }} --cache-from ${{ inputs.image_latest }})" + + # Needed to avoid truncating multilines (https://github.com/actions/toolkit/issues/403) + output="${output//'%'/'%25'}" + output="${output//$'\n'/'%0A'}" + output="${output//$'\r'/'%0D'}" + + # Set output + echo $output + echo "::set-output name=build_output::$output" diff --git a/.github/actions/docker-push-gcr/action.yml b/.github/actions/docker-push-gcr/action.yml new file mode 100644 index 0000000..7aa3d4c --- /dev/null +++ b/.github/actions/docker-push-gcr/action.yml 
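Review bot: The build step's `run:` script expands `${{ inputs.folder }}`, `${{ inputs.image_build }}` and `${{ inputs.image_latest }}` directly into bash, so any caller of this composite action that passes a value containing shell metacharacters gets it executed on the runner (the expression-injection pattern GitHub warns about for `run:` steps). As called from the markserv workflow the values come from the job's own `env`, so it is not exploitable here, but the action is reusable and should take inputs through `env:` and quote them. `::set-output` has since been deprecated in favour of appending to `$GITHUB_OUTPUT`, which would also remove the manual `%25`/`%0A`/`%0D` escaping; at minimum the unquoted `echo $output` should become `echo "$output"` so the captured log is not word-split and glob-expanded.
```yaml
        shell: bash
        env:
          FOLDER: ${{ inputs.folder }}
          IMAGE_BUILD: ${{ inputs.image_build }}
          IMAGE_LATEST: ${{ inputs.image_latest }}
        run: |
          output="$(docker build . -f "$FOLDER/Dockerfile" -t "$IMAGE_BUILD" --cache-from "$IMAGE_LATEST")"
          # … unchanged: multiline escaping and set-output …
```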
@@ -0,0 +1,44 @@ +name: 'Docker Push to GCR' +description: 'Docker Push to GCR' + +inputs: + image_local: + description: 'Name of the local image built' + required: true + image_remote: + description: 'Name of the remote image to push' + required: true + registry: + description: 'GCR registry' + required: true + version_file: + description: 'Path of the file containing the VERSION number' + required: true + +runs: + using: 'composite' + steps: + - name: 📊 Obtain version + id: obtain_version + shell: bash + run: | + version=$(cat ${{ inputs.version_file }}) + echo "🎉 Found version: ${version}" + echo "::set-output name=tag::$version" + + - name: 🚀 Push image to GitHub Container Registry + id: push + shell: bash + run: | + REMOTE_IMAGE=${{ inputs.registry }}/${{ inputs.image_remote }} + IMAGE_VERSION=${{ steps.obtain_version.outputs.tag }} + + echo "🏷 Tagging image" + docker tag ${{ inputs.image_local }} ${REMOTE_IMAGE}:${IMAGE_VERSION} + docker tag ${{ inputs.image_local }} ${REMOTE_IMAGE}:latest + + echo "⚙️ Pushing ${REMOTE_IMAGE}:${IMAGE_VERSION}" + docker push ${REMOTE_IMAGE}:${IMAGE_VERSION} + + echo "⚙️ Pushing ${REMOTE_IMAGE}:latest" + docker push ${REMOTE_IMAGE}:latest diff --git a/.github/actions/docker-trivy/action.yml b/.github/actions/docker-trivy/action.yml new file mode 100644 index 0000000..7ce0239 --- /dev/null +++ b/.github/actions/docker-trivy/action.yml @@ -0,0 +1,26 @@ +name: 'Trivy' +description: 'Trivy' + +inputs: + image_name: + description: 'Name of the image' + required: true + +runs: + using: 'composite' + steps: + # + # Scan + # + - name: 🛡 Run Trivy vulnerability scanner + # TODO: currently not allowed in composite actions + # continue-on-error: true + uses: aquasecurity/trivy-action@0.0.20 + id: scan + with: + image-ref: ${{ inputs.image_name }} + format: 'table' + # WARN ONLY + exit-code: '0' + ignore-unfixed: true + severity: 'CRITICAL,HIGH' 
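Review bot: The `obtain_version` step emits the raw contents of `${{ inputs.version_file }}` as an output, and the push step then expands `${{ steps.obtain_version.outputs.tag }}` together with `${{ inputs.registry }}`, `${{ inputs.image_remote }}` and `${{ inputs.image_local }}` straight into its bash script, so a VERSION file or action input containing shell metacharacters runs on the runner, and an empty or whitespace-padded file yields a malformed `REMOTE_IMAGE:` reference. The calling workflow only pushes from `main`, which limits who can plant such a file, but the action should validate the tag against Docker's tag grammar and pass values through `env:` rather than inline expansion. The action is also named `Docker Push to GCR` while its step title and the caller's `GHCR_TOKEN` login target GitHub Container Registry; since GCR conventionally means Google Container Registry, `name: 'Docker Push to GHCR'` would avoid the confusion.
```yaml
        env:
          VERSION_FILE: ${{ inputs.version_file }}
        run: |
          version="$(tr -d '[:space:]' < "$VERSION_FILE")"
          if ! [[ "$version" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "::error::Invalid image tag '$version' in $VERSION_FILE"
            exit 1
          fi
          echo "🎉 Found version: ${version}"
          echo "::set-output name=tag::$version"
```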
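Review bot: With `exit-code: '0'` the Trivy step never fails, so `steps.docker_trivy.outcome` reads `success` even when fixable CRITICAL/HIGH vulnerabilities are reported, and the `# WARN ONLY` comment is the only place that tells a reader the PR summary table built from that outcome is meaningless. The TODO about `continue-on-error` is moot for gating purposes: a failing step inside a composite action fails the calling step, which is exactly the behaviour wanted before an image is pushed, so `exit-code: '1'` (the value the old inline step used) can be restored. `aquasecurity/trivy-action@0.0.20` is a mutable tag; pinning a third-party action that runs with the job's credentials to its full commit SHA, e.g. `uses: aquasecurity/trivy-action@<sha> # 0.0.20`, keeps it from changing underneath the workflow.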
diff --git a/.github/workflows/docker_markserv.yml b/.github/workflows/docker_markserv.yml index 313f7f9..d006ff9 100644 --- a/.github/workflows/docker_markserv.yml +++ b/.github/workflows/docker_markserv.yml @@ -21,7 +21,7 @@ on: jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 env: FOLDER: ${{ github.workspace }}/docker/markserv @@ -33,13 +33,6 @@ jobs: - name: 📂 Checkout repository uses: actions/checkout@v2 - - name: 📊 Obtain version - id: obtain_version - run: | - version=$(cat ${FOLDER}/${VERSION_FILE}) - echo "🎉 Found version: ${version}" - echo "::set-output name=tag::$version" - - name: 🎫 Login to GitHub Container Registry uses: docker/login-action@v1 id: login 
@@ -49,35 +42,35 @@ jobs: # Create a PAT with `read:packages` and `write:packages` scopes and save it as an Actions secret `GHCR_TOKEN` password: ${{ secrets.GHCR_TOKEN }} - - name: 🔨 Building the image - id: build - continue-on-error: true - run: | - output="$(docker build . -f ${FOLDER}/Dockerfile -t ${IMAGE_NAME}:build --cache-from ${REGISTRY}/${{ github.repository_owner }}/$IMAGE_NAME:latest)" - - # Needed to avoid truncating multilines (https://github.com/actions/toolkit/issues/403) - output="${output//'%'/'%25'}" - output="${output//$'\n'/'%0A'}" - output="${output//$'\r'/'%0D'}" - - # Set output for following steps - echo $output - echo "::set-output name=build-output::$output" + # + # Build Image + # + - name: 🔨 Build the image + id: docker_build + uses: ./.github/actions/docker-build + with: + folder: ${{ env.FOLDER }} + image_build: ${{ env.IMAGE_NAME }}:build + image_latest: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:latest + # + # Run Trivy + # - name: 🛡 Run Trivy vulnerability scanner - continue-on-error: true - uses: aquasecurity/trivy-action@0.0.8 - id: trivy + if: github.event_name == 'pull_request' + id: docker_trivy + uses: ./.github/actions/docker-trivy with: - image-ref: ${{ env.IMAGE_NAME }}:build - format: 'table' - exit-code: '1' - ignore-unfixed: true - severity: 'CRITICAL,HIGH' + image_name: ${{ env.IMAGE_NAME }}:build + # + # PR Output + # - name: 📄 Show Build Output - uses: actions/github-script@v3 if: github.event_name == 'pull_request' + uses: actions/github-script@v4.0.2 + env: + BUILD: ${{ steps.docker_build.outputs.build_output }} with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | 
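Review bot: The Trivy step is now gated with `if: github.event_name == 'pull_request'`, so on the `push` to `main` that actually publishes the image (the `docker_push` step later in this job) the image is built and pushed without ever being scanned, and the step is recorded as `skipped` rather than evaluated. Since the scan inside the composite action is already warn-only, dropping the `if:` line costs nothing on PRs and at least records findings for every image that reaches the registry; the PR summary keeps working because its own step retains the `pull_request` condition. A smaller point: the GHCR login with the write-scoped `GHCR_TOKEN` PAT (context at the top of the hunk) runs for every event, including PRs that never push; if the `:latest` cache image is public the login can carry `if: github.event_name == 'push'`, and if it is private a separate `read:packages` token would suffice for the PR path. The `script: |` block that ends this hunk continues in the next one.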
@@ -86,18 +79,15 @@ jobs: | | Step | Result | | --- | ---------- | -------------------------------------------- | | 🎫 | **Login** | \`${{ steps.login.outcome }}\` | - | 📊 | **Version** | \`${{ steps.obtain_version.outputs.tag }}\` | - | 📖 | **Build** | \`${{ steps.build.outcome }}\` | - | 🛡 | **Trivy** | \`${{ steps.trivy.outcome }}\` | + | 📖 | **Build** | \`${{ steps.docker_build.outcome }}\` | + | 🛡 | **Trivy** | \`${{ steps.docker_trivy.outcome }}\` | -
- Show Build Output + ### Build: - \`\`\` - ${{ steps.build.outputs.build-output }} - \`\`\` + \`\`\`${process.env.BUILD} + \`\`\` -
+ --- *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; @@ -108,20 +98,15 @@ jobs: body: output }) - - name: ❓ Build Status - if: steps.build.outcome == 'failure' || steps.trivy.outcome == 'failure' - run: exit 1 - + # + # Push image to GCR + # - name: 🚀 Push image to GitHub Container Registry if: github.ref == 'refs/heads/main' && github.event_name == 'push' - run: | - IMAGE_VERSION=${{ steps.obtain_version.outputs.tag }} - REMOTE_IMAGE=${REGISTRY}/${{ github.repository_owner }}/$IMAGE_NAME - - echo "⚙️ Pushing ${REMOTE_IMAGE}:${IMAGE_VERSION}" - docker tag ${IMAGE_NAME}:build ${REMOTE_IMAGE}:${IMAGE_VERSION} - docker push ${REMOTE_IMAGE}:${IMAGE_VERSION} - - echo "⚙️ Pushing ${REMOTE_IMAGE}:latest" - docker tag ${IMAGE_NAME}:build ${REMOTE_IMAGE}:latest - docker push ${REMOTE_IMAGE}:latest + id: docker_push + uses: ./.github/actions/docker-push-gcr + with: + image_local: ${{ env.IMAGE_NAME }}:build + image_remote: ${{ env.IMAGE_NAME }} + registry: ${{ env.REGISTRY }}/${{ github.repository_owner }} + version_file: ${{ env.FOLDER }}/${{ env.VERSION_FILE }} diff --git a/docker/markserv/VERSION b/docker/markserv/VERSION index d00491f..9459d4b 100644 --- a/docker/markserv/VERSION +++ b/docker/markserv/VERSION @@ -1 +1 @@ -1 +1.1
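Review bot: `${process.env.BUILD}` is interpolated verbatim inside a markdown code fence in the PR comment, so any run of three backticks in the docker build output — which includes whatever a pull request's Dockerfile prints during `RUN` — closes the fence and lets the PR author inject arbitrary markdown (links, images, @-mentions) into a comment posted under the bot's identity, and an unbounded build log can also exceed GitHub's comment size limit and make `createComment` fail. Neutralise fence delimiters and bound the size before interpolating, e.g. `const build = (process.env.BUILD || '').replace(/\x60{3}/g, "'''").slice(-60000);` (`\x60` is a backtick) and then use `${build}` in place of `${process.env.BUILD}` in the template. The `script: |` block and the `output` template literal it builds begin in the previous hunk, outside this one.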
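Review bot: Deleting the `❓ Build Status` step removes the only gate between the scan and `docker_push`, and nothing replaces it: the push step's `if:` checks only the ref and the event, so an image with CRITICAL/HIGH findings — or, on push events, one that was never scanned at all because the Trivy step is PR-only — is tagged `:latest` and published. Build failures are still caught because `continue-on-error` was dropped from the build step and the job now fails on a bad build, so the missing gate only needs to cover the scan; once the Trivy step runs on push events and exits non-zero on findings, extending the condition to `if: github.ref == 'refs/heads/main' && github.event_name == 'push' && steps.docker_trivy.outcome == 'success'` restores the previous guarantee.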