marco-lancini · marco-lancini · Sep 24, 2021 · Sep 24, 2021
@@ -0,0 +1,36 @@
+name: 'Docker Build'
+description: 'Docker Build'
+
+inputs:
+  folder:
+    description: 'Folder of the Docker image'
+    required: true
+  image_build:
+    description: 'Name of the build image'
+    required: true
+  image_latest:
+    description: 'Name of the latest image in the repository'
+    required: true
+
+outputs:
+  build_output:
+    description: 'Output of the build step'
+    value: ${{ steps.build.outputs.build_output }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 🔨 Building the image
+      id: build
+      shell: bash
+      run: |
+        output="$(docker build . -f ${{ inputs.folder }}/Dockerfile -t ${{ inputs.image_build }} --cache-from ${{ inputs.image_latest }})"
+
+        # Needed to avoid truncating multilines (https://github.com/actions/toolkit/issues/403)
+        output="${output//'%'/'%25'}"
+        output="${output//$'\n'/'%0A'}"
+        output="${output//$'\r'/'%0D'}"
+
+        # Set output
+        echo $output
+        echo "::set-output name=build_output::$output"
@@ -0,0 +1,44 @@
+name: 'Docker Push to GCR'
+description: 'Docker Push to GCR'
+
+inputs:
+  image_local:
+    description: 'Name of the local image built'
+    required: true
+  image_remote:
+    description: 'Name of the remote image to push'
+    required: true
+  registry:
+    description: 'GCR registry'
+    required: true
+  version_file:
+    description: 'Path of the file containing the VERSION number'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 📊 Obtain version
+      id: obtain_version
+      shell: bash
+      run: |
+        version=$(cat ${{ inputs.version_file }})
+        echo "🎉 Found version: ${version}"
+        echo "::set-output name=tag::$version"
+
+    - name: 🚀 Push image to GitHub Container Registry
+      id: push
+      shell: bash
+      run: |
+        REMOTE_IMAGE=${{ inputs.registry }}/${{ inputs.image_remote }}
+        IMAGE_VERSION=${{ steps.obtain_version.outputs.tag }}
+
+        echo "🏷 Tagging image"
+        docker tag ${{ inputs.image_local }} ${REMOTE_IMAGE}:${IMAGE_VERSION}
+        docker tag ${{ inputs.image_local }} ${REMOTE_IMAGE}:latest
+
+        echo "⚙️ Pushing ${REMOTE_IMAGE}:${IMAGE_VERSION}"
+        docker push ${REMOTE_IMAGE}:${IMAGE_VERSION}
+
+        echo "⚙️ Pushing ${REMOTE_IMAGE}:latest"
+        docker push ${REMOTE_IMAGE}:latest
@@ -0,0 +1,26 @@
+name: 'Trivy'
+description: 'Trivy'
+
+inputs:
+  image_name:
+    description: 'Name of the image'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    #
+    # Scan
+    #
+    - name: 🛡 Run Trivy vulnerability scanner
+      # TODO: currently not allowed in composite actions
+      # continue-on-error: true
+      uses: aquasecurity/trivy-action@0.0.20
+      id: scan
+      with:
+        image-ref: ${{ inputs.image_name }}
+        format: 'table'
+        # WARN ONLY
+        exit-code: '0'
+        ignore-unfixed: true
+        severity: 'CRITICAL,HIGH'
@@ -21,7 +21,7 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
 
     env:
       FOLDER: ${{ github.workspace }}/docker/markserv
@@ -33,13 +33,6 @@ jobs:
       - name: 📂 Checkout repository
         uses: actions/checkout@v2
 
-      - name: 📊 Obtain version
-        id: obtain_version
-        run: |
-          version=$(cat ${FOLDER}/${VERSION_FILE})
-          echo "🎉 Found version: ${version}"
-          echo "::set-output name=tag::$version"
-
       - name: 🎫 Login to GitHub Container Registry
         uses: docker/login-action@v1
         id: login
@@ -49,35 +42,35 @@ jobs:
           # Create a PAT with `read:packages` and `write:packages` scopes and save it as an Actions secret `GHCR_TOKEN`
           password: ${{ secrets.GHCR_TOKEN }}
 
-      - name: 🔨 Building the image
-        id: build
-        continue-on-error: true
-        run: |
-          output="$(docker build . -f ${FOLDER}/Dockerfile -t ${IMAGE_NAME}:build --cache-from ${REGISTRY}/${{ github.repository_owner }}/$IMAGE_NAME:latest)"
-
-          # Needed to avoid truncating multilines (https://github.com/actions/toolkit/issues/403)
-          output="${output//'%'/'%25'}"
-          output="${output//$'\n'/'%0A'}"
-          output="${output//$'\r'/'%0D'}"
-
-          # Set output for following steps
-          echo $output
-          echo "::set-output name=build-output::$output"
+      #
+      # Build Image
+      #
+      - name: 🔨 Build the image
+        id: docker_build
+        uses: ./.github/actions/docker-build
+        with:
+          folder: ${{ env.FOLDER }}
+          image_build: ${{ env.IMAGE_NAME }}:build
+          image_latest: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:latest
 
+      #
+      # Run Trivy
+      #
       - name: 🛡 Run Trivy vulnerability scanner
-        continue-on-error: true
-        uses: aquasecurity/trivy-action@0.0.8
-        id: trivy
+        if: github.event_name == 'pull_request'
+        id: docker_trivy
+        uses: ./.github/actions/docker-trivy
         with:
-          image-ref: ${{ env.IMAGE_NAME }}:build
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          severity: 'CRITICAL,HIGH'
+          image_name: ${{ env.IMAGE_NAME }}:build
 
+      #
+      # PR Output
+      #
       - name: 📄 Show Build Output
-        uses: actions/github-script@v3
         if: github.event_name == 'pull_request'
+        uses: actions/github-script@v4.0.2
+        env:
+          BUILD: ${{ steps.docker_build.outputs.build_output }}
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -86,18 +79,15 @@ jobs:
             |     | Step        | Result                                       |
             | --- | ----------  | -------------------------------------------- |
             | 🎫  | **Login**   | \`${{ steps.login.outcome }}\`               |
-            | 📊  | **Version** | \`${{ steps.obtain_version.outputs.tag }}\`  |
-            | 📖  | **Build**   | \`${{ steps.build.outcome }}\`               |
-            | 🛡  | **Trivy**   | \`${{ steps.trivy.outcome }}\`               |
+            | 📖  | **Build**   | \`${{ steps.docker_build.outcome }}\`               |
+            | 🛡  | **Trivy**   | \`${{ steps.docker_trivy.outcome }}\`               |
 
-            <details>
-              <summary>Show Build Output</summary>
+            ### Build:
 
-              \`\`\`
-              ${{ steps.build.outputs.build-output }}
-              \`\`\`
+            \`\`\`${process.env.BUILD}
+            \`\`\`
 
-            </details>
+            ---
 
             *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
 
@@ -108,20 +98,15 @@ jobs:
               body: output
             })
 
-      - name: ❓ Build Status
-        if: steps.build.outcome == 'failure' || steps.trivy.outcome == 'failure'
-        run: exit 1
-
+      #
+      # Push image to GCR
+      #
       - name: 🚀 Push image to GitHub Container Registry
         if: github.ref == 'refs/heads/main' && github.event_name == 'push'
-        run: |
-          IMAGE_VERSION=${{ steps.obtain_version.outputs.tag }}
-          REMOTE_IMAGE=${REGISTRY}/${{ github.repository_owner }}/$IMAGE_NAME
-
-          echo "⚙️ Pushing ${REMOTE_IMAGE}:${IMAGE_VERSION}"
-          docker tag ${IMAGE_NAME}:build ${REMOTE_IMAGE}:${IMAGE_VERSION}
-          docker push ${REMOTE_IMAGE}:${IMAGE_VERSION}
-
-          echo "⚙️ Pushing ${REMOTE_IMAGE}:latest"
-          docker tag ${IMAGE_NAME}:build ${REMOTE_IMAGE}:latest
-          docker push ${REMOTE_IMAGE}:latest
+        id: docker_push
+        uses: ./.github/actions/docker-push-gcr
+        with:
+          image_local: ${{ env.IMAGE_NAME }}:build
+          image_remote: ${{ env.IMAGE_NAME }}
+          registry: ${{ env.REGISTRY }}/${{ github.repository_owner }}
+          version_file: ${{ env.FOLDER }}/${{ env.VERSION_FILE }}
@@ -1 +1 @@
-1
+1.1