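---
name: Reusable workflow - Docker

# Reusable workflow: a caller references it with `uses: .../reusable-docker.yml@<ref>`.
# Pull-request runs only build and scan the image locally; runs on `main`
# build and push it to the registry (see the `build` job).
on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      FOLDER:
        description: Directory, relative to the repository root, that holds the Dockerfile.
        required: true
        type: string
      DOCKERFILE_NAME:
        description: Dockerfile file name inside FOLDER.
        required: false
        type: string
        default: 'Dockerfile'
      REGISTRY:
        description: Registry host the image is pushed to, e.g. ghcr.io.
        required: true
        type: string
      IMAGE_NAME:
        description: >-
          Image name without registry or tag. It is rendered into a PR comment,
          so keep it free of Markdown or JavaScript special characters.
        required: true
        type: string
      IMAGE_TAG:
        description: >-
          Tag to publish. The default `latest` is a mutable tag; consumers that
          need reproducible deployments should pin the `digest` output of the
          build job instead of the tag.
        required: false
        type: string
        default: 'latest'
    secrets:
      GHCR_USER:
        description: User or organisation name used to log in to the registry.
        required: true
      GHCR_TOKEN:
        description: >-
          Token with the `write:packages` scope for the registry. Prefer a
          fine-grained or short-lived token over a long-lived classic PAT, and
          rotate it if it is ever exposed in a log.
        required: true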
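jobs:
  # ============================================================================
  # BUILD
  # ============================================================================
  build:
    name: build
    runs-on: ubuntu-22.04
    # Least privilege: `contents: read` for the checkout, `pull-requests: write`
    # only for the PR comment step. `id-token: write` was removed because no step
    # in this job uses OIDC; re-add it only together with a step that does
    # (e.g. keyless image signing).
    permissions:
      contents: read
      pull-requests: write
    outputs:
      # Content digest of the pushed image. Empty on PR runs, where the push
      # step is skipped. Callers should deploy by digest, not by mutable tag.
      digest: ${{ steps.build-and-push-step.outputs.digest }}
    steps:
      - name: 📂 Checkout repository
        uses: actions/checkout@v4.1.1
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false
      # ========================================================================
      # Install Tooling
      # ========================================================================
      - name: 🔻 Setup Docker buildx
        uses: docker/setup-buildx-action@v3
      # ========================================================================
      # Authenticate to the registry
      # ========================================================================
      # NOTE(review): this also runs on pull-request builds, which never push.
      # If the Dockerfile only pulls public base images, gate this step with
      # `if: github.event_name != 'pull_request'` so the token never enters
      # a PR job.
      - name: 🎫 Login to GitHub Container Registry
        uses: docker/login-action@v3
        id: login
        with:
          # Must be the same host the image is pushed to below; previously this
          # was hard-coded to ghcr.io regardless of the REGISTRY input.
          registry: ${{ inputs.REGISTRY }}
          username: ${{ secrets.GHCR_USER }}
          # Token with the `write:packages` scope, stored as the Actions secret `GHCR_TOKEN`.
          password: ${{ secrets.GHCR_TOKEN }}
      # ========================================================================
      # Build locally and run Trivy (only in PR)
      # ========================================================================
      - name: 🚧 Build locally
        if: github.event_name == 'pull_request'
        id: build_local
        # Pinned to a release tag instead of the mutable `master` branch
        # (supply chain); a full commit SHA is the stronger pin.
        uses: docker/build-push-action@v6
        with:
          push: false
          # No `context:` is set, so the action uses its default Git context
          # rather than the checkout above. Set `context: .` if the build must
          # see files produced by earlier steps.
          file: ${{ inputs.FOLDER }}/${{ inputs.DOCKERFILE_NAME }}
          tags: ${{ inputs.IMAGE_NAME }}:${{ inputs.IMAGE_TAG }}
          # Load the image into the local daemon so Trivy can scan it.
          outputs: type=docker
      - name: 🛡 Run Trivy vulnerability scanner
        if: github.event_name == 'pull_request'
        id: docker_trivy
        uses: aquasecurity/trivy-action@0.28.0
        # WARN ONLY: exit-code '0' plus continue-on-error means findings never
        # block a merge; they only appear in the log and the PR comment. To make
        # CRITICAL/HIGH findings gate the PR, set exit-code '1' and remove
        # continue-on-error. Note that the image actually pushed from `main`
        # is never scanned by this job.
        continue-on-error: true
        with:
          image-ref: ${{ inputs.IMAGE_NAME }}:${{ inputs.IMAGE_TAG }}
          format: 'table'
          exit-code: '0'
          # Hides findings with no fixed version yet: a policy choice, not a safe default.
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
      # ========================================================================
      # PR Output (only in PR)
      # ========================================================================
      - name: 📄 Show Build Output
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        # Everything the comment renders is passed via `env` and read from
        # process.env instead of being interpolated with ${{ }} inside the
        # script, so a crafted input or actor name cannot become JavaScript.
        env:
          IMAGE_NAME: ${{ inputs.IMAGE_NAME }}
          BUILD: ${{ steps.build_local.outputs.metadata }}
          BUILD_OUTCOME: ${{ steps.build_local.outcome }}
          TRIVY_OUTCOME: ${{ steps.docker_trivy.outcome }}
          ACTOR: ${{ github.actor }}
          EVENT_NAME: ${{ github.event_name }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const { IMAGE_NAME, BUILD, BUILD_OUTCOME, TRIVY_OUTCOME, ACTOR, EVENT_NAME } = process.env;
            // The build metadata gets its own line after the opening fence;
            // text on the fence line itself would be read as the info string.
            const output = `#### Image: 📋 \`${IMAGE_NAME}\`
            | | Step | Result |
            | --- | ---------- | -------------------------------------------- |
            | 📖 | **Build** | \`${BUILD_OUTCOME}\` |
            | 🛡 | **Trivy** | \`${TRIVY_OUTCOME}\` |
            ### Build:
            <details>
            <summary>Build output</summary>

            \`\`\`
            ${BUILD}
            \`\`\`
            </details>

            ---
            *Pusher: @${ACTOR}, Action: \`${EVENT_NAME}\`*`;
            // Awaited so the step waits for the API call and reports its failure.
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            });
      # ========================================================================
      # Build Image and push to the registry (except on PR)
      # ========================================================================
      # Extract metadata (tags, labels) for Docker
      - name: 📭 Extract Docker metadata
        if: github.event_name != 'pull_request'
        id: meta
        uses: docker/metadata-action@v5.5.1
        with:
          images: ${{ inputs.REGISTRY }}/${{ inputs.IMAGE_NAME }}
      # Build and push with Buildx. Only `main` publishes; pushes to other
      # branches run the metadata step above but skip this one.
      - name: 🔨 Build and push container image
        if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request'
        id: build-and-push-step
        # Pinned to a release tag instead of the mutable `master` branch.
        uses: docker/build-push-action@v6
        with:
          # The `if` above already excludes pull requests, so push unconditionally.
          push: true
          file: ${{ inputs.FOLDER }}/${{ inputs.DOCKERFILE_NAME }}
          labels: ${{ steps.meta.outputs.labels }}
          # Use `tags: ${{ steps.meta.outputs.tags }}` to also tag with the branch name.
          tags: ${{ inputs.REGISTRY }}/${{ inputs.IMAGE_NAME }}:${{ inputs.IMAGE_TAG }}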