Skip to content

🔧 Fix Terrascan installation on non x86 #72

🔧 Fix Terrascan installation on non x86

🔧 Fix Terrascan installation on non x86 #72

Workflow file for this run

---
name: Images
on:
pull_request:
branches:
- main
paths:
- images/**
push:
branches:
- main
paths:
- images/**
permissions: {}
jobs:
detect-changes:
name: Detect Changes
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
images: ${{ steps.detect_changes.outputs.changes }}
steps:
- name: Checkout
id: checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Build path-filters file
id: build_path_filters
run: bash scripts/path-filter/configuration-generator.sh images
- name: Detect changes
id: detect_changes
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
with:
filters: .github/path-filters/images.yml
preflight-checks:
needs: [detect-changes]
if: ${{ needs.detect-changes.outputs.images != '[]' && github.ref != 'refs/heads/main' }}
name: Preflight Checks
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
packages: read
strategy:
fail-fast: false
matrix:
image: ${{ fromJson(needs.detect-changes.outputs.images) }}
steps:
- name: Checkout
id: checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Check Version
id: check_version
env:
GH_TOKEN: ${{ github.token }}
run: |
echo "${{ env.GH_TOKEN }}" | skopeo login ghcr.io --username ${{ github.actor }} --password-stdin
version=$(jq -r '.version' images/${{ matrix.image }}/config.json)
export version
if skopeo list-tags docker://ghcr.io/ministryofjustice/devcontainer-${{ matrix.image }}; then
image_exists=true
else
echo "image_exists=false" >>"${GITHUB_ENV}"
echo "tag_exists=false" >>"${GITHUB_ENV}"
fi
if [[ "${image_exists}" == "true" ]]; then
checkTag=$(skopeo list-tags docker://ghcr.io/ministryofjustice/devcontainer-${{ matrix.image }} | jq -r --arg version "${version}" '.Tags | index($version)')
export checkTag
if [[ -z "${imageTag}" ]]; then
echo "tag_exists=false" >>"${GITHUB_ENV}"
else
echo "tag_exists=true" >>"${GITHUB_ENV}"
fi
fi
- name: Check CHANGELOG Updates
id: check_changelog_updates
env:
GH_TOKEN: ${{ github.token }}
run: |
mainSha=$(gh api --method GET /repos/"${GITHUB_REPOSITORY}"/contents/images/${{ matrix.image }}/CHANGELOG.md --field ref="main" | jq -r '.sha')
branchSha=$(gh api --method GET /repos/"${GITHUB_REPOSITORY}"/contents/images/${{ matrix.image }}/CHANGELOG.md --field ref="${GITHUB_HEAD_REF}" | jq -r '.sha')
if [[ -z "${mainSha}" ]]; then
SHA not found for main branch, assuming CHANGELOG.md does not exist
elif [[ -z "${branchSha}" ]]; then
SHA not found for "${GITHUB_HEAD_REF}" branch, assuming CHANGELOG.md does not exist
"changelog_updated=false" >>"${GITHUB_ENV}"
elif [[ "${mainSha}" == "${branchSha}" ]]; then
echo "CHANGELOG.md matches main branch, needs to be updated"
echo "changelog_updated=false" >>"${GITHUB_ENV}"
elif [[ "${mainSha}" != "${branchSha}" ]]; then
echo "CHANGELOG.md does not match main branch, does not need to be updated"
echo "changelog_updated=true" >>"${GITHUB_ENV}"
fi
- name: Evaluate Checks
id: evaluate_checks
run: |
if [[ "${{ env.tag_exists }}" == "true" ]]; then
echo "::error::FAIL: Container tag already exists"
export failBuild="true"
else
echo "::notice::OK: Container tag does not exist"
export failBuild="false"
fi
if [[ "${{ env.changelog_updated }}" == "true" ]]; then
echo "::notice::OK: CHANGELOG.md has been updated"
export failBuild="false"
elif [[ "${{ env.changelog_updated }}" == "false" ]]; then
echo "::error::FAIL: CHANGELOG.md needs to be updated"
export failBuild="true"
fi
if [[ "${failBuild}" == "true" ]]; then
exit 1
fi
build-test-scan:
needs: [detect-changes]
if: ${{ needs.detect-changes.outputs.images != '[]' && github.ref != 'refs/heads/main' }}
name: Build and Test
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
image: ${{ fromJson(needs.detect-changes.outputs.images) }}
platform: [linux/amd64, linux/arm64]
steps:
- name: Checkout
id: checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Set Up Google Container Structure Test
id: setup_container_structure_test
uses: ./.github/actions/setup-container-structure-test
- name: Set Up QEMU
id: setup_qemu
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: Set Up Docker Buildx
id: setup_docker_buildx
uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0
- name: Build Image
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
file: images/${{ matrix.image }}/Dockerfile
context: images/${{ matrix.image }}
platforms: ${{ matrix.platform }}
load: true
tags: ghcr.io/ministryofjustice/devcontainer-${{ matrix.image }}:${{ github.sha }}
- name: Container Structure Test
id: container_structure_test
run: |
container-structure-test test \
--config images/${{ matrix.image }}/test/container-structure-test.yml \
--image ghcr.io/ministryofjustice/devcontainer-${{ matrix.image }}:${{ github.sha }}
- name: Scan Image
id: scan_image
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
with:
scan-type: image
image-ref: ghcr.io/ministryofjustice/devcontainer-${{ matrix.image }}:${{ github.sha }}
exit-code: 1
severity: HIGH,CRITICAL
ignore-unfixed: true
hide-progress: true
publish:
needs: [detect-changes]
if: ${{ needs.detect-changes.outputs.images != '[]' && github.ref == 'refs/heads/main' }}
name: Publish
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
packages: write
strategy:
fail-fast: false
matrix:
image: ${{ fromJson(needs.detect-changes.outputs.images) }}
steps:
- name: Checkout
id: checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Set Up QEMU
id: setup_qemu
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: Set Up Docker Buildx
id: setup_docker_buildx
uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0
- name: Log in to GitHub Container Registry
id: login_ghcr
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Prepare Environment
id: prepare_environment
run: |
version=$(jq -r '.version' images/${{ matrix.image }}/config.json)
echo "version=${version}" >>"${GITHUB_ENV}"
- name: Publish Image
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
file: images/${{ matrix.image }}/Dockerfile
context: images/${{ matrix.image }}
platforms: linux/amd64,linux/arm64
push: true
tags: |
ghcr.io/ministryofjustice/devcontainer-${{ matrix.image }}:${{ env.version }}
ghcr.io/ministryofjustice/devcontainer-${{ matrix.image }}:latest