Skip to content

add workflows for container builds #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
airkewld wants to merge 17 commits into
base: main
Choose a base branch
from
Draft

add workflows for container builds #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
fe5b23b
add workflows for container builds
Jun 17, 2022
4b539a4
scan needs build job
Jun 17, 2022
d271217
temp for testing with ttl.sh
Jun 17, 2022
0d2d017
right tagging
Jun 17, 2022
9b1c67a
build one for ttl.sh
Jun 17, 2022
ea300eb
no need to cd anywhere
Jun 17, 2022
cd11208
save the random gen uui
Jun 17, 2022
0f13014
change file name
Jun 17, 2022
a58a754
right path where file is created
Jun 17, 2022
9777a5e
save it to pwd
Jun 17, 2022
c456f80
debug
Jun 17, 2022
7f8adfc
save to pwd not new dir
Jun 17, 2022
2bad528
working now
Jun 17, 2022
b08ad72
push for prod use
Jun 17, 2022
e0fa689
empty line
Jun 17, 2022
cc9275f
also a secret
Jun 17, 2022
7d99c45
needed
Jun 17, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 76 additions & 0 deletions .github/workflows/docker-build.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
on:
workflow_call:
inputs:
dockerfilePath:
description: "Path to Dockerfile."
required: true
type: string
buildArgs:
description: "Build args to be used to build the container image."
required: false
type: string
ociRegistry:
description: "Registry to push the image to."
required: false
type: string
imageName:
description: "Desired name for container image."
required: false
type: string
imageTag:
description: "Desired tag for container image."
required: false
type: string
secrets:
oci_registry_user:
description: "Username to authn"
required: false
oci_registry_password:
description: "User password to authn"
required: false

jobs:

build:
runs-on: ubuntu-latest

steps:
- name: Checkout repo
uses: actions/checkout@v2

- name: Build container image
run: |
cd ${{ inputs.dockerfilePath }}
docker build . ${{ inputs.buildArgs }} -t ${{ inputs.ociRegistry}}/${{ inputs.imageName }}:${{ inputs.imageTag }}
docker build . ${{ inputs.buildArgs }} -t ${{ inputs.ociRegistry}}/${{ inputs.imageName }}:latest
# Push to ttl.sh for scanning
IMAGE_NAME=$(uuidgen)
echo $IMAGE_NAME > random_uuid
docker build . ${{ inputs.buildArgs }} -t ttl.sh/${IMAGE_NAME}:1h
docker push ttl.sh/${IMAGE_NAME}:1h

- name: Upload temp tag
uses: actions/upload-artifact@v3
with:
name: random_uuid
path: ${{ inputs.dockerfilePath }}/random_uuid
retention-days: 1

scan:
runs-on: ubuntu-latest
container:
image: aquasec/trivy:latest
needs: [build]

steps:

- name: Download tag artifact
uses: actions/download-artifact@v3
with:
name: random_uuid
path: ./

- name: Scan image artifact
run: |
IMAGE_NAME=$(cat random_uuid)
trivy image --ignore-unfixed -s CRITICAL -s HIGH ttl.sh/${IMAGE_NAME}:1h
90 changes: 90 additions & 0 deletions .github/workflows/docker-push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
on:
workflow_call:
inputs:
dockerfilePath:
description: "Path to Dockerfile."
required: true
type: string
buildArgs:
description: "Build args to be used to build the container image."
required: false
type: string
imageName:
description: "Desired name for container image."
required: false
type: string
imageTag:
description: "Desired tag for container image."
required: false
type: string
secrets:
ociRegistry:
description: "Registry to push the image to."
required: false
oci_registry_user:
description: "Username to authn"
required: false
oci_registry_password:
description: "User password to authn"
required: false

jobs:

build:
runs-on: ubuntu-latest

steps:
- name: Checkout repo
uses: actions/checkout@v2

- name: Build container image
run: |
cd ${{ inputs.dockerfilePath }}
# Push to ttl.sh for scanning
IMAGE_NAME=$(uuidgen)
echo $IMAGE_NAME > random_uuid
docker build . ${{ inputs.buildArgs }} -t ttl.sh/${IMAGE_NAME}:1h
docker push ttl.sh/${IMAGE_NAME}:1h

- name: Upload temp tag
uses: actions/upload-artifact@v3
with:
name: random_uuid
path: ${{ inputs.dockerfilePath }}/random_uuid
retention-days: 1

scan:
runs-on: ubuntu-latest
container:
image: aquasec/trivy:latest
needs: [build]

steps:

- name: Download tag artifact
uses: actions/download-artifact@v3
with:
name: random_uuid
path: ./

- name: Scan image artifact
run: |
IMAGE_NAME=$(cat random_uuid)
trivy image --ignore-unfixed -s CRITICAL -s HIGH ttl.sh/${IMAGE_NAME}:1h

push:
runs-on: ubuntu-latest
needs: [scan]

steps:
- name: Checkout repo
uses: actions/checkout@v2

- name: Build container image
run: |
cd ${{ inputs.dockerfilePath }}
docker login -p ${{ secrets.oci_registry_password }} -u ${{ secrets.oci_registry_user }} ${{ inputs.ociRegistry }}
docker build . ${{ inputs.buildArgs }} -t ${{ inputs.ociRegistry}}/${{ inputs.imageName }}:${{ inputs.imageTag }}
docker build . ${{ inputs.buildArgs }} -t ${{ inputs.ociRegistry}}/${{ inputs.imageName }}:latest
docker push ${{ inputs.ociRegistry}}/${{ inputs.imageName }}:${{ inputs.imageTag }}
docker push ${{ inputs.ociRegistry}}/${{ inputs.imageName }}:latest