bunkerized-nginx/.github/workflows/container-build.yml

name: Build container (REUSABLE)

on:
  workflow_call:
    inputs:
      RELEASE:
        required: true
        type: string
      ARCH:
        required: true
        type: string
      IMAGE:
        required: true
        type: string
      DOCKERFILE:
        required: true
        type: string
      CACHE:
        required: false
        type: boolean
        default: true
      PUSH:
        required: false
        type: boolean
        default: true
      CACHE_SUFFIX:
        required: false
        type: string
        default: ""
    secrets:
      DOCKER_USERNAME:
        required: true
      DOCKER_TOKEN:
        required: true
      ARM_SSH_KEY:
        required: false
      ARM_SSH_IP:
        required: false
      ARM_SSH_CONFIG:
        required: false

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Prepare
      - name: Checkout source code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Replace VERSION
        if: inputs.RELEASE == 'testing'
        run: ./misc/update-version.sh testing
      - name: Setup SSH for ARM node
        if: inputs.CACHE_SUFFIX == 'arm'
        run: |
          mkdir -p ~/.ssh
          echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
          chmod 600 ~/.ssh/id_rsa_arm
          echo "$SSH_CONFIG" | sed "s/SSH_IP/$SSH_IP/g" > ~/.ssh/config
        env:
          SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
          SSH_IP: ${{ secrets.ARM_SSH_IP }}
          SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
      - name: Setup Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
        if: inputs.CACHE_SUFFIX != 'arm'
      - name: Setup Buildx (ARM)
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
        if: inputs.CACHE_SUFFIX == 'arm'
        with:
          endpoint: ssh://root@arm
          platforms: linux/arm64,linux/arm/v7,linux/arm/v6
      - name: Login to Docker Hub
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Login to ghcr
        if: inputs.PUSH == true
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Compute metadata
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@e6428a5c4e294a61438ed7f43155db912025b6b3 # v5.2.0
        with:
          images: bunkerity/${{ inputs.IMAGE }}
      # Build cached image
      - name: Build image
        if: inputs.CACHE == true
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: .
          file: ${{ inputs.DOCKERFILE }}
          platforms: ${{ inputs.ARCH }}
          load: true
          tags: local/${{ inputs.IMAGE }}
          cache-from: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }}
          cache-to: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }},mode=min
          labels: ${{ steps.meta.outputs.labels }}
      # Build non-cached image
      - name: Build image
        if: inputs.CACHE != true
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: .
          file: ${{ inputs.DOCKERFILE }}
          platforms: ${{ inputs.ARCH }}
          load: ${{ inputs.CACHE_SUFFIX != 'arm' }}
          tags: local/${{ inputs.IMAGE }}
          cache-to: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }}-${{ inputs.CACHE_SUFFIX }},mode=min
          labels: ${{ steps.meta.outputs.labels }}
      # Check OS vulnerabilities
      - name: Check OS vulnerabilities
        if: ${{ inputs.CACHE_SUFFIX != 'arm' }}
        uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4 # master
        with:
          vuln-type: os
          skip-dirs: /root/.cargo
          image-ref: local/${{ inputs.IMAGE }}
          format: table
          exit-code: 1
          ignore-unfixed: false
          severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
          trivyignores: .trivyignore
      # Push image
      - name: Push image
        if: inputs.PUSH == true
        run: docker tag local/$IMAGE ghcr.io/bunkerity/$IMAGE-tests:$TAG && docker push ghcr.io/bunkerity/$IMAGE-tests:$TAG
        env:
          IMAGE: "${{ inputs.IMAGE }}"
          TAG: "${{ inputs.RELEASE }}"
init work on CI/CD for generic beta releases, remove useless autoconf examples and fix linux postinstall script 2023-04-29 15:21:30 +02:00			`name: Build container (REUSABLE)`
ci/cd - init work 2023-03-01 17:46:40 +01:00
ci/cd - remove subfolder and continue work on staging 2023-03-02 11:56:14 +01:00			`on:`
ci/cd - init work 2023-03-01 17:46:40 +01:00			`workflow_call:`
			`inputs:`
init work on CI/CD for generic beta releases, remove useless autoconf examples and fix linux postinstall script 2023-04-29 15:21:30 +02:00			`RELEASE:`
			`required: true`
			`type: string`
			`ARCH:`
ci/cd - fix typo in staging.yml 2023-04-29 15:22:42 +02:00			`required: true`
init work on CI/CD for generic beta releases, remove useless autoconf examples and fix linux postinstall script 2023-04-29 15:21:30 +02:00			`type: string`
ci/cd - init work 2023-03-01 17:46:40 +01:00			`IMAGE:`
			`required: true`
			`type: string`
			`DOCKERFILE:`
			`required: true`
			`type: string`
use current_bw_version for docs, add automatic tests to ui branch and fix letsencrypt permissions for linux 2023-04-29 16:47:28 +02:00			`CACHE:`
			`required: false`
			`type: boolean`
			`default: true`
			`PUSH:`
			`required: false`
			`type: boolean`
			`default: true`
ci/cd - fix wrong cache name in container build workflow 2023-04-30 00:24:35 +02:00			`CACHE_SUFFIX:`
			`required: false`
ci/cd - fix typo in container build workflow 2023-04-30 00:27:38 +02:00			`type: string`
ci/cd - fix wrong cache name in container build workflow 2023-04-30 00:24:35 +02:00			`default: ""`
ci/cd - init work 2023-03-01 17:46:40 +01:00			`secrets:`
			`DOCKER_USERNAME:`
			`required: true`
			`DOCKER_TOKEN:`
			`required: true`
ci/cd - fix wrong cache name in container build workflow 2023-04-30 00:24:35 +02:00			`ARM_SSH_KEY:`
			`required: false`
ci/cd - dynamic arm build node 2023-04-30 03:07:26 +02:00			`ARM_SSH_IP:`
			`required: false`
ci/cd - fix wrong cache name in container build workflow 2023-04-30 00:24:35 +02:00			`ARM_SSH_CONFIG:`
			`required: false`
ci/cd - init work 2023-03-01 17:46:40 +01:00
			`jobs:`
			`build:`
			`runs-on: ubuntu-latest`
			`steps:`
			`# Prepare`
			`- name: Checkout source code`
deps/gha: bump actions/checkout from 4.1.0 to 4.1.1 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...b4ffde65f46336ab88eb53be808477a3936bae11) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 2023-10-18 06:15:57 +02:00			`uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`
ci/cd - update VERSION file for testing release 2023-08-15 20:32:03 +02:00			`- name: Replace VERSION`
			`if: inputs.RELEASE == 'testing'`
ci/cd - replace version string for testing release 2023-08-15 21:28:17 +02:00			`run: ./misc/update-version.sh testing`
add missing dependencies when prebuilt crypto package is not present 2023-04-30 00:58:37 +02:00			`- name: Setup SSH for ARM node`
			`if: inputs.CACHE_SUFFIX == 'arm'`
			`run: \|`
			`mkdir -p ~/.ssh`
			`echo "$SSH_KEY" > ~/.ssh/id_rsa_arm`
			`chmod 600 ~/.ssh/id_rsa_arm`
ci/cd - dynamic arm build node 2023-04-30 03:07:26 +02:00			`echo "$SSH_CONFIG" \| sed "s/SSH_IP/$SSH_IP/g" > ~/.ssh/config`
add missing dependencies when prebuilt crypto package is not present 2023-04-30 00:58:37 +02:00			`env:`
			`SSH_KEY: ${{ secrets.ARM_SSH_KEY }}`
ci/cd - dynamic arm build node 2023-04-30 03:07:26 +02:00			`SSH_IP: ${{ secrets.ARM_SSH_IP }}`
ci/cd - various fixes for arm build 2023-04-30 03:56:19 +02:00			`SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}`
ci/cd - init work 2023-03-01 17:46:40 +01:00			`- name: Setup Buildx`
Use hashes instead of versions in github workflows 2023-10-02 18:30:17 +02:00			`uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0`
add missing dependencies when prebuilt crypto package is not present 2023-04-30 00:58:37 +02:00			`if: inputs.CACHE_SUFFIX != 'arm'`
			`- name: Setup Buildx (ARM)`
Use hashes instead of versions in github workflows 2023-10-02 18:30:17 +02:00			`uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0`
add missing dependencies when prebuilt crypto package is not present 2023-04-30 00:58:37 +02:00			`if: inputs.CACHE_SUFFIX == 'arm'`
			`with:`
ci/cd - dynamic arm build node 2023-04-30 03:07:26 +02:00			`endpoint: ssh://root@arm`
add missing dependencies when prebuilt crypto package is not present 2023-04-30 00:58:37 +02:00			`platforms: linux/arm64,linux/arm/v7,linux/arm/v6`
ci/cd - init work 2023-03-01 17:46:40 +01:00			`- name: Login to Docker Hub`
Use hashes instead of versions in github workflows 2023-10-02 18:30:17 +02:00			`uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0`
ci/cd - init work 2023-03-01 17:46:40 +01:00			`with:`
			`username: ${{ secrets.DOCKER_USERNAME }}`
			`password: ${{ secrets.DOCKER_TOKEN }}`
ci/cd - use gh cache for docker cache and pushes to ghcr.io 2023-08-24 16:48:45 +02:00			`- name: Login to ghcr`
ci/cd - fix wrong condition for container-build workflow 2023-04-29 16:53:33 +02:00			`if: inputs.PUSH == true`
Use hashes instead of versions in github workflows 2023-10-02 18:30:17 +02:00			`uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0`
ci/cd - init work 2023-03-01 17:46:40 +01:00			`with:`
ci/cd - use gh cache for docker cache and pushes to ghcr.io 2023-08-24 16:48:45 +02:00			`registry: ghcr.io`
ci/cd - edit username for ghcr auth 2023-08-24 17:04:44 +02:00			`username: ${{ github.actor }}`
ci/cd - use gh cache for docker cache and pushes to ghcr.io 2023-08-24 16:48:45 +02:00			`password: ${{ secrets.GITHUB_TOKEN }}`
			`# Compute metadata`
			`- name: Extract metadata`
			`id: meta`
deps/gha: bump docker/metadata-action from 5.0.0 to 5.2.0 Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5.0.0 to 5.2.0. - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](https://github.com/docker/metadata-action/compare/96383f45573cb7f253c731d3b3ab81c87ef81934...e6428a5c4e294a61438ed7f43155db912025b6b3) --- updated-dependencies: - dependency-name: docker/metadata-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 2023-12-01 09:10:51 +01:00			`uses: docker/metadata-action@e6428a5c4e294a61438ed7f43155db912025b6b3 # v5.2.0`
ci/cd - use gh cache for docker cache and pushes to ghcr.io 2023-08-24 16:48:45 +02:00			`with:`
			`images: bunkerity/${{ inputs.IMAGE }}`
use current_bw_version for docs, add automatic tests to ui branch and fix letsencrypt permissions for linux 2023-04-29 16:47:28 +02:00			`# Build cached image`
init work on CI/CD for generic beta releases, remove useless autoconf examples and fix linux postinstall script 2023-04-29 15:21:30 +02:00			`- name: Build image`
use current_bw_version for docs, add automatic tests to ui branch and fix letsencrypt permissions for linux 2023-04-29 16:47:28 +02:00			`if: inputs.CACHE == true`
deps/gha: bump docker/build-push-action from 5.0.0 to 5.1.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/0565240e2d4ab88bba5387d719585280857ece09...4a13e500e55cf31b7a5d59a38ab2040ab0f42f56) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 2023-11-20 09:15:46 +01:00			`uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0`
ci/cd - init work 2023-03-01 17:46:40 +01:00			`with:`
			`context: .`
			`file: ${{ inputs.DOCKERFILE }}`
init work on CI/CD for generic beta releases, remove useless autoconf examples and fix linux postinstall script 2023-04-29 15:21:30 +02:00			`platforms: ${{ inputs.ARCH }}`
ci/cd - init work 2023-03-01 17:46:40 +01:00			`load: true`
			`tags: local/${{ inputs.IMAGE }}`
ci/cd - use gh cache for docker cache and pushes to ghcr.io 2023-08-24 16:48:45 +02:00			`cache-from: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }}`
			`cache-to: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }},mode=min`
			`labels: ${{ steps.meta.outputs.labels }}`
use current_bw_version for docs, add automatic tests to ui branch and fix letsencrypt permissions for linux 2023-04-29 16:47:28 +02:00			`# Build non-cached image`
init work on CI/CD for generic beta releases, remove useless autoconf examples and fix linux postinstall script 2023-04-29 15:21:30 +02:00			`- name: Build image`
ci/cd fix typo in container-build workflow 2023-04-29 16:48:34 +02:00			`if: inputs.CACHE != true`
deps/gha: bump docker/build-push-action from 5.0.0 to 5.1.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/0565240e2d4ab88bba5387d719585280857ece09...4a13e500e55cf31b7a5d59a38ab2040ab0f42f56) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 2023-11-20 09:15:46 +01:00			`uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0`
init work on CI/CD for generic beta releases, remove useless autoconf examples and fix linux postinstall script 2023-04-29 15:21:30 +02:00			`with:`
			`context: .`
			`file: ${{ inputs.DOCKERFILE }}`
			`platforms: ${{ inputs.ARCH }}`
ci/cd - remove load image in buildkit for ARM archs because of docker limitation 2023-04-30 11:47:44 +02:00			`load: ${{ inputs.CACHE_SUFFIX != 'arm' }}`
init work on CI/CD for generic beta releases, remove useless autoconf examples and fix linux postinstall script 2023-04-29 15:21:30 +02:00			`tags: local/${{ inputs.IMAGE }}`
ci/cd - use gh cache for docker cache and pushes to ghcr.io 2023-08-24 16:48:45 +02:00			`cache-to: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }}-${{ inputs.CACHE_SUFFIX }},mode=min`
			`labels: ${{ steps.meta.outputs.labels }}`
ci/cd - init work 2023-03-01 17:46:40 +01:00			`# Check OS vulnerabilities`
			`- name: Check OS vulnerabilities`
ci/cd - remove load image in buildkit for ARM archs because of docker limitation 2023-04-30 11:47:44 +02:00			`if: ${{ inputs.CACHE_SUFFIX != 'arm' }}`
Use hashes instead of versions in github workflows 2023-10-02 18:30:17 +02:00			`uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4 # master`
ci/cd - init work 2023-03-01 17:46:40 +01:00			`with:`
			`vuln-type: os`
ci/cd - ignore /root/.cargo dir for security checks, use fixed sha1 commit for scw actions and add missing deps for ui/arm 2023-04-30 03:34:06 +02:00			`skip-dirs: /root/.cargo`
ci/cd - init work 2023-03-01 17:46:40 +01:00			`image-ref: local/${{ inputs.IMAGE }}`
			`format: table`
			`exit-code: 1`
			`ignore-unfixed: false`
			`severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`
			`trivyignores: .trivyignore`
			`# Push image`
			`- name: Push image`
use current_bw_version for docs, add automatic tests to ui branch and fix letsencrypt permissions for linux 2023-04-29 16:47:28 +02:00			`if: inputs.PUSH == true`
ci/cd - fix tests image names 2023-08-24 17:23:36 +02:00			`run: docker tag local/$IMAGE ghcr.io/bunkerity/$IMAGE-tests:$TAG && docker push ghcr.io/bunkerity/$IMAGE-tests:$TAG`
init work on CI/CD for generic beta releases, remove useless autoconf examples and fix linux postinstall script 2023-04-29 15:21:30 +02:00			`env:`
ci/cd - use gh cache for docker cache and pushes to ghcr.io 2023-08-24 16:48:45 +02:00			`IMAGE: "${{ inputs.IMAGE }}"`
init work on CI/CD for generic beta releases, remove useless autoconf examples and fix linux postinstall script 2023-04-29 15:21:30 +02:00			`TAG: "${{ inputs.RELEASE }}"`