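# Reusable workflow: builds one container image from DOCKERFILE for the
# platform(s) in ARCH, runs a Trivy OS-package scan on it (non-ARM builds
# only, see the scan step) and optionally pushes it to
# ghcr.io/bunkerity/<IMAGE>-tests:<RELEASE>.
#
# Inputs (strings unless noted):
#   RELEASE      - release channel; 'testing' also runs misc/update-version.sh.
#                  Used as the pushed image tag and as part of the cache scope.
#   ARCH         - platform list handed to buildx (e.g. linux/amd64).
#   IMAGE        - image name; built as local/<IMAGE>, pushed under bunkerity/.
#   DOCKERFILE   - path of the Dockerfile to build.
#   CACHE (bool) - true: build with the shared GHA cache scope;
#                  false: build without cache-from, write a suffixed scope.
#   PUSH (bool)  - true: log in to ghcr.io and push the built image.
#   CACHE_SUFFIX - 'arm' selects the remote ARM builder over SSH. That image
#                  is NOT loaded into the local daemon and therefore NOT
#                  scanned by Trivy.
#
# Secrets: DOCKER_USERNAME / DOCKER_TOKEN (Docker Hub login, used on every
# run), ARM_SSH_KEY / ARM_SSH_IP / ARM_SSH_CONFIG (only for the 'arm' path;
# declared optional here, so the SSH step verifies they are actually set).
name: Build container (REUSABLE)

on:
  workflow_call:
    inputs:
      RELEASE:
        required: true
        type: string
      ARCH:
        required: true
        type: string
      IMAGE:
        required: true
        type: string
      DOCKERFILE:
        required: true
        type: string
      CACHE:
        required: false
        type: boolean
        default: true
      PUSH:
        required: false
        type: boolean
        default: true
      CACHE_SUFFIX:
        required: false
        type: string
        default: ""
    secrets:
      DOCKER_USERNAME:
        required: true
      DOCKER_TOKEN:
        required: true
      # Only needed when CACHE_SUFFIX == 'arm'; checked explicitly below.
      ARM_SSH_KEY:
        required: false
      ARM_SSH_IP:
        required: false
      ARM_SSH_CONFIG:
        required: false

jobs:
  build:
    runs-on: ubuntu-latest
    # NOTE(review): no `permissions:` block — the job runs with whatever the
    # caller grants. A called workflow can only narrow those permissions
    # (contents: read, packages: write would cover checkout + ghcr push);
    # confirm every caller grants that before adding it here.
    steps:
      # Prepare
      - name: Checkout source code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Replace VERSION
        if: inputs.RELEASE == 'testing'
        run: ./misc/update-version.sh testing

      # The ARM_SSH_* secrets are optional at the interface level, so an
      # 'arm' run missing one of them would otherwise write an empty key or
      # config and fail later with an opaque SSH error. Fail here instead.
      - name: Setup SSH for ARM node
        if: inputs.CACHE_SUFFIX == 'arm'
        run: |
          set -euo pipefail
          if [ -z "$SSH_KEY" ] || [ -z "$SSH_IP" ] || [ -z "$SSH_CONFIG" ]; then
            echo "::error::ARM_SSH_KEY, ARM_SSH_IP and ARM_SSH_CONFIG must be set when CACHE_SUFFIX is 'arm'"
            exit 1
          fi
          # umask 077 makes ~/.ssh and the files created below private from
          # the moment they exist, instead of relying on a chmod afterwards.
          umask 077
          mkdir -p ~/.ssh
          # printf rather than echo: a key block beginning with '-' can
          # never be taken for an echo option.
          printf '%s\n' "$SSH_KEY" > ~/.ssh/id_rsa_arm
          chmod 600 ~/.ssh/id_rsa_arm
          # Replace the SSH_IP placeholder with a bash substitution instead
          # of sed, so a value containing sed metacharacters ('/', '&')
          # cannot corrupt or truncate the config.
          # NOTE(review): the config content is opaque here — confirm it
          # pins the host key (known_hosts / StrictHostKeyChecking) for the
          # root@arm endpoint buildx connects to below.
          printf '%s\n' "${SSH_CONFIG//SSH_IP/"$SSH_IP"}" > ~/.ssh/config
          chmod 600 ~/.ssh/config
        env:
          SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
          SSH_IP: ${{ secrets.ARM_SSH_IP }}
          SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}

      - name: Setup Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
        if: inputs.CACHE_SUFFIX != 'arm'

      # Remote builder reached through the ~/.ssh/config written above.
      - name: Setup Buildx (ARM)
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
        if: inputs.CACHE_SUFFIX == 'arm'
        with:
          endpoint: ssh://root@arm
          platforms: linux/arm64,linux/arm/v7,linux/arm/v6

      # Not gated on PUSH, unlike the ghcr login below — presumably kept for
      # authenticated pulls / rate limits. Confirm before gating it.
      - name: Login to Docker Hub
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}

      - name: Login to ghcr
        if: inputs.PUSH == true
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Compute metadata
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@e6428a5c4e294a61438ed7f43155db912025b6b3 # v5.2.0
        with:
          images: bunkerity/${{ inputs.IMAGE }}

      # Build cached image: reads and writes the shared <IMAGE>-<RELEASE>
      # cache scope and loads the result into the local daemon for scanning.
      - name: Build image
        if: inputs.CACHE == true
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: .
          file: ${{ inputs.DOCKERFILE }}
          platforms: ${{ inputs.ARCH }}
          load: true
          tags: local/${{ inputs.IMAGE }}
          cache-from: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }}
          cache-to: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }},mode=min
          labels: ${{ steps.meta.outputs.labels }}

      # Build non-cached image: no cache-from, writes a suffixed scope. The
      # ARM variant is built on the remote node and is NOT loaded locally.
      - name: Build image
        if: inputs.CACHE != true
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: .
          file: ${{ inputs.DOCKERFILE }}
          platforms: ${{ inputs.ARCH }}
          load: ${{ inputs.CACHE_SUFFIX != 'arm' }}
          tags: local/${{ inputs.IMAGE }}
          cache-to: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }}-${{ inputs.CACHE_SUFFIX }},mode=min
          labels: ${{ steps.meta.outputs.labels }}

      # Check OS vulnerabilities. Any finding of any severity fails the job
      # (exit-code: 1, ignore-unfixed: false) unless listed in .trivyignore.
      # Skipped for ARM because that image was never loaded into the local
      # daemon — ARM images therefore reach the push step unscanned.
      - name: Check OS vulnerabilities
        if: ${{ inputs.CACHE_SUFFIX != 'arm' }}
        uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4 # master
        with:
          vuln-type: os
          skip-dirs: /root/.cargo
          image-ref: local/${{ inputs.IMAGE }}
          format: table
          exit-code: 1
          ignore-unfixed: false
          severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
          trivyignores: .trivyignore

      # Push image. Inputs reach the shell through env vars, not by
      # interpolating ${{ }} into the script, so they cannot inject commands.
      # NOTE(review): local/<IMAGE> only exists when the build loaded it,
      # i.e. not on the 'arm' path — presumably ARM callers pass PUSH=false.
      - name: Push image
        if: inputs.PUSH == true
        run: docker tag local/$IMAGE ghcr.io/bunkerity/$IMAGE-tests:$TAG && docker push ghcr.io/bunkerity/$IMAGE-tests:$TAG
        env:
          IMAGE: "${{ inputs.IMAGE }}"
          TAG: "${{ inputs.RELEASE }}"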