bunkerized-nginx/.github/workflows/container-build.yml

126 lines
3.9 KiB
YAML

name: Build container (REUSABLE)
on:
workflow_call:
inputs:
RELEASE:
required: true
type: string
ARCH:
required: true
type: string
IMAGE:
required: true
type: string
DOCKERFILE:
required: true
type: string
CACHE:
required: false
type: boolean
default: true
PUSH:
required: false
type: boolean
default: true
CACHE_SUFFIX:
required: false
type: string
default: ""
secrets:
DOCKER_USERNAME:
required: true
DOCKER_TOKEN:
required: true
PRIVATE_REGISTRY:
required: false
PRIVATE_REGISTRY_TOKEN:
required: false
ARM_SSH_KEY:
required: false
ARM_SSH_IP:
required: false
ARM_SSH_CONFIG:
required: false
jobs:
build:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup SSH for ARM node
if: inputs.CACHE_SUFFIX == 'arm'
run: |
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
chmod 600 ~/.ssh/id_rsa_arm
echo "$SSH_CONFIG" | sed "s/SSH_IP/$SSH_IP/g" > ~/.ssh/config
env:
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
SSH_IP: ${{ secrets.ARM_SSH_IP }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
if: inputs.CACHE_SUFFIX != 'arm'
- name: Setup Buildx (ARM)
uses: docker/setup-buildx-action@v2
if: inputs.CACHE_SUFFIX == 'arm'
with:
endpoint: ssh://root@arm
platforms: linux/arm64,linux/arm/v7,linux/arm/v6
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
if: inputs.PUSH == true
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build cached image
- name: Build image
if: inputs.CACHE == true
uses: docker/build-push-action@v3
with:
context: .
file: ${{ inputs.DOCKERFILE }}
platforms: ${{ inputs.ARCH }}
load: true
tags: local/${{ inputs.IMAGE }}
cache-from: type=registry,ref=bunkerity/cache:${{ inputs.IMAGE }}-${{ inputs.RELEASE }}
cache-to: type=registry,ref=bunkerity/cache:${{ inputs.IMAGE }}-${{ inputs.RELEASE }},mode=min
# Build non-cached image
- name: Build image
if: inputs.CACHE != true
uses: docker/build-push-action@v3
with:
context: .
file: ${{ inputs.DOCKERFILE }}
platforms: ${{ inputs.ARCH }}
load: ${{ inputs.CACHE_SUFFIX != 'arm' }}
tags: local/${{ inputs.IMAGE }}
cache-to: type=registry,ref=bunkerity/cache:${{ inputs.IMAGE }}-${{ inputs.RELEASE }}-${{ inputs.CACHE_SUFFIX }},mode=min
# Check OS vulnerabilities
- name: Check OS vulnerabilities
if: ${{ inputs.CACHE_SUFFIX != 'arm' }}
uses: aquasecurity/trivy-action@master
with:
vuln-type: os
skip-dirs: /root/.cargo
image-ref: local/${{ inputs.IMAGE }}
format: table
exit-code: 1
ignore-unfixed: false
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
trivyignores: .trivyignore
# Push image
- name: Push image
if: inputs.PUSH == true
run: docker tag local/${{ inputs.IMAGE }} ${{ secrets.PRIVATE_REGISTRY }}/infra/${{ inputs.IMAGE }}-tests:$TAG && docker push ${{ secrets.PRIVATE_REGISTRY }}/infra/${{ inputs.IMAGE }}-tests:$TAG
env:
TAG: "${{ inputs.RELEASE }}"