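---
# Reusable workflow: builds one container image for the requested platform
# list, scans the result with Trivy, and optionally pushes it to a private
# registry. Called from other workflows via `uses:` with the inputs and
# secrets declared below. Indentation reconstructed; gutter residue dropped.
name: Build container (REUSABLE)

on:  # yamllint disable-line rule:truthy -- GitHub's loader reads `on` as a key
  workflow_call:
    inputs:
      # Release tag; used in the registry cache ref and as the pushed image tag.
      RELEASE:
        required: true
        type: string
      # Buildx platform list, passed straight through to `platforms:`.
      ARCH:
        required: true
        type: string
      # Image name; used for the local tag, the cache ref and the pushed ref.
      IMAGE:
        required: true
        type: string
      # Path of the Dockerfile to build, relative to the checked-out tree.
      DOCKERFILE:
        required: true
        type: string
      # true: build with registry cache-from/cache-to; false: write cache only.
      CACHE:
        required: false
        type: boolean
        default: true
      # true: log in to the private registry and push the built image.
      PUSH:
        required: false
        type: boolean
        default: true
      # Appended to the cache ref for non-cached builds. The literal value
      # 'arm' also switches the job to the remote ARM builder reached over SSH.
      CACHE_SUFFIX:
        required: false
        type: string
        default: ""
    secrets:
      DOCKER_USERNAME:
        required: true
      DOCKER_TOKEN:
        required: true
      # Only used when PUSH is true.
      PRIVATE_REGISTRY:
        required: false
      PRIVATE_REGISTRY_TOKEN:
        required: false
      # Only used when CACHE_SUFFIX is 'arm'.
      ARM_SSH_KEY:
        required: false
      ARM_SSH_IP:
        required: false
      ARM_SSH_CONFIG:
        required: false

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Prepare
      - name: Checkout source code
        uses: actions/checkout@v3
      # Secrets reach the script through `env:` and shell variables rather
      # than `${{ }}` interpolation, so they are never expanded into the
      # script text itself. SSH_IP is substituted into the config template.
      - name: Setup SSH for ARM node
        if: inputs.CACHE_SUFFIX == 'arm'
        run: |
          mkdir -p ~/.ssh
          echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
          chmod 600 ~/.ssh/id_rsa_arm
          echo "$SSH_CONFIG" | sed "s/SSH_IP/$SSH_IP/g" > ~/.ssh/config
        env:
          SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
          SSH_IP: ${{ secrets.ARM_SSH_IP }}
          SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
      - name: Setup Buildx
        uses: docker/setup-buildx-action@v2
        if: inputs.CACHE_SUFFIX != 'arm'
      # The `arm` host alias is expected to come from the SSH config written
      # by the previous step; the builder runs on that remote node.
      - name: Setup Buildx (ARM)
        uses: docker/setup-buildx-action@v2
        if: inputs.CACHE_SUFFIX == 'arm'
        with:
          endpoint: ssh://root@arm
          platforms: linux/arm64,linux/arm/v7,linux/arm/v6
      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Login to private repository
        if: inputs.PUSH == true
        uses: docker/login-action@v2
        with:
          registry: ${{ secrets.PRIVATE_REGISTRY }}
          username: registry
          password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
      # Build cached image
      - name: Build image
        if: inputs.CACHE == true
        uses: docker/build-push-action@v3
        with:
          context: .
          file: ${{ inputs.DOCKERFILE }}
          platforms: ${{ inputs.ARCH }}
          load: true
          tags: local/${{ inputs.IMAGE }}
          cache-from: type=registry,ref=bunkerity/cache:${{ inputs.IMAGE }}-${{ inputs.RELEASE }}
          cache-to: type=registry,ref=bunkerity/cache:${{ inputs.IMAGE }}-${{ inputs.RELEASE }},mode=min
      # Build non-cached image
      # `load` is disabled on the remote ARM builder, so no local image exists
      # there; that is also why the scan step below is skipped for 'arm'.
      - name: Build image
        if: inputs.CACHE != true
        uses: docker/build-push-action@v3
        with:
          context: .
          file: ${{ inputs.DOCKERFILE }}
          platforms: ${{ inputs.ARCH }}
          load: ${{ inputs.CACHE_SUFFIX != 'arm' }}
          tags: local/${{ inputs.IMAGE }}
          cache-to: type=registry,ref=bunkerity/cache:${{ inputs.IMAGE }}-${{ inputs.RELEASE }}-${{ inputs.CACHE_SUFFIX }},mode=min
      # Check OS vulnerabilities
      # Fails the job (exit-code: 1) on any OS-package finding of any severity,
      # fixed or not (ignore-unfixed: false), unless listed in .trivyignore.
      # NOTE(review): `@master` is a mutable ref, unlike the version-tagged
      # actions above; pinning to a release tag or commit SHA would make the
      # scanner step reproducible and auditable.
      - name: Check OS vulnerabilities
        if: ${{ inputs.CACHE_SUFFIX != 'arm' }}
        uses: aquasecurity/trivy-action@master
        with:
          vuln-type: os
          skip-dirs: /root/.cargo
          image-ref: local/${{ inputs.IMAGE }}
          format: table
          exit-code: 1
          ignore-unfixed: false
          severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
          trivyignores: .trivyignore
      # Push image
      # Only TAG goes through `env:`; IMAGE and PRIVATE_REGISTRY are expanded
      # into the shell line at template time. Passing them via `env:` as well
      # would keep the script text fixed regardless of the caller's values.
      - name: Push image
        if: inputs.PUSH == true
        run: docker tag local/${{ inputs.IMAGE }} ${{ secrets.PRIVATE_REGISTRY }}/infra/${{ inputs.IMAGE }}-tests:$TAG && docker push ${{ secrets.PRIVATE_REGISTRY }}/infra/${{ inputs.IMAGE }}-tests:$TAG
        env:
          TAG: "${{ inputs.RELEASE }}"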