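name: Build Base Images

# Pipeline order (the order is security-relevant):
#   1. build             - build the base images and push them to REGISTRY
#                          under the tags produced by ./.github/actions/auto-tag
#   2. Security-service  - pin the pushed image to its digest, produce an SBOM,
#                          fail on HIGH/CRITICAL findings, then sign that digest
#                          (keyless, using the job's OIDC token)
#   3. promote-dockerhub - only after the scan passed, and only from the default
#                          branch, copy the full multi-arch index to Docker Hub
#                          as ":latest"
# Any push touching deploy/base-images/** publishes to REGISTRY; the public
# Docker Hub ":latest" tag can only be rewritten from the default branch.

on:
  workflow_call:
    inputs:
      registry:
        description: "Target registry"
        type: string
        required: true
      org:
        description: "Target organization"
        type: string
        required: true
      push_images:
        description: "Push images instead of building locally"
        type: boolean
        default: true
      dockerhub_namespace:
        description: "Docker Hub namespace (user/org)"
        type: string
        default: "cloudneutral"
    # Declared so callers can pass them explicitly; `secrets: inherit` also
    # works. Only the Docker Hub promotion job needs them.
    secrets:
      DOCKERHUB_USERNAME:
        description: "Docker Hub user for the promotion job"
        required: false
      DOCKERHUB_TOKEN:
        description: "Docker Hub access token (not the account password)"
        required: false
  workflow_dispatch:
    inputs:
      registry:
        description: "Target registry"
        type: string
        default: "ghcr.io"
      org:
        description: "Target organization"
        type: string
        default: "cloud-neutral-toolkit"
      push_images:
        description: "Push images instead of building locally"
        type: boolean
        default: true
      dockerhub_namespace:
        description: "Docker Hub namespace (user/org)"
        type: string
        default: "cloudneutral"
  push:
    paths:
      - "deploy/base-images/**"

# Workflow-wide ceiling; every job below narrows this to what it actually uses.
permissions:
  contents: read
  packages: write
  id-token: write

env:
  # `inputs` is populated for both workflow_call and workflow_dispatch and is
  # empty for a plain push, so one fallback per value is enough.
  REGISTRY: ${{ inputs.registry || 'ghcr.io' }}
  ORG: ${{ inputs.org || 'cloud-neutral-toolkit' }}

  # Push control: a plain `push` always publishes; callers and manual runs opt
  # in or out via push_images.
  PUSH_IMAGES: ${{ github.event_name == 'push' || inputs.push_images == true }}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read # checkout
      packages: write # push to REGISTRY
    strategy:
      matrix:
        image:
          - { name: openresty-geoip, file: deploy/base-images/openresty-geoip.Dockerfile }
          - { name: postgres-runtime, file: deploy/base-images/postgres-runtime-wth-extensions.Dockerfile }

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # NOTE(review): the downstream jobs look the image up by its short-SHA tag;
      # this assumes auto-tag emits "<first 7 chars of GITHUB_SHA>" as one of its
      # tags - confirm against .github/actions/auto-tag.
      - name: Generate Auto Tags
        id: meta
        uses: ./.github/actions/auto-tag
        with:
          image: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ matrix.image.name }}

      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        id: build
        with:
          context: .
          file: ${{ matrix.image.file }}
          platforms: linux/amd64,linux/arm64
          # Same switch as the jobs below so "built but not pushed" and
          # "scanned/signed/promoted" can never disagree.
          push: ${{ env.PUSH_IMAGES }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  Security-service:
    runs-on: ubuntu-latest
    needs: build
    # Nothing exists in the registry to scan or sign unless build pushed. The
    # `env` context is not available in a job-level `if`, so the PUSH_IMAGES
    # expression is restated here.
    if: ${{ github.event_name == 'push' || inputs.push_images == true }}
    permissions:
      packages: write # pull the image and push the cosign signature
      id-token: write # keyless (Fulcio/Rekor) signing
    strategy:
      matrix:
        image: [openresty-geoip, postgres-runtime]

    # No checkout: every step works against the registry; nothing here reads
    # the source tree.
    steps:
      # Needed both to pull a private package and to write the ".sig" manifest
      # that `cosign sign` pushes next to the image.
      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Pin the tag to a digest once so the SBOM, the scan and the signature all
      # describe exactly the same artifact (a tag can move between steps).
      - name: Resolve image digest
        id: ref
        env:
          REPO: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ matrix.image }}
        run: |
          set -euo pipefail
          tag="${GITHUB_SHA::7}"
          digest="$(docker buildx imagetools inspect "${REPO}:${tag}" --format '{{.Manifest.Digest}}')"
          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
          echo "pinned=${REPO}@${digest}" >> "$GITHUB_OUTPUT"

      - uses: anchore/sbom-action@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
        with:
          image: ${{ steps.ref.outputs.pinned }}
          output-file: sbom.spdx.json

      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: sbom-${{ matrix.image }}
          path: sbom.spdx.json

      # -------------------------------------------------------------
      # Trivy Vulnerability Scan - the gate. A HIGH/CRITICAL finding fails
      # the job before anything is signed or promoted to Docker Hub.
      # -------------------------------------------------------------
      - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          image-ref: ${{ steps.ref.outputs.pinned }}
          severity: HIGH,CRITICAL
          exit-code: '1'

      - uses: sigstore/cosign-installer@2e2f661cd4be3a4b891a882064e49d0fed4b7b88 # v3.9.0
        with:
          cosign-release: 'v2.4.1'

      # Keyless signing is the default in cosign v2, so COSIGN_EXPERIMENTAL is
      # no longer needed. Signing the digest (not the tag) means the signature
      # covers the artifact that was just scanned, not whatever the tag points
      # at when cosign resolves it.
      - name: Sign Image
        env:
          COSIGN_IMAGE: ${{ steps.ref.outputs.pinned }}
        run: |
          set -euo pipefail
          cosign sign --yes "$COSIGN_IMAGE"

  # -------------------------------------------------------------
  # Promote to Docker Hub (optional) - runs only after the scan passed,
  # and only rewrites the public ":latest" from the default branch so a
  # feature-branch push cannot replace it.
  # -------------------------------------------------------------
  promote-dockerhub:
    runs-on: ubuntu-latest
    needs: Security-service
    if: >-
      ${{ (github.event_name == 'push' || inputs.push_images == true)
      && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
    permissions:
      packages: read # read the scanned image from REGISTRY
    strategy:
      matrix:
        image: [openresty-geoip, postgres-runtime]

    steps:
      - name: Login to source registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # `imagetools create` copies the whole multi-arch index by digest.
      # `docker pull` / `docker tag` / `docker push` would only re-push the
      # runner's own platform (amd64) and silently drop arm64.
      - name: Copy Image Index (Docker Hub)
        env:
          SOURCE_REPO: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ matrix.image }}
          TARGET_REPO: docker.io/${{ inputs.dockerhub_namespace || 'cloudneutral' }}/${{ matrix.image }}
        run: |
          set -euo pipefail
          tag="${GITHUB_SHA::7}"
          digest="$(docker buildx imagetools inspect "${SOURCE_REPO}:${tag}" --format '{{.Manifest.Digest}}')"
          docker buildx imagetools create --tag "${TARGET_REPO}:latest" "${SOURCE_REPO}@${digest}"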