updated docker build publish workflow
This commit is contained in:
estebanthi
114
workflows/docker-build-publish/workflow.yml
Normal file
114
workflows/docker-build-publish/workflow.yml
Normal file
@@ -0,0 +1,114 @@
|
||||
name: Docker Build, Scan & Publish
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
images:
|
||||
description: >
|
||||
JSON array of images to build.
|
||||
Each item: { name, context, dockerfile, target, cache_ref }
|
||||
required: true
|
||||
type: string
|
||||
|
||||
registry_host:
|
||||
required: true
|
||||
type: string
|
||||
|
||||
default_branch:
|
||||
required: true
|
||||
type: string
|
||||
|
||||
build_args:
|
||||
required: false
|
||||
type: string
|
||||
default: ""
|
||||
|
||||
trivy_severity:
|
||||
required: false
|
||||
type: string
|
||||
default: "CRITICAL"
|
||||
|
||||
secrets:
|
||||
registry_user:
|
||||
required: true
|
||||
registry_password:
|
||||
required: true
|
||||
ci_token:
|
||||
required: true
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Determine branch context
|
||||
id: branch
|
||||
run: |
|
||||
if [ "${{ github.ref_name }}" = "${{ inputs.default_branch }}" ]; then
|
||||
echo "is_default=true" >> "$GITHUB_OUTPUT"
|
||||
else
|
||||
echo "is_default=false" >> "$GITHUB_OUTPUT"
|
||||
fi
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
|
||||
- name: Login to registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: ${{ inputs.registry_host }}
|
||||
username: ${{ secrets.registry_user }}
|
||||
password: ${{ secrets.registry_password }}
|
||||
|
||||
- name: Build, scan and push images
|
||||
env:
|
||||
IMAGES: ${{ inputs.images }}
|
||||
BUILD_ARGS: ${{ inputs.build_args }}
|
||||
CI_TOKEN: ${{ secrets.ci_token }}
|
||||
TRIVY_SEVERITY: ${{ inputs.trivy_severity }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
echo "$IMAGES" | jq -c '.[]' | while read -r img; do
|
||||
NAME=$(echo "$img" | jq -r '.name')
|
||||
CONTEXT=$(echo "$img" | jq -r '.context')
|
||||
DOCKERFILE=$(echo "$img" | jq -r '.dockerfile')
|
||||
TARGET=$(echo "$img" | jq -r '.target')
|
||||
CACHE_REF=$(echo "$img" | jq -r '.cache_ref')
|
||||
|
||||
echo "==== Building $NAME ===="
|
||||
|
||||
TAGS=()
|
||||
TAGS+=("$NAME:${{ github.ref_name }}")
|
||||
TAGS+=("$NAME:${{ github.sha }}")
|
||||
|
||||
if [ "${{ steps.branch.outputs.is_default }}" = "true" ]; then
|
||||
TAGS+=("$NAME:latest")
|
||||
fi
|
||||
|
||||
TAG_ARGS=$(printf -- "--tag %s " "${TAGS[@]}")
|
||||
|
||||
docker buildx build \
|
||||
--file "$DOCKERFILE" \
|
||||
--target "$TARGET" \
|
||||
--cache-from "type=registry,ref=$CACHE_REF" \
|
||||
--cache-to "type=registry,ref=$CACHE_REF,mode=max" \
|
||||
--load \
|
||||
$TAG_ARGS \
|
||||
$(printf -- "--build-arg %s " $BUILD_ARGS) \
|
||||
"$CONTEXT"
|
||||
|
||||
echo "==== Trivy scan for $NAME ===="
|
||||
trivy image \
|
||||
--severity "$TRIVY_SEVERITY" \
|
||||
--exit-code 1 \
|
||||
"${TAGS[0]}"
|
||||
|
||||
echo "==== Pushing $NAME ===="
|
||||
for tag in "${TAGS[@]}"; do
|
||||
docker push "$tag"
|
||||
done
|
||||
done
|
||||
@@ -1,81 +0,0 @@
|
||||
name: Build and Push Docker Image
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- '*'
|
||||
|
||||
env:
|
||||
REGISTRY_HOST: ${{ secrets.REGISTRY_HOST }}
|
||||
REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
|
||||
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
|
||||
GITHUB_TOKEN: ${{ secrets.CI_GITEA_TOKEN }} # Required for Docker metadata extraction
|
||||
IMAGE_NAME: "Wavyzz/myimage"
|
||||
# CACHE_REF: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_NAME }}:buildcache # (Optional) for build cache
|
||||
|
||||
jobs:
|
||||
build-push:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v5
|
||||
|
||||
# (Optional) checks if current branch is the default branch
|
||||
- name: Define branch helpers
|
||||
id: branch
|
||||
run: |
|
||||
DEFAULT="${{ github.event.repository.default_branch }}"
|
||||
CURRENT="${{ github.ref_name }}"
|
||||
if [ "$DEFAULT" = "$CURRENT" ]; then
|
||||
echo "is_default_branch=true" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "is_default_branch=false" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
# (Optional) automatically extract tags and labels from git context
|
||||
- name: Extract Docker metadata
|
||||
id: meta
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
github-token: ${{ env.GITHUB_TOKEN }}
|
||||
images: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_NAME }}
|
||||
tags: |
|
||||
type=ref,event=branch
|
||||
type=ref,event=tag
|
||||
type=sha
|
||||
type=raw,value=latest,enable=${{ steps.branch.outputs.is_default_branch }}
|
||||
|
||||
# (Optional) for multi-platform builds
|
||||
# - name: Set up QEMU
|
||||
# uses: docker/setup-qemu-action@v3
|
||||
|
||||
# (Optional but recommended) for advanced builds
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
|
||||
- name: Log in to registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: ${{ env.REGISTRY_HOST }}
|
||||
username: ${{ env.REGISTRY_USER }}
|
||||
password: ${{ env.REGISTRY_PASSWORD }}
|
||||
|
||||
- name: Build and push Docker image
|
||||
uses: docker/build-push-action@v5
|
||||
with: # Adjust as needed
|
||||
context: .
|
||||
file: ./Dockerfile
|
||||
push: true
|
||||
# platforms: linux/amd64,linux/arm64
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
# cache-from: type=registry,ref=${{ env.CACHE_REF }}
|
||||
# cache-to: type=registry,ref=${{ env.CACHE_REF }},mode=max
|
||||
|
||||
- name: Image details
|
||||
run: |
|
||||
echo "Image pushed: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_NAME }}"
|
||||
echo "Labels: ${{ steps.meta.outputs.labels }}"
|
||||
echo "Tags: ${{ steps.meta.outputs.tags }}"
|
||||
echo "Digest: ${{ steps.meta.outputs.digest }}"
|
||||
Reference in New Issue
Block a user