From 088c4c740355e78464fc9e4280f63423e3a701cf Mon Sep 17 00:00:00 2001
From: estebanthi
Date: Sun, 4 Jan 2026 12:21:48 +0100
Subject: [PATCH] updated docker build publish workflow

---
 .../README.md | 0
 workflows/docker-build-publish/workflow.yml | 114 ++++++++++++++++++
 workflows/docker-build-push/workflow.yml | 81 -------------
 3 files changed, 114 insertions(+), 81 deletions(-)
 rename workflows/{docker-build-push => docker-build-publish}/README.md (100%)
 create mode 100644 workflows/docker-build-publish/workflow.yml
 delete mode 100644 workflows/docker-build-push/workflow.yml

diff --git a/workflows/docker-build-push/README.md b/workflows/docker-build-publish/README.md
similarity index 100%
rename from workflows/docker-build-push/README.md
rename to workflows/docker-build-publish/README.md
diff --git a/workflows/docker-build-publish/workflow.yml b/workflows/docker-build-publish/workflow.yml
new file mode 100644
index 0000000..5fc2d35
--- /dev/null
+++ b/workflows/docker-build-publish/workflow.yml
@@ -0,0 +1,114 @@
+name: Docker Build, Scan & Publish
+
+on:
+  workflow_call:
+    inputs:
+      images:
+        description: >
+          JSON array of images to build.
+          Each item: { name, context, dockerfile, target, cache_ref }
+        required: true
+        type: string
+
+      registry_host:
+        required: true
+        type: string
+
+      default_branch:
+        required: true
+        type: string
+
+      build_args:
+        required: false
+        type: string
+        default: ""
+
+      trivy_severity:
+        required: false
+        type: string
+        default: "CRITICAL"
+
+    secrets:
+      registry_user:
+        required: true
+      registry_password:
+        required: true
+      ci_token:
+        required: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Determine branch context
+        id: branch
+        run: |
+          if [ "${{ github.ref_name }}" = "${{ inputs.default_branch }}" ]; then
+            echo "is_default=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "is_default=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ inputs.registry_host }}
+          username: ${{ secrets.registry_user }}
+          password: ${{ secrets.registry_password }}
+
+      - name: Build, scan and push images
+        env:
+          IMAGES: ${{ inputs.images }}
+          BUILD_ARGS: ${{ inputs.build_args }}
+          CI_TOKEN: ${{ secrets.ci_token }}
+          TRIVY_SEVERITY: ${{ inputs.trivy_severity }}
+        run: |
+          set -euo pipefail
+
+          echo "$IMAGES" | jq -c '.[]' | while read -r img; do
+            NAME=$(echo "$img" | jq -r '.name')
+            CONTEXT=$(echo "$img" | jq -r '.context')
+            DOCKERFILE=$(echo "$img" | jq -r '.dockerfile')
+            TARGET=$(echo "$img" | jq -r '.target')
+            CACHE_REF=$(echo "$img" | jq -r '.cache_ref')
+
+            echo "==== Building $NAME ===="
+
+            TAGS=()
+            TAGS+=("$NAME:${{ github.ref_name }}")
+            TAGS+=("$NAME:${{ github.sha }}")
+
+            if [ "${{ steps.branch.outputs.is_default }}" = "true" ]; then
+              TAGS+=("$NAME:latest")
+            fi
+
+            TAG_ARGS=$(printf -- "--tag %s " "${TAGS[@]}")
+
+            docker buildx build \
+              --file "$DOCKERFILE" \
+              --target "$TARGET" \
+              --cache-from "type=registry,ref=$CACHE_REF" \
+              --cache-to "type=registry,ref=$CACHE_REF,mode=max" \
+              --load \
+              $TAG_ARGS \
+              $(printf -- "--build-arg %s " $BUILD_ARGS) \
+              "$CONTEXT"
+
+            echo "==== Trivy scan for $NAME ===="
+            trivy image \
+              --severity "$TRIVY_SEVERITY" \
+              --exit-code 1 \
+              "${TAGS[0]}"
+
+            echo "==== Pushing $NAME ===="
+            for tag in "${TAGS[@]}"; do
+              docker push "$tag"
+            done
+          done
diff --git a/workflows/docker-build-push/workflow.yml b/workflows/docker-build-push/workflow.yml
deleted file mode 100644
index 7c24605..0000000
--- a/workflows/docker-build-push/workflow.yml
+++ /dev/null
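Review bot: `${{ github.ref_name }}` and `${{ inputs.default_branch }}` are expanded straight into the `run:` script of the "Determine branch context" step, and `github.ref_name` again in `TAGS+=("$NAME:${{ github.ref_name }}")`, so a branch name or caller-supplied input containing a quote or `$(...)` executes as shell on a runner that is already logged in to the registry — pass them through `env:` and read `"$REF_NAME"` / `"$DEFAULT_BRANCH"` instead. Branch names with `/` (and the `NNN/merge` ref of pull_request runs) are also not valid image tags, so the tag should come from a sanitised copy of the ref such as `${REF_NAME//\//-}`. `trivy` is invoked but never installed in this job; unless the runner image provides it, add a setup step before the build step or the scan fails before anything is pushed. The actions are pinned to floating major tags (`@v3`, `@v4`); pinning to commit SHAs would keep a compromised tag from receiving `registry_password`. `CI_TOKEN` is exported into the build step but not referenced in the visible script — if it is meant to reach the Dockerfile, use `--secret id=ci_token,env=CI_TOKEN` rather than a `--build-arg`, which persists in image history.
```yaml
      - name: Determine branch context
        id: branch
        env:
          REF_NAME: ${{ github.ref_name }}
          DEFAULT_BRANCH: ${{ inputs.default_branch }}
        run: |
          if [ "$REF_NAME" = "$DEFAULT_BRANCH" ]; then
            echo "is_default=true" >> "$GITHUB_OUTPUT"
          else
            echo "is_default=false" >> "$GITHUB_OUTPUT"
          fi

      # … unchanged: buildx setup, registry login …

      - name: Build, scan and push images
        env:
          IMAGES: ${{ inputs.images }}
          BUILD_ARGS: ${{ inputs.build_args }}
          CI_TOKEN: ${{ secrets.ci_token }}
          TRIVY_SEVERITY: ${{ inputs.trivy_severity }}
          REF_NAME: ${{ github.ref_name }}
          IS_DEFAULT: ${{ steps.branch.outputs.is_default }}
        run: |
          set -euo pipefail
          # '/' is legal in a git ref but not in an image tag.
          REF_TAG="${REF_NAME//\//-}"
          # … unchanged: jq loop over $IMAGES, per-image variables …
            TAGS+=("$NAME:$REF_TAG")
            TAGS+=("$NAME:${{ github.sha }}")
            if [ "$IS_DEFAULT" = "true" ]; then
          # … unchanged: buildx build, trivy scan, push loop …
```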
@@ -1,81 +0,0 @@
-name: Build and Push Docker Image
-
-on:
-  push:
-    branches:
-      - '*'
-
-env:
-  REGISTRY_HOST: ${{ secrets.REGISTRY_HOST }}
-  REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
-  REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-  GITHUB_TOKEN: ${{ secrets.CI_GITEA_TOKEN }} # Required for Docker metadata extraction
-  IMAGE_NAME: "Wavyzz/myimage"
-  # CACHE_REF: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_NAME }}:buildcache # (Optional) for build cache
-
-jobs:
-  build-push:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-
-      # (Optional) checks if current branch is the default branch
-      - name: Define branch helpers
-        id: branch
-        run: |
-          DEFAULT="${{ github.event.repository.default_branch }}"
-          CURRENT="${{ github.ref_name }}"
-          if [ "$DEFAULT" = "$CURRENT" ]; then
-            echo "is_default_branch=true" >> $GITHUB_OUTPUT
-          else
-            echo "is_default_branch=false" >> $GITHUB_OUTPUT
-          fi
-
-      # (Optional) automatically extract tags and labels from git context
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          github-token: ${{ env.GITHUB_TOKEN }}
-          images: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=tag
-            type=sha
-            type=raw,value=latest,enable=${{ steps.branch.outputs.is_default_branch }}
-
-      # (Optional) for multi-platform builds
-      # - name: Set up QEMU
-      # uses: docker/setup-qemu-action@v3
-
-      # (Optional but recommended) for advanced builds
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY_HOST }}
-          username: ${{ env.REGISTRY_USER }}
-          password: ${{ env.REGISTRY_PASSWORD }}
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
-        with: # Adjust as needed
-          context: .
-          file: ./Dockerfile
-          push: true
-          # platforms: linux/amd64,linux/arm64
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          # cache-from: type=registry,ref=${{ env.CACHE_REF }}
-          # cache-to: type=registry,ref=${{ env.CACHE_REF }},mode=max
-
-      - name: Image details
-        run: |
-          echo "Image pushed: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_NAME }}"
-          echo "Labels: ${{ steps.meta.outputs.labels }}"
-          echo "Tags: ${{ steps.meta.outputs.tags }}"
-          echo "Digest: ${{ steps.meta.outputs.digest }}"