Wavyzz/ci-workflows
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

updated docker build publish workflow

Browse Source
This commit is contained in:
estebanthi
2026-01-04 12:21:48 +01:00
parent 6ec59fcaf1
commit 088c4c7403
3 changed files with 114 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
workflows/docker-build-publish/README.md Normal file
View File

@@ -0,0 +1,90 @@
# docker-build-push
This GitHub Actions workflow builds and pushes Docker images to a container registry.
It serves as a base workflow and is usable this way, but it may be customized depending on the exact use case.
## Use cases
### Build and push Docker images for CI/CD
This workflow can be used in CI/CD pipelines to automate the process of building and pushing Docker images whenever code is pushed to the repository or a pull request is created.
I use it with [watchtower](https://github.com/containrrr/watchtower) to automatically update running containers with the latest images.
### Build an upstream
You may want to build an upstream image from another repository and push it to your own container registry.
You can do this this by modifying the checkout step to pull from the external repository and pass the correct build context to the Docker build step.
```yaml
- name: Checkout external repository to ./external-src
uses: actions/checkout@v5
with:
repository: owner/repo-name
ref: main
server-url: ${{ github.server_url }}
path: external-src
fetch-depth: 0 # Fetch all history for all branches and tags
# ...
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
context: ./external-src
# ...
```
### When SSH access is needed during build
If your Docker build process requires SSH access (for example, to clone private repositories), you can enable SSH agent, and configure the Docker build step to use it.
You will also need to change the Dockerfile to use the SSH mount.
```yaml
- name: Start ssh-agent
uses: https://github.com/webfactory/ssh-agent@v0.9.0
with:
ssh-private-key: ${{ secrets.CI_SSH_PRIVATE_KEY }}
# ...
- name: Build & push
uses: docker/build-push-action@v5
with:
ssh: default
build-args: |
GITEA_HOSTKEY=${{ secrets.SSH_GITEA_HOSTKEY }} # Pass host key as build-arg
```
And modify your Dockerfile like this:
```Dockerfile
# Install dependencies
RUN apt-get update && \
apt-get install -y --no-install-recommends \
git \
openssh-client \
ca-certificates \
libnss3 \
nss-plugin-pem \
libbrotli1 && \
rm -rf /var/lib/apt/lists/*
# Add Gitea host key to known_hosts
ARG GITEA_HOSTKEY
RUN set -eux; \
mkdir -p /etc/ssh; \
printf '%s\n' "$GITEA_HOSTKEY" > /etc/ssh/ssh_known_hosts; \
chmod 644 /etc/ssh/ssh_known_hosts; \
ssh-keygen -l -E sha256 -f /etc/ssh/ssh_known_hosts
# Clone private repository using SSH during build
RUN --mount=type=ssh git clone git@your-gitea-server:your-repo.git /path/to/destination
# You can do whatever you need with SSH by using the --mount=type=ssh flag
# RUN --mount=type=ssh \
# GIT_SSH_COMMAND='ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ssh/ssh_known_hosts' \
# pip install --no-cache-dir -r requirements.txt
```

114
workflows/docker-build-publish/workflow.yml Normal file
View File

@@ -0,0 +1,114 @@
name: Docker Build, Scan & Publish
on:
workflow_call:
inputs:
images:
description: >
JSON array of images to build.
Each item: { name, context, dockerfile, target, cache_ref }
required: true
type: string
registry_host:
required: true
type: string
default_branch:
required: true
type: string
build_args:
required: false
type: string
default: ""
trivy_severity:
required: false
type: string
default: "CRITICAL"
secrets:
registry_user:
required: true
registry_password:
required: true
ci_token:
required: true
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Determine branch context
id: branch
run: |
if [ "${{ github.ref_name }}" = "${{ inputs.default_branch }}" ]; then
echo "is_default=true" >> "$GITHUB_OUTPUT"
else
echo "is_default=false" >> "$GITHUB_OUTPUT"
fi
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to registry
uses: docker/login-action@v3
with:
registry: ${{ inputs.registry_host }}
username: ${{ secrets.registry_user }}
password: ${{ secrets.registry_password }}
- name: Build, scan and push images
env:
IMAGES: ${{ inputs.images }}
BUILD_ARGS: ${{ inputs.build_args }}
CI_TOKEN: ${{ secrets.ci_token }}
TRIVY_SEVERITY: ${{ inputs.trivy_severity }}
run: |
set -euo pipefail
echo "$IMAGES" | jq -c '.[]' | while read -r img; do
NAME=$(echo "$img" | jq -r '.name')
CONTEXT=$(echo "$img" | jq -r '.context')
DOCKERFILE=$(echo "$img" | jq -r '.dockerfile')
TARGET=$(echo "$img" | jq -r '.target')
CACHE_REF=$(echo "$img" | jq -r '.cache_ref')
echo "==== Building $NAME ===="
TAGS=()
TAGS+=("$NAME:${{ github.ref_name }}")
TAGS+=("$NAME:${{ github.sha }}")
if [ "${{ steps.branch.outputs.is_default }}" = "true" ]; then
TAGS+=("$NAME:latest")
fi
TAG_ARGS=$(printf -- "--tag %s " "${TAGS[@]}")
docker buildx build \
--file "$DOCKERFILE" \
--target "$TARGET" \
--cache-from "type=registry,ref=$CACHE_REF" \
--cache-to "type=registry,ref=$CACHE_REF,mode=max" \
--load \
$TAG_ARGS \
$(printf -- "--build-arg %s " $BUILD_ARGS) \
"$CONTEXT"
echo "==== Trivy scan for $NAME ===="
trivy image \
--severity "$TRIVY_SEVERITY" \
--exit-code 1 \
"${TAGS[0]}"
echo "==== Pushing $NAME ===="
for tag in "${TAGS[@]}"; do
docker push "$tag"
done
done