Wavyzz/ci-workflows
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

updated docker build publish workflow

Browse Source
This commit is contained in:
estebanthi
2026-01-04 12:21:48 +01:00
parent 6ec59fcaf1
commit 088c4c7403
3 changed files with 114 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
workflows/docker-build-push/README.md → workflows/docker-build-publish/README.md
View File

114
workflows/docker-build-publish/workflow.yml Normal file
View File

@@ -0,0 +1,114 @@
name: Docker Build, Scan & Publish
on:
workflow_call:
inputs:
images:
description: >
JSON array of images to build.
Each item: { name, context, dockerfile, target, cache_ref }
required: true
type: string
registry_host:
required: true
type: string
default_branch:
required: true
type: string
build_args:
required: false
type: string
default: ""
trivy_severity:
required: false
type: string
default: "CRITICAL"
secrets:
registry_user:
required: true
registry_password:
required: true
ci_token:
required: true
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Determine branch context
id: branch
run: |
if [ "${{ github.ref_name }}" = "${{ inputs.default_branch }}" ]; then
echo "is_default=true" >> "$GITHUB_OUTPUT"
else
echo "is_default=false" >> "$GITHUB_OUTPUT"
fi
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to registry
uses: docker/login-action@v3
with:
registry: ${{ inputs.registry_host }}
username: ${{ secrets.registry_user }}
password: ${{ secrets.registry_password }}
- name: Build, scan and push images
env:
IMAGES: ${{ inputs.images }}
BUILD_ARGS: ${{ inputs.build_args }}
CI_TOKEN: ${{ secrets.ci_token }}
TRIVY_SEVERITY: ${{ inputs.trivy_severity }}
run: |
set -euo pipefail
echo "$IMAGES" | jq -c '.[]' | while read -r img; do
NAME=$(echo "$img" | jq -r '.name')
CONTEXT=$(echo "$img" | jq -r '.context')
DOCKERFILE=$(echo "$img" | jq -r '.dockerfile')
TARGET=$(echo "$img" | jq -r '.target')
CACHE_REF=$(echo "$img" | jq -r '.cache_ref')
echo "==== Building $NAME ===="
TAGS=()
TAGS+=("$NAME:${{ github.ref_name }}")
TAGS+=("$NAME:${{ github.sha }}")
if [ "${{ steps.branch.outputs.is_default }}" = "true" ]; then
TAGS+=("$NAME:latest")
fi
TAG_ARGS=$(printf -- "--tag %s " "${TAGS[@]}")
docker buildx build \
--file "$DOCKERFILE" \
--target "$TARGET" \
--cache-from "type=registry,ref=$CACHE_REF" \
--cache-to "type=registry,ref=$CACHE_REF,mode=max" \
--load \
$TAG_ARGS \
$(printf -- "--build-arg %s " $BUILD_ARGS) \
"$CONTEXT"
echo "==== Trivy scan for $NAME ===="
trivy image \
--severity "$TRIVY_SEVERITY" \
--exit-code 1 \
"${TAGS[0]}"
echo "==== Pushing $NAME ===="
for tag in "${TAGS[@]}"; do
docker push "$tag"
done
done

81
workflows/docker-build-push/workflow.yml
View File

@@ -1,81 +0,0 @@
name: Build and Push Docker Image
on:
push:
branches:
- '*'
env:
REGISTRY_HOST: ${{ secrets.REGISTRY_HOST }}
REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
GITHUB_TOKEN: ${{ secrets.CI_GITEA_TOKEN }} # Required for Docker metadata extraction
IMAGE_NAME: "Wavyzz/myimage"
# CACHE_REF: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_NAME }}:buildcache # (Optional) for build cache
jobs:
build-push:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v5
# (Optional) checks if current branch is the default branch
- name: Define branch helpers
id: branch
run: |
DEFAULT="${{ github.event.repository.default_branch }}"
CURRENT="${{ github.ref_name }}"
if [ "$DEFAULT" = "$CURRENT" ]; then
echo "is_default_branch=true" >> $GITHUB_OUTPUT
else
echo "is_default_branch=false" >> $GITHUB_OUTPUT
fi
# (Optional) automatically extract tags and labels from git context
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
github-token: ${{ env.GITHUB_TOKEN }}
images: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=tag
type=sha
type=raw,value=latest,enable=${{ steps.branch.outputs.is_default_branch }}
# (Optional) for multi-platform builds
# - name: Set up QEMU
# uses: docker/setup-qemu-action@v3
# (Optional but recommended) for advanced builds
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY_HOST }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
- name: Build and push Docker image
uses: docker/build-push-action@v5
with: # Adjust as needed
context: .
file: ./Dockerfile
push: true
# platforms: linux/amd64,linux/arm64
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# cache-from: type=registry,ref=${{ env.CACHE_REF }}
# cache-to: type=registry,ref=${{ env.CACHE_REF }},mode=max
- name: Image details
run: |
echo "Image pushed: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_NAME }}"
echo "Labels: ${{ steps.meta.outputs.labels }}"
echo "Tags: ${{ steps.meta.outputs.tags }}"
echo "Digest: ${{ steps.meta.outputs.digest }}"