updated wf
This commit is contained in:
estebanthi
28
.github/workflows/docker-build-publish.yml
vendored
28
.github/workflows/docker-build-publish.yml
vendored
@@ -56,6 +56,11 @@ jobs:
|
|||||||
- name: Set up Docker Buildx
|
- name: Set up Docker Buildx
|
||||||
uses: docker/setup-buildx-action@v3
|
uses: docker/setup-buildx-action@v3
|
||||||
|
|
||||||
|
- name: Install Trivy
|
||||||
|
run: |
|
||||||
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
|
||||||
|
trivy --version
|
||||||
|
|
||||||
- name: Login to registry
|
- name: Login to registry
|
||||||
uses: docker/login-action@v3
|
uses: docker/login-action@v3
|
||||||
with:
|
with:
|
||||||
@@ -79,12 +84,13 @@ jobs:
|
|||||||
CONTEXT=$(echo "$img" | jq -r '.context')
|
CONTEXT=$(echo "$img" | jq -r '.context')
|
||||||
DOCKERFILE=$(echo "$img" | jq -r '.dockerfile')
|
DOCKERFILE=$(echo "$img" | jq -r '.dockerfile')
|
||||||
TARGET=$(echo "$img" | jq -r '.target')
|
TARGET=$(echo "$img" | jq -r '.target')
|
||||||
CACHE_REF=$(echo "$img" | jq -r '.cache_ref')
|
RAW_REF_NAME="${{ github.ref_name }}"
|
||||||
|
SAFE_REF_NAME=$(echo "$RAW_REF_NAME" | sed -E 's#[^A-Za-z0-9_.-]#-#g')
|
||||||
|
|
||||||
|
echo "==== Building $FULL_IMAGE ===="
|
||||||
|
|
||||||
echo "==== Building $NAME ===="
|
|
||||||
|
|
||||||
TAGS=()
|
TAGS=()
|
||||||
TAGS+=("$FULL_IMAGE:${{ github.ref_name }}")
|
TAGS+=("$FULL_IMAGE:$SAFE_REF_NAME")
|
||||||
TAGS+=("$FULL_IMAGE:${{ github.sha }}")
|
TAGS+=("$FULL_IMAGE:${{ github.sha }}")
|
||||||
|
|
||||||
if [ "${{ steps.branch.outputs.is_default }}" = "true" ]; then
|
if [ "${{ steps.branch.outputs.is_default }}" = "true" ]; then
|
||||||
@@ -92,24 +98,28 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
TAG_ARGS=$(printf -- "--tag %s " "${TAGS[@]}")
|
TAG_ARGS=$(printf -- "--tag %s " "${TAGS[@]}")
|
||||||
|
BUILD_ARG_FLAGS=""
|
||||||
|
if [ -n "$BUILD_ARGS" ]; then
|
||||||
|
BUILD_ARG_FLAGS=$(printf -- "--build-arg %s " $BUILD_ARGS)
|
||||||
|
fi
|
||||||
|
|
||||||
docker buildx build \
|
docker buildx build \
|
||||||
--file "$DOCKERFILE" \
|
--file "$DOCKERFILE" \
|
||||||
--target "$TARGET" \
|
--target "$TARGET" \
|
||||||
--cache-from "type=registry,ref=$CACHE_REF"
|
--cache-from "type=registry,ref=$CACHE_REF" \
|
||||||
--cache-to "type=registry,ref=$CACHE_REF,mode=max"
|
--cache-to "type=registry,ref=$CACHE_REF,mode=max" \
|
||||||
--load \
|
--load \
|
||||||
$TAG_ARGS \
|
$TAG_ARGS \
|
||||||
$(printf -- "--build-arg %s " $BUILD_ARGS) \
|
$BUILD_ARG_FLAGS \
|
||||||
"$CONTEXT"
|
"$CONTEXT"
|
||||||
|
|
||||||
echo "==== Trivy scan for $NAME ===="
|
echo "==== Trivy scan for $FULL_IMAGE ===="
|
||||||
trivy image \
|
trivy image \
|
||||||
--severity "$TRIVY_SEVERITY" \
|
--severity "$TRIVY_SEVERITY" \
|
||||||
--exit-code 1 \
|
--exit-code 1 \
|
||||||
"${TAGS[0]}"
|
"${TAGS[0]}"
|
||||||
|
|
||||||
echo "==== Pushing $NAME ===="
|
echo "==== Pushing $FULL_IMAGE ===="
|
||||||
for tag in "${TAGS[@]}"; do
|
for tag in "${TAGS[@]}"; do
|
||||||
docker push "$tag"
|
docker push "$tag"
|
||||||
done
|
done
|
||||||
|
|||||||
Reference in New Issue
Block a user