-
Notifications
You must be signed in to change notification settings - Fork 0
85 lines (72 loc) · 2.53 KB
/
reusable-workflow-docker-image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
name: Reusable workflow - build docker image
on:
workflow_call:
inputs:
image-name:
required: true
type: string
docker-dir:
required: true
type: string
platform:
required: true
type: string
secrets:
ACR_USERNAME:
required: true
ACR_PASSWORD:
required: true
REGISTRY:
required: true
jobs:
build-container-image:
runs-on: self-hosted
env:
REGISTRY: ${{ secrets.REGISTRY }}
PLATFORM: ${{ inputs.platform }}
IMAGE_NAME: ${{ inputs.image-name }}
IMAGE_TAG: "${{ github.run_number }}"
DOCKER_DIR: ${{ inputs.docker-dir }}
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Input Validation
run: |
if [[ "$PLATFORM" != "amd64" ]] && \
[[ "$PLATFORM" != "arm64" ]]; then
echo "Invalid environment: $PLATFORM"
exit 1
fi
- name: Log in to Azure Container Registry
uses: azure/docker-login@v1
with:
login-server: ${{ secrets.REGISTRY }}
username: ${{ secrets.ACR_USERNAME }}
password: ${{ secrets.ACR_PASSWORD }}
- name: Build Container Image
run: |
echo "Building image: $REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
podman build --platform linux/$PLATFORM -t $REGISTRY/$IMAGE_NAME:$IMAGE_TAG $DOCKER_DIR
- name: Push Container Image
run: |
echo "Pushing image: $REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
podman push $REGISTRY/$IMAGE_NAME:$IMAGE_TAG
- name: Tag and push Docker image as latest
# if: github.ref == 'refs/heads/main' # TODO: uncomment once we are done with development
run: |
echo "Pushing image: $REGISTRY/$IMAGE_NAME:$IMAGE_TAG with as latest"
podman tag $REGISTRY/$IMAGE_NAME:$IMAGE_TAG $REGISTRY/$IMAGE_NAME:latest
podman push $REGISTRY/$IMAGE_NAME:latest
- name: Scan image for vulnerabilites
run: |
mkdir build-artifacts
trivy image $REGISTRY/$IMAGE_NAME:$IMAGE_TAG > build-artifacts/vuln-scan.txt
- name: Generate SBOM
run: |
trivy image --format spdx $REGISTRY/$IMAGE_NAME:$IMAGE_TAG > build-artifacts/sbom-spdx.txt
trivy image --format cyclonedx $REGISTRY/$IMAGE_NAME:$IMAGE_TAG > build-artifacts/sbom-cyclonedx.txt
- name: Upload Artifacts
uses: actions/upload-artifact@v4
with:
name: image-scan-results
path: build-artifacts/*