build-docker.yml
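---
# Reusable workflow: build a Docker image with Buildx, optionally push it and scan it
# with Docker Scout. Callers invoke it with `uses:` under `jobs.<id>` plus `with:` /
# `secrets:` blocks matching the declarations below.
#
# GITHUB_TOKEN permissions the caller must grant (a called workflow can only lower them):
#   contents: read        - actions/checkout
#   packages: write       - pushing to ghcr.io through the ghcr login step
#   pull-requests: write  - only when scout-comment-pr is true (Scout posts a PR comment)
name: build-docker

on:
  workflow_call:
    inputs:
      build-args:
        default: null
        description: Build arguments
        type: string
      context:
        default: "."
        description: Context of the Dockerfile
        type: string
      image-name:
        description: Image name
        required: true
        type: string
      image-extra-tags:
        default: ""
        description: Image tags
        type: string
      image-target:
        default: null
        description: Target stage of the Dockerfile
        type: string
      platforms:
        default: linux/amd64
        description: Platforms to build for
        type: string
      push:
        default: true
        description: Whether or not to push image to registry
        type: boolean
      ref:
        # github.ref here is the CALLER's ref, since reusable workflows run in the caller's context.
        default: ${{ github.ref }}
        description: Ref to checkout
        type: string
      runner:
        default: ubuntu-latest
        description: Runner to use
        type: string
      scout-cves:
        default: true
        description: Whether or not to run scout CVEs
        type: boolean
      scout-compare:
        default: false
        description: Whether or not to run scout compare
        type: boolean
      scout-comment-pr:
        default: false
        description: Whether or not to comment on PR
        type: boolean
    outputs:
      digest:
        description: Image digest
        value: ${{ jobs.build.outputs.digest }}
      imageid:
        description: Image ID
        value: ${{ jobs.build.outputs.imageid }}
      metadata:
        description: Build result metadata
        value: ${{ jobs.build.outputs.metadata }}
    secrets:
      # Both secrets are required even when push is false, because the Docker Hub login
      # step runs unconditionally and Scout authenticates with the same credentials.
      DOCKERHUB_USERNAME:
        required: true
        description: Used to push the image to the Docker Hub registry and/or scan the image with scout
      DOCKERHUB_PASSWORD:
        required: true
        description: Used to push the image to the Docker Hub registry and/or scan the image with scout

jobs:
  build:
    runs-on: ${{ inputs.runner }}
    outputs:
      digest: ${{ steps.build-push.outputs.digest }}
      imageid: ${{ steps.build-push.outputs.image-id }}
      metadata: ${{ steps.build-push.outputs.metadata }}
    steps:
      # Third-party actions are pinned to major version tags; pinning to a full commit SHA
      # would make the action supply chain reproducible and is worth considering.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}
          # No later step uses git with credentials, so do not leave GITHUB_TOKEN in
          # .git/config where a Dockerfile that copies the whole context could pick it up.
          persist-credentials: false

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Login to Docker hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - id: meta
        name: Docker metadata
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ inputs.image-name }}
          # `latest` is only produced on the caller's master branch (github.ref is the
          # caller's ref, not inputs.ref).
          # NOTE(review): on any other ref this is the only tag rule, so steps.meta.outputs.tags
          # may be empty and the Scout steps below would receive no image - confirm intended.
          tags: |
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}

      - id: build-push
        name: Build and push
        uses: docker/build-push-action@v6
        with:
          build-args: ${{ inputs.build-args }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          context: ${{ inputs.context }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: ${{ inputs.platforms }}
          push: ${{ inputs.push }}
          # Tags from metadata-action plus any caller-supplied extra tags, one per line.
          tags: |
            ${{ steps.meta.outputs.tags }}
            ${{ inputs.image-extra-tags }}
          target: ${{ inputs.image-target }}

      - if: inputs.scout-compare
        name: Docker Scout - compare
        uses: docker/scout-action@v1
        with:
          command: compare
          # Needed for write-comment; the caller must grant pull-requests: write.
          github-token: ${{ secrets.GITHUB_TOKEN }}
          ignore-unchanged: true
          image: ${{ steps.meta.outputs.tags }}
          only-severities: critical,high,medium
          to: ${{ inputs.image-name }}:latest
          write-comment: ${{ inputs.scout-comment-pr }}

      - if: inputs.scout-cves
        name: Docker Scout - cves
        uses: docker/scout-action@v1
        with:
          command: cves
          ignore-unchanged: true
          image: ${{ steps.meta.outputs.tags }}
          only-fixed: true
          only-severities: critical,high,medium
          sarif-file: sarif.output.json
          summary: true

      - id: job-id
        name: Create unique job identifier
        # upload-artifact@v4 rejects duplicate artifact names within one run, and this
        # workflow may be called several times per run (e.g. from a matrix). run_id and
        # run_attempt are identical across those jobs, so a random suffix disambiguates
        # them; a hash of the current second could collide for jobs starting together.
        # github.run_id / run_attempt are numeric, so interpolating them into the shell
        # is not an injection vector.
        run: |
          suffix=$(head -c 16 /dev/urandom | sha256sum | head -c 8)
          echo "job-id=${{ github.run_id }}-${{ github.run_attempt }}-${suffix}" >> "$GITHUB_OUTPUT"

      # Upload even when the Scout step failed, so the SARIF it already wrote is kept;
      # if-no-files-found: warn covers the case where nothing was produced.
      - if: ${{ !cancelled() && inputs.scout-cves }}
        name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          if-no-files-found: warn
          name: scout-results-${{ steps.job-id.outputs.job-id }}
          path: sarif.output.json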