diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..7faaa88
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+---
+version: 2
+updates:
+ # Maintain dependencies for GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ reviewers:
+ - "ditkrg/devops"
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
new file mode 100644
index 0000000..920d38f
--- /dev/null
+++ b/.github/workflows/workflow.yaml
@@ -0,0 +1,124 @@
+---
+name: Build, Scan and Push Image
+
+on:
+ workflow_call:
+ inputs:
+ image:
+ type: string
+ required: true
+ description: Image name excluding registry
+ build-args:
+ type: string
+ required: false
+ description: "List of build-time variables"
+ file:
+ type: string
+ required: false
+ registry:
+ type: string
+ default: reg.dev.krd
+ required: false
+
+ runs-on:
+ type: string
+ default: "[ 'self-hosted', 'ubuntu-focal' ]"
+ required: false
+
+ # Trivy Options
+ trivy:
+ type: boolean
+ required: false
+ default: true
+ description: Enable trivy image vulnerability check
+
+ trivy-exit-code:
+ type: number
+ required: false
+ default: 0
+ description: Exit code when vulnerabilities were found
+
+ trivy-severity:
+ type: string
+ required: false
+ default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+ description: severities of vulnerabilities to be displayed (comma separated)
+
+ trivy-format:
+ type: string
+ required: false
+ default: table
+ description: How to display the results
+
+ secrets:
+ username:
+ required: true
+ password:
+ required: true
+ build-secrets:
+ required: false
+
+jobs:
+ build-push:
+ name: Build and Push
+ runs-on: ${{ fromJson(inputs.runs-on) }}
+ timeout-minutes: 10
+ steps:
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - id: meta
+ name: Extract Metadata
+ uses: docker/metadata-action@v4
+ with:
+ images: ${{ inputs.registry }}/{{ inputs.image }}
+ flavor: latest=false
+ tags: |
+ # Branches
+ type=ref,event=branch
+ type=ref,event=branch,suffix=-{{sha}},priority=8888 # 2
+
+ # Releases
+ type=semver,pattern={{major}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{version}},priority=9999 #1
+
+ - name: Login to Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ inputs.registry }}
+ username: ${{ secrets.username }}
+ password: ${{ secrets.password }}
+
+ - name: Build Docker images
+ if: ${{ inputs.trivy }}
+ uses: docker/build-push-action@v3
+ with:
+ load: true
+ file: ${{ inputs.file }}
+ tags: ${{ steps.meta.outputs.tags }}
+ cache-to: type=registry,ref=${{ inputs.registry }}/{{ inputs.image }}:buildcache,mode=max
+ cache-from: type=registry,ref=${{ inputs.registry }}/{{ inputs.image }}:buildcache
+ build-args: ${{ inputs.build-args }}
+ secrets: ${{ secrets.build-secrets }}
+
+ - name: Run Trivy vulnerability scanner
+ if: ${{ inputs.trivy }}
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ fromJson(steps.meta.outputs.json).tags[0] }}
+ format: ${{ inputs.format }}
+ exit-code: ${{ inputs.exit-code }}
+ severity: ${{ inputs.severity }}
+
+ - name: Build Docker images
+ if: ${{ inputs.trivy }}
+ uses: docker/build-push-action@v3
+ with:
+ load: true
+ file: ${{ inputs.file }}
+ tags: ${{ steps.meta.outputs.tags }}
+ cache-to: type=registry,ref=${{ inputs.registry }}/{{ inputs.image }}:buildcache,mode=max
+ cache-from: type=registry,ref=${{ inputs.registry }}/{{ inputs.image }}:buildcache
+ build-args: ${{ inputs.build-args }}
+ secrets: ${{ secrets.build-secrets }}
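Review bot: The Trivy step reads `inputs.format`, `inputs.exit-code` and `inputs.severity`, but the reusable workflow only declares `trivy-format`, `trivy-exit-code` and `trivy-severity`, so the declared defaults are dead and a caller passing `trivy-exit-code: 1` to gate on findings has no effect (the undeclared names expand to empty, or fail validation, and the action falls back to its own defaults) — the scan can never block the build. The final "Build Docker images" step is a verbatim copy of the first, still `load: true` and still `if: ${{ inputs.trivy }}`, so nothing is ever pushed despite the workflow's name and, with `trivy: false`, nothing is built at all; it presumably should be an unconditional `push: true` step that reuses the registry cache. `images` and both `cache-to`/`cache-from` refs write `{{ inputs.image }}` without the `$`, which leaves that literal text in the image reference instead of the input's value. Pin `aquasecurity/trivy-action@master` to a release tag or commit SHA so the scanner is not a mutable dependency on the path that decides whether an image ships — the dependabot config added in this same commit can only bump actions that carry a version.
```yaml
      - name: Run Trivy vulnerability scanner
        if: ${{ inputs.trivy }}
        # … unchanged: uses …
        with:
          image-ref: ${{ fromJson(steps.meta.outputs.json).tags[0] }}
          format: ${{ inputs.trivy-format }}
          exit-code: ${{ inputs.trivy-exit-code }}
          severity: ${{ inputs.trivy-severity }}

      - name: Push Docker image
        uses: docker/build-push-action@v3
        with:
          push: true
          file: ${{ inputs.file }}
          tags: ${{ steps.meta.outputs.tags }}
          cache-from: type=registry,ref=${{ inputs.registry }}/${{ inputs.image }}:buildcache
          # … unchanged: build-args / secrets …
```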