Add harbor scan report inputs and commenting functionality in action.yml

This update introduces new input parameters for enabling harbor scan report retrieval and commenting on pull requests. The action now includes logic to comment on the PR with scan results, enhancing visibility and feedback during the CI/CD process.

.github/workflows/update-main-version.yaml

@@ -0,0 +1,32 @@
+name: Release
+on:
+  push:
+    tags:
+      - v[0-9]+.[0-9]+.[0-9]+
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: version
+        id: version
+        run: |
+          tag=${GITHUB_REF/refs\/tags\//}
+          version=${tag#v}
+          major=${version%%.*}
+          echo "tag=${tag}" >> $GITHUB_OUTPUT
+          echo "version=${version}" >> $GITHUB_OUTPUT
+          echo "major=${major}" >> $GITHUB_OUTPUT
+
+      - name: force update major tag
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+
+          git tag v${{ steps.version.outputs.major }} ${{ steps.version.outputs.tag }} -f
+          git push origin refs/tags/v${{ steps.version.outputs.major }} -f

.github/workflows/workflow.yaml

@@ -25,10 +25,14 @@ on:
         type: string
         default: reg.dev.krd
         required: false
+      timeout:
+        type: number
+        default: 10
+        required: false
 
       runs-on:
         type: string
-        default: "[ 'self-hosted', 'ubuntu-focal' ]"
+        default: "[ 'ubuntu-latest' ]"
         required: false
 
     secrets:
@@ -43,23 +47,23 @@ jobs:
   build-push:
     name: Build and Push
     runs-on: ${{ fromJson(inputs.runs-on) }}
-    timeout-minutes: 10
+    timeout-minutes: ${{ inputs.timeout }}
     outputs:
       tag: ${{ fromJson(steps.meta.outputs.json).tags[0] }}
       tags: ${{ steps.meta.outputs.tags }}
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - id: meta
         name: Extract Metadata
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ inputs.registry }}/${{ inputs.image }}
           flavor: latest=false
           tags: |
             # Cache
-            type=raw,value={{branch}}-cache
+            type=raw,value=${{ github.ref_name }}-cache
 
             # Branches
             type=ref,event=branch
@@ -71,14 +75,14 @@ jobs:
             type=semver,pattern={{version}},priority=9999 #1
 
       - name: Login to Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ inputs.registry }}
           username: ${{ secrets.username }}
           password: ${{ secrets.password }}
 
       - name: Build Docker images
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v6
         with:
           push: true
           file: ${{ inputs.file }}

README.md

@@ -1 +1,159 @@
-# build-image-action
+# Build Image Workflow
+
+This GitHub Action automates the process of building and pushing a Docker image to a self-hosted registry. The workflow includes setting up Docker Buildx, extracting metadata, logging in to the registry, and building and pushing the Docker image.
+
+## Inputs
+
+### `image` (required)
+- Description: Image Name
+- Required: true
+
+### `build-args` (optional)
+- Description: Build Arguments
+- Required: false
+
+### `file` (optional)
+- Description: Dockerfile Path
+- Required: false
+
+### `registry` (required)
+- Description: Registry URL
+- Required: true
+- Default: reg.dev.krd
+
+### `username` (required)
+- Description: Username for the registry
+- Required: true
+
+### `password` (required)
+- Description: Password for the registry
+- Required: true
+
+### `build-secrets` (optional)
+- Description: Build Secrets
+- Required: false
+
+## Outputs
+
+### `tag`
+- Description: Image Tag
+- Value: ${{ steps.meta.outputs.tags[0] }}
+
+### `tags`
+- Description: Image Tags
+- Value: ${{ steps.meta.outputs.tags }}
+
+## Workflow Steps
+
+1. **Set up Docker Buildx:**
+   - Uses: docker/setup-buildx-action@v3
+
+2. **Extract Metadata:**
+   - Uses: docker/metadata-action@v5
+   - Inputs:
+     - `images`: ${{ inputs.registry }}/${{ inputs.image }}
+     - `flavor`: latest=false
+     - `tags`:
+       - Cache: `type=raw,value=${{ github.ref_name }}-cache`
+       - Branches: `type=ref,event=branch`, `type=ref,event=branch,suffix=-{{sha}},priority=8888`
+       - Releases: `type=semver,pattern={{major}}`, `type=semver,pattern={{major}}.{{minor}}`, `type=semver,pattern={{version}},priority=9999`
+
+3. **Login to Registry:**
+   - Uses: docker/login-action@v3
+   - Inputs:
+     - `registry`: ${{ inputs.registry }}
+     - `username`: ${{ inputs.username }}
+     - `password`: ${{ inputs.password }}
+
+4. **Build Docker images:**
+   - Uses: docker/build-push-action@v5
+   - Inputs:
+     - `push`: true
+     - `file`: ${{ inputs.file }}
+     - `tags`: ${{ steps.meta.outputs.tags }}
+     - `cache-to`: `type=inline`
+     - `cache-from`: `type=registry,ref=${{ inputs.registry }}/${{ inputs.image }}:${{ github.ref_name }}-cache`
+     - `build-args`: ${{ inputs.build-args }}
+     - `secrets`: ${{ inputs.build-secrets }}
+
+## Example Usage
+
+```yaml
+name: Build Image Workflow
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build and Push Image
+        uses: ditkrg/build-image-workflow@v1
+        with:
+          image: "my-docker-image"
+          registry: "my-registry.example.com"
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+          build-args: "EXAMPLE=123"
+          build-secrets: "EXAMPLE=****"
+          file: "path/to/Dockerfile"
+```
+
+If you want to use it with our GitOps Action:
+
+```yaml
+name: Deploy
+
+on:
+  push:
+    branches:
+      - dev
+      - main
+    tags:
+      - v[0-9]+.[0-9]+.[0-9]+
+
+    paths-ignore:
+      - "**.md"
+      - ".vscode/**"
+
+      - ".github/**"
+      - "!.github/workflows/tests-base.yaml"
+      - "!.github/workflows/deploy.yaml"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    concurrency: build-${{ github.ref_name }}
+    outputs:
+      tag: ${{ steps.build-image.outputs.tag }}
+      tags: ${{ steps.build-image.outputs.tags }}
+    steps:
+      - id: build-image
+        name: Build and Push Image
+        uses: ditkrg/build-image-workflow@v1
+        with:
+          image: "my-docker-image"
+          registry: "my-registry.example.com"
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+          build-args: "EXAMPLE=123"
+          build-secrets: "EXAMPLE=****"
+          file: "path/to/Dockerfile"
+
+  update-gitops:
+    runs-on: ubuntu-latest
+    concurrency: pr-${{ github.ref_name }}
+    needs: build
+    steps:
+      - name: Update gitops
+        uses: ditkrg/update-gitops-image@v1
+        with:
+          owner: ditkrg
+          repo: GITOPS_REPO
+          app-id: ${{ secrets.APP_ID }}
+          image-tag: ${{ needs.build.outputs.tag }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          component-name: REPO_NAME
+```

action.yml

@@ -0,0 +1,181 @@
+name: "Build, Scan and Push Image"
+description: "Build, Scan and Push Image to Self Hosted Registry"
+inputs:
+  push:
+    description: "Push to Registry"
+    required: false
+    default: "true"
+  image:
+    description: "Image Name"
+    required: true
+  build-args:
+    description: "Build Arguments"
+    required: false
+  file:
+    description: "Dockerfile Path"
+    required: false
+  registry:
+    description: "Registry URL"
+    required: true
+    default: reg.dev.krd
+
+  username:
+    required: true
+    description: "Username for registry"
+  password:
+    required: true
+    description: "Password for registry"
+  build-secrets:
+    required: false
+    description: "Build Secrets"
+
+  harbor-scan-report:
+    required: false
+    default: "true"
+    description: "Should try to get harbor scan report"
+
+  comment-harbor-scan-report:
+    required: false
+    default: "true"
+    description: "Should comment harbor scan report on PR"
+
+  harbor-scan-report-comment-marker:
+    required: false
+    default: '<!-- actions-comment-pull-request "build-and-push" -->'
+    description: "Comment marker for harbor scan report"
+
+outputs:
+  digest:
+    description: "Digest"
+    value: ${{ steps.build-and-push.outputs.digest }}
+  tag:
+    description: "Image Tag"
+    value: ${{ steps.set_tag.outputs.tag }}
+  tags:
+    description: "Image Tags"
+    value: ${{ steps.meta.outputs.tags }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - id: meta
+      name: Extract Metadata
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ inputs.registry }}/${{ inputs.image }}
+        flavor: latest=false
+        tags: |
+          # Pull Request
+          type=ref,event=pr
+          type=ref,event=pr,suffix=-{{sha}},priority=8887 # 2
+
+          # Branches
+          type=ref,event=branch
+          type=ref,event=branch,suffix=-{{sha}},priority=8888 # 2
+
+          # Releases
+          type=semver,pattern={{major}}
+          type=semver,pattern={{major}}.{{minor}}
+          type=semver,pattern={{version}},priority=9999 #1
+
+    - name: Login to Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ inputs.username }}
+        password: ${{ inputs.password }}
+
+    - name: Build Docker images
+      uses: docker/build-push-action@v6
+      id: build-and-push
+      with:
+        push: ${{ inputs.push }}
+        file: ${{ inputs.file }}
+        tags: ${{ steps.meta.outputs.tags }}
+        cache-to: type=registry,ref=${{ inputs.registry }}/${{ inputs.image }}:buildcache,mode=max
+        cache-from: type=registry,ref=${{ inputs.registry }}/${{ inputs.image }}:buildcache
+        build-args: ${{ inputs.build-args }}
+        secrets: ${{ inputs.build-secrets }}
+
+    - name: Set Tag
+      id: set_tag
+      shell: bash
+      run: |
+
+        extracted_tag=$(echo "$json" | jq -r '.tags | .[0]')
+        echo "tag=$extracted_tag" >> $GITHUB_OUTPUT
+
+      env:
+        tags: ${{ steps.meta.outputs.tags }}
+        json: ${{ steps.meta.outputs.json }}
+
+    - name: Harbor Scan Results
+      id: harbor-scan-results
+      if: ${{ inputs.harbor-scan-report }} == 'true'
+      uses: ditkrg/harbor-scan-results-action@main
+      with:
+        image: ${{ steps.set_tag.outputs.tag }}
+        username: ${{ inputs.username }}
+        password: ${{ inputs.password }}
+        digest: ${{ steps.build-and-push.outputs.digest }}
+
+    - name: Comment on active branch PR
+      uses: actions/github-script@v7
+      if: ${{ inputs.comment-harbor-scan-report }} == 'true'
+      env:
+        COMMENT_MARKER: ${{ inputs.harbor-scan-report-comment-marker }}
+        TRIVY_SCAN_RESULTS: ${{ steps.harbor-scan-results.outputs.report-markdown }}
+      with:
+        script: |
+          const prs = await github.rest.pulls.list({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            head: `${context.repo.owner}:${context.ref.replace('refs/heads/', '')}`
+          });
+
+          if (prs.data.length <= 0) {
+            console.log('No open PR found for the current branch');
+            return;
+          }
+
+          const pr = prs.data[0];
+          // Check if there's already a comment from this workflow
+          const comments = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr.number
+            });
+            
+            const comment_marker = process.env.COMMENT_MARKER;
+            const buildComment = comments.data.find(comment => 
+              comment.body.includes(comment_marker)
+            );
+
+            const commentBody = `${comment_marker}
+            ${process.env.TRIVY_SCAN_RESULTS}
+            `;
+            
+            if (buildComment) {
+              // Update existing comment
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: buildComment.id,
+                body: commentBody
+              });
+
+              console.log(`Updated comment to PR #${pr.number}`);
+            } else {
+              // Create new comment
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pr.number,
+                body: commentBody
+              });
+
+              console.log(`Added comment to PR #${pr.number}`);
+            }