mirror of
https://github.com/ditkrg/build-image-workflow.git
synced 2026-01-22 22:36:43 +00:00
134 lines
3.8 KiB
YAML
134 lines
3.8 KiB
YAML
---
|
|
name: Build, Scan and Push Image
|
|
|
|
on:
|
|
workflow_call:
|
|
outputs:
|
|
tag:
|
|
value: ${{ jobs.build-push.outputs.tag }}
|
|
tags:
|
|
value: ${{ jobs.build-push.outputs.tags }}
|
|
|
|
inputs:
|
|
image:
|
|
type: string
|
|
required: true
|
|
description: Image name excluding registry
|
|
build-args:
|
|
type: string
|
|
required: false
|
|
description: "List of build-time variables"
|
|
file:
|
|
type: string
|
|
required: false
|
|
registry:
|
|
type: string
|
|
default: reg.dev.krd
|
|
required: false
|
|
|
|
runs-on:
|
|
type: string
|
|
default: "[ 'self-hosted', 'ubuntu-focal' ]"
|
|
required: false
|
|
|
|
# Trivy Options
|
|
trivy:
|
|
type: boolean
|
|
required: false
|
|
default: true
|
|
description: Enable trivy image vulnerability check
|
|
|
|
trivy-exit-code:
|
|
type: number
|
|
required: false
|
|
default: 0
|
|
description: Exit code when vulnerabilities were found
|
|
|
|
trivy-severity:
|
|
type: string
|
|
required: false
|
|
default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
|
description: severities of vulnerabilities to be displayed (comma separated)
|
|
|
|
trivy-format:
|
|
type: string
|
|
required: false
|
|
default: table
|
|
description: How to display the results
|
|
|
|
secrets:
|
|
username:
|
|
required: true
|
|
password:
|
|
required: true
|
|
build-secrets:
|
|
required: false
|
|
|
|
jobs:
|
|
build-push:
|
|
name: Build and Push
|
|
runs-on: ${{ fromJson(inputs.runs-on) }}
|
|
timeout-minutes: 10
|
|
outputs:
|
|
tag: ${{ fromJson(steps.meta.outputs.json).tags[0] }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
steps:
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v2
|
|
|
|
- id: meta
|
|
name: Extract Metadata
|
|
uses: docker/metadata-action@v4
|
|
with:
|
|
images: ${{ inputs.registry }}/{{ inputs.image }}
|
|
flavor: latest=false
|
|
tags: |
|
|
# Branches
|
|
type=ref,event=branch
|
|
type=ref,event=branch,suffix=-{{sha}},priority=8888 # 2
|
|
|
|
# Releases
|
|
type=semver,pattern={{major}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=semver,pattern={{version}},priority=9999 #1
|
|
|
|
- name: Login to Registry
|
|
uses: docker/login-action@v2
|
|
with:
|
|
registry: ${{ inputs.registry }}
|
|
username: ${{ secrets.username }}
|
|
password: ${{ secrets.password }}
|
|
|
|
- name: Build Docker images
|
|
if: ${{ inputs.trivy }}
|
|
uses: docker/build-push-action@v3
|
|
with:
|
|
load: true
|
|
file: ${{ inputs.file }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
cache-to: type=registry,ref=${{ inputs.registry }}/{{ inputs.image }}:buildcache,mode=max
|
|
cache-from: type=registry,ref=${{ inputs.registry }}/{{ inputs.image }}:buildcache
|
|
build-args: ${{ inputs.build-args }}
|
|
secrets: ${{ secrets.build-secrets }}
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
if: ${{ inputs.trivy }}
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: ${{ fromJson(steps.meta.outputs.json).tags[0] }}
|
|
format: ${{ inputs.format }}
|
|
exit-code: ${{ inputs.exit-code }}
|
|
severity: ${{ inputs.severity }}
|
|
|
|
- name: Build Docker images
|
|
if: ${{ inputs.trivy }}
|
|
uses: docker/build-push-action@v3
|
|
with:
|
|
load: true
|
|
file: ${{ inputs.file }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
cache-to: type=registry,ref=${{ inputs.registry }}/{{ inputs.image }}:buildcache,mode=max
|
|
cache-from: type=registry,ref=${{ inputs.registry }}/{{ inputs.image }}:buildcache
|
|
build-args: ${{ inputs.build-args }}
|
|
secrets: ${{ secrets.build-secrets }}
|