mirror of
https://github.com/ditkrg/build-image-workflow.git
synced 2026-01-22 22:36:43 +00:00
Shkar T. Noori
95127ca9d2
This update introduces new input parameters for enabling harbor scan report retrieval and commenting on pull requests. The action now includes logic to comment on the PR with scan results, enhancing visibility and feedback during the CI/CD process.
182 lines
5.4 KiB
YAML
182 lines
5.4 KiB
YAML
name: "Build, Scan and Push Image"
|
|
description: "Build, Scan and Push Image to Self Hosted Registry"
|
|
inputs:
|
|
push:
|
|
description: "Push to Registry"
|
|
required: false
|
|
default: "true"
|
|
image:
|
|
description: "Image Name"
|
|
required: true
|
|
build-args:
|
|
description: "Build Arguments"
|
|
required: false
|
|
file:
|
|
description: "Dockerfile Path"
|
|
required: false
|
|
registry:
|
|
description: "Registry URL"
|
|
required: true
|
|
default: reg.dev.krd
|
|
|
|
username:
|
|
required: true
|
|
description: "Username for registry"
|
|
password:
|
|
required: true
|
|
description: "Password for registry"
|
|
build-secrets:
|
|
required: false
|
|
description: "Build Secrets"
|
|
|
|
harbor-scan-report:
|
|
required: false
|
|
default: "true"
|
|
description: "Should try to get harbor scan report"
|
|
|
|
comment-harbor-scan-report:
|
|
required: false
|
|
default: "true"
|
|
description: "Should comment harbor scan report on PR"
|
|
|
|
harbor-scan-report-comment-marker:
|
|
required: false
|
|
default: '<!-- actions-comment-pull-request "build-and-push" -->'
|
|
description: "Comment marker for harbor scan report"
|
|
|
|
outputs:
|
|
digest:
|
|
description: "Digest"
|
|
value: ${{ steps.build-and-push.outputs.digest }}
|
|
tag:
|
|
description: "Image Tag"
|
|
value: ${{ steps.set_tag.outputs.tag }}
|
|
tags:
|
|
description: "Image Tags"
|
|
value: ${{ steps.meta.outputs.tags }}
|
|
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- id: meta
|
|
name: Extract Metadata
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ inputs.registry }}/${{ inputs.image }}
|
|
flavor: latest=false
|
|
tags: |
|
|
# Pull Request
|
|
type=ref,event=pr
|
|
type=ref,event=pr,suffix=-{{sha}},priority=8887 # 2
|
|
|
|
# Branches
|
|
type=ref,event=branch
|
|
type=ref,event=branch,suffix=-{{sha}},priority=8888 # 2
|
|
|
|
# Releases
|
|
type=semver,pattern={{major}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=semver,pattern={{version}},priority=9999 #1
|
|
|
|
- name: Login to Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ inputs.registry }}
|
|
username: ${{ inputs.username }}
|
|
password: ${{ inputs.password }}
|
|
|
|
- name: Build Docker images
|
|
uses: docker/build-push-action@v6
|
|
id: build-and-push
|
|
with:
|
|
push: ${{ inputs.push }}
|
|
file: ${{ inputs.file }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
cache-to: type=registry,ref=${{ inputs.registry }}/${{ inputs.image }}:buildcache,mode=max
|
|
cache-from: type=registry,ref=${{ inputs.registry }}/${{ inputs.image }}:buildcache
|
|
build-args: ${{ inputs.build-args }}
|
|
secrets: ${{ inputs.build-secrets }}
|
|
|
|
- name: Set Tag
|
|
id: set_tag
|
|
shell: bash
|
|
run: |
|
|
|
|
extracted_tag=$(echo "$json" | jq -r '.tags | .[0]')
|
|
echo "tag=$extracted_tag" >> $GITHUB_OUTPUT
|
|
|
|
env:
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
json: ${{ steps.meta.outputs.json }}
|
|
|
|
- name: Harbor Scan Results
|
|
id: harbor-scan-results
|
|
if: ${{ inputs.harbor-scan-report }} == 'true'
|
|
uses: ditkrg/harbor-scan-results-action@main
|
|
with:
|
|
image: ${{ steps.set_tag.outputs.tag }}
|
|
username: ${{ inputs.username }}
|
|
password: ${{ inputs.password }}
|
|
digest: ${{ steps.build-and-push.outputs.digest }}
|
|
|
|
- name: Comment on active branch PR
|
|
uses: actions/github-script@v7
|
|
if: ${{ inputs.comment-harbor-scan-report }} == 'true'
|
|
env:
|
|
COMMENT_MARKER: ${{ inputs.harbor-scan-report-comment-marker }}
|
|
TRIVY_SCAN_RESULTS: ${{ steps.harbor-scan-results.outputs.report-markdown }}
|
|
with:
|
|
script: |
|
|
const prs = await github.rest.pulls.list({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
head: `${context.repo.owner}:${context.ref.replace('refs/heads/', '')}`
|
|
});
|
|
|
|
if (prs.data.length <= 0) {
|
|
console.log('No open PR found for the current branch');
|
|
return;
|
|
}
|
|
|
|
const pr = prs.data[0];
|
|
// Check if there's already a comment from this workflow
|
|
const comments = await github.rest.issues.listComments({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: pr.number
|
|
});
|
|
|
|
const comment_marker = process.env.COMMENT_MARKER;
|
|
const buildComment = comments.data.find(comment =>
|
|
comment.body.includes(comment_marker)
|
|
);
|
|
|
|
const commentBody = `${comment_marker}
|
|
${process.env.TRIVY_SCAN_RESULTS}
|
|
`;
|
|
|
|
if (buildComment) {
|
|
// Update existing comment
|
|
await github.rest.issues.updateComment({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
comment_id: buildComment.id,
|
|
body: commentBody
|
|
});
|
|
|
|
console.log(`Updated comment to PR #${pr.number}`);
|
|
} else {
|
|
// Create new comment
|
|
await github.rest.issues.createComment({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: pr.number,
|
|
body: commentBody
|
|
});
|
|
|
|
console.log(`Added comment to PR #${pr.number}`);
|
|
}
|