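name: Build, Scan, and Lint Images
# Lints the Dockerfile (hadolint), builds the image with buildx, pushes it to ECR
# with the metadata-action tags, then runs a Trivy vulnerability scan against the
# pushed image. Matrix values (dockerfile, build args, tag rules, skip list) drive
# every step so a second image can be added as another `include` entry.
#
# If scanning fails, you can delete the cache and have it rebuild from scratch.
# This _may_ fix the vulnerability. Delete the caches prefixed with Linux-buildx-cas,
# specifically, if you look in the failed action at the Cache Docker Layers step, the
# layer listed under `Cache restored from key:`
# https://github.com/greenriver/boston-cas/actions/caches?query=linux-buildx
#
# NOTE(review): every third-party action and the hadolint image are referenced by a
# mutable tag (vN, latest-alpine). Pinning them to a commit SHA / image digest
# (see each `uses:` line) is the usual supply-chain hardening for a workflow that
# holds an OIDC deploy role and pushes production images.
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - "*"
      - "**/*"
# Branch pushes will cancel any running jobs to the same branch
concurrency:
  group: ${{ github.ref }}-newbuild
  cancel-in-progress: true
jobs:
  build:
    name: Build
    runs-on: ubuntu-22.04
    # Supports OIDC to fetch/push images from/to ECR.
    # `id-token: write` is what lets configure-aws-credentials assume the role below.
    # NOTE(review): nothing in this file writes to pull requests (the only step that
    # would report anything is commented out at the bottom); `pull-requests: write`
    # can likely be dropped to keep the GITHUB_TOKEN at least privilege — confirm
    # before removing.
    permissions:
      contents: read
      id-token: write
      pull-requests: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: Open Path CAS
            context: .
            dockerfile: docker/app/Dockerfile
            # When true the implicit `latest` tag is pushed alongside the metadata tags.
            keep_latest_tag: true
            cache_key: cas
            hadolint_ignore: DL3018,DL3013
            # Paths excluded from the Trivy scan inside the built image.
            # NOTE(review): these are a private key and two SSH host keys; confirm
            # they are placeholder/dev material and not real keys baked into an
            # image that is pushed to ECR.
            trivy_skip_files: /app/config/key.pem,/app/docker/sftp/ssh_host_ed25519_key,/app/docker/sftp/ssh_host_rsa_key
            target: prod-build
            build-args: |
              BUILD_TAG=3.1.6-alpine3.20
              BUNDLER_VERSION=2.5.17
              USER_ID=10000
              GROUP_ID=10000
            # docker/metadata-action tag rules (see the Docker metadata step).
            tags: |
              type=sha,prefix=githash-
              type=ref,event=branch,prefix=branch-
              type=raw,event=branch,value=branch-{{branch}}-{{sha}}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # Matrix values are handed to the script through `env:` rather than being
      # interpolated into the script text, and every expansion is quoted.
      - name: Dockerfile Lint
        shell: bash
        env:
          HADOLINT_IGNORE: ${{ matrix.hadolint_ignore }}
          DOCKERFILE: ${{ matrix.dockerfile }}
        run: |
          docker run -v "$(pwd)/.hadolint.yaml:/.hadolint.yaml" \
            -e HADOLINT_IGNORE="${HADOLINT_IGNORE}" \
            -v "$(pwd)/${DOCKERFILE}:/Dockerfile" \
            --rm -i ghcr.io/hadolint/hadolint:latest-alpine hadolint /Dockerfile
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3
      # Layer cache is keyed per run; restore-keys falls back to the newest cache
      # for the same OS and image.
      - name: Cache Docker layers
        uses: actions/cache@v4
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ matrix.cache_key }}-${{ github.run_id }}
          restore-keys: |
            ${{ runner.os }}-buildx-${{ matrix.cache_key }}
      - name: Configure AWS credentials for OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
          role-session-name: warehouse-github-action
      # Writes the commit SHA and branch name into the build context so the image
      # can report them; bin/error_if_githash_is_latest.rb is a repo script whose
      # check is not visible here.
      - name: Prepare
        id: prep
        env:
          SHA: ${{ github.sha }}
          BRANCH: ${{ github.ref_name }}
        run: |
          echo "$SHA" > docker/app/REVISION
          echo "$BRANCH" > docker/app/GIT_BRANCH
          bin/error_if_githash_is_latest.rb base
      # https://github.com/docker/metadata-action#images-input
      # The matrix defines no `flavor` key, so `matrix.flavor` expands to an empty
      # string and the action's defaults apply.
      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        env:
          DOCKER_METADATA_SHORT_SHA_LENGTH: "7"
        with:
          images: ${{ secrets.ECR_REPOSITORY_URI }}
          flavor: ${{ matrix.flavor }}
          tags: ${{ matrix.tags }}
      # The registry host is the first path segment of the repository URI; the
      # password is fed over stdin so it never appears on a command line.
      - name: Log in to ECR
        shell: bash
        env:
          image: ${{ secrets.ECR_REPOSITORY_URI }}
        run: |
          username=AWS
          export AWS_REGION=us-east-1
          echo Getting password for ECR
          password=$(aws ecr get-login-password --region us-east-1)
          host=$(echo "$image" | cut -d/ -f1)
          echo "Logging in to $host"
          echo "$password" | docker login "$host" -u "$username" --password-stdin
      # https://github.com/docker/build-push-action
      # `load: true` puts the image in the local daemon under the bare repository
      # URI (an implicit `latest` tag); the push step below retags it.
      - name: Build image
        uses: docker/build-push-action@v5
        with:
          context: ${{ matrix.context }}
          builder: ${{ steps.buildx.outputs.name }}
          labels: ${{ steps.meta.outputs.labels }}
          target: ${{ matrix.target }}
          file: ${{ matrix.dockerfile }}
          load: true
          tags: ${{ secrets.ECR_REPOSITORY_URI }}
          build-args: ${{ matrix.build-args }}
          cache-from: type=local,src=/tmp/.buildx-cache/${{ matrix.cache_key }}
          cache-to: type=local,dest=/tmp/.buildx-cache/${{ matrix.cache_key }},mode=max
      # The branch-derived tag list is passed via env so it is never spliced into
      # the script text; each line becomes one `docker tag` call.
      - name: Push image with tags
        shell: bash
        env:
          image: ${{ secrets.ECR_REPOSITORY_URI }}
          TAGS: ${{ steps.meta.outputs.tags }}
          KEEP_LATEST_TAG: ${{ matrix.keep_latest_tag }}
        run: |
          echo "${TAGS}" | xargs -I TAG -n1 docker tag "${image}" TAG
          # docker image ls
          if [[ "${KEEP_LATEST_TAG}" != "true" ]]
          then
            docker image rm "${image}:latest"
          fi
          docker push --all-tags "${image}"
      # Looks up the digest of the `latest` trivy-db package on GHCR to use as the
      # DB cache key. An empty result (API failure) is reported but does not fail
      # the job, matching the previous best-effort behaviour; the cache key then
      # simply has no digest suffix.
      # NOTE(review): the scan step below pulls the DB from public.ecr.aws, so this
      # GHCR digest is a cache key only and may not match the DB actually used.
      - name: Check trivy db sha
        id: trivy-db
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
          headers='Accept: application/vnd.github+json'
          jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
          sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
          if [[ -z "${sha}" ]]; then
            echo "::warning::Could not determine the latest trivy-db digest; cache key will have no digest suffix"
          fi
          echo "Trivy DB sha256:${sha}"
          echo "sha=${sha}" >> "$GITHUB_OUTPUT"
      - name: Cache trivy db
        uses: actions/cache@v4
        with:
          path: .trivy
          key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db.outputs.sha }}
      # https://github.com/aquasecurity/trivy-action
      # Fails the job (exit-code 1) on any fixable CRITICAL/HIGH finding.
      # NOTE(review): the action ref below was garbled by the page extraction
      # ("[email protected]"); restore the intended tagged release, preferably pinned
      # to its commit SHA.
      - name: Run vulnerability scan
        id: vuln_scan
        uses: aquasecurity/[email protected]
        env:
          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
          TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1"
        with:
          image-ref: ${{ secrets.ECR_REPOSITORY_URI }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          cache-dir: .trivy
          skip-files: ${{ matrix.trivy_skip_files }}
      # The scan runs in a container and leaves .trivy owned by another uid;
      # reset it to the workspace owner so the cache step can save it.
      - name: Fix .trivy permissions
        run: sudo chown -R "$(stat . -c %u:%g)" .trivy
      # Not completely sure this remains private
      # - name: Report
      #   shell: bash
      #   run: |
      #     echo "### Tags" >> $GITHUB_STEP_SUMMARY
      #     echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
      #     echo '' >> $GITHUB_STEP_SUMMARY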