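# Composite action: build a container image, optionally scan it with Trivy
# before anything is published, then build and push the tagged image.
#
# NOTE(review): the action metadata syntax requires top-level `name` and
# `description`; neither appears in this listing — confirm they exist in the
# repository file.
#
# Supply-chain note: several `uses:` references below point at mutable refs
# (major tags, `master`). Prefer pinning each action to an immutable commit
# SHA and bumping it deliberately.
inputs:
  IMAGE_REPOSITORY:
    description: "Registry host; used for the registry login and as the prefix of the image reference"
    required: true
  BUILD_CONTEXT:
    description: "Docker build context passed to both build steps"
    required: true
  BUILD_TARGET:
    description: "Sets the target stage to build"
    required: false
  IMAGE_NAME:
    description: "Image name appended to IMAGE_REPOSITORY to form the image reference"
    required: true
  REGISTRY_JSON_KEY:
    description: "JSON key used as the registry password (username _json_key); pass it from a secret so it is masked in logs"
    required: true
  SECURITY_SCAN:
    # Action inputs are always strings; the step conditions below compare
    # against the literal 'true' / 'false'. (`type:` is not part of the
    # action metadata syntax, so it was dropped.)
    description: "When 'true', build the image locally and scan it with Trivy before pushing"
    default: "true"
  BUILD_ARGS:
    description: All build args
    required: false
  SKIP_CHECKOUT:
    description: "Allows to skip checkout to generate Dockerfile manually"
    default: "false"

runs:
  using: "composite"
  steps:
    - name: Check inputs
      # `required: true` is not reliably enforced at runtime for composite
      # actions, so the mandatory inputs are verified explicitly. They are
      # handed to the script through `env` instead of being interpolated
      # into the script text, so input content cannot alter the shell code.
      shell: bash
      env:
        IMAGE_REPOSITORY: ${{ inputs.IMAGE_REPOSITORY }}
        BUILD_CONTEXT: ${{ inputs.BUILD_CONTEXT }}
        IMAGE_NAME: ${{ inputs.IMAGE_NAME }}
        REGISTRY_JSON_KEY: ${{ inputs.REGISTRY_JSON_KEY }}
      run: |
        missing=0
        for input_name in IMAGE_REPOSITORY BUILD_CONTEXT IMAGE_NAME REGISTRY_JSON_KEY; do
          if [ -z "${!input_name}" ]; then
            echo "inputs.${input_name} is missing"
            missing=1
          fi
        done
        if [ "$missing" -ne 0 ]; then exit 1; fi

    - name: Checkout code
      if: inputs.SKIP_CHECKOUT == 'false'
      # TODO(review): the version pin is not recoverable from the source
      # listing; restore it (preferably an immutable commit SHA).
      uses: "actions/checkout@<version-pin-from-original-file>"

    - name: Docker meta
      id: meta
      uses: docker/metadata-action@v3
      with:
        images: ${{ inputs.IMAGE_REPOSITORY }}/${{ inputs.IMAGE_NAME }}
        tags: |
          type=ref,event=branch
          type=ref,event=pr
          type=ref,event=tag
          type=semver,pattern={{version}}
          type=semver,pattern={{major}}.{{minor}}
          type=sha

    - name: Set up Docker Buildx
      id: buildx
      # TODO(review): the version pin is not recoverable from the source
      # listing; restore it (preferably an immutable commit SHA).
      uses: "docker/setup-buildx-action@<version-pin-from-original-file>"

    - name: Login to registry
      uses: docker/login-action@v1
      with:
        registry: ${{ inputs.IMAGE_REPOSITORY }}
        username: _json_key
        password: ${{ inputs.REGISTRY_JSON_KEY }}

    # Only when SECURITY_SCAN is 'true': build the image locally (loaded, not
    # pushed) and scan it. Because the scanner exits non-zero on findings,
    # a failed scan stops the job before the push step runs — this is the
    # gate that keeps vulnerable images out of the registry.
    - name: Build image locally first
      if: inputs.SECURITY_SCAN == 'true'
      id: docker_build
      # TODO(review): the version pin is not recoverable from the source
      # listing; restore it (preferably an immutable commit SHA).
      uses: "docker/build-push-action@<version-pin-from-original-file>"
      with:
        context: ${{ inputs.BUILD_CONTEXT }}
        tags: local
        pull: true
        build-args: ${{ inputs.BUILD_ARGS }}
        target: ${{ inputs.BUILD_TARGET }}
        load: true
        cache-from: |
          type=gha,scope=${{ github.ref }}
          type=gha,scope=refs/heads/main
        cache-to: |
          type=gha,scope=${{ github.ref }},mode=max

    - name: create empty .trivyignore if file is missing
      if: inputs.SECURITY_SCAN == 'true'
      shell: bash
      run: touch .trivyignore

    - name: Run Trivy vulnerability scanner
      if: inputs.SECURITY_SCAN == 'true'
      # TODO(security): `master` is a mutable ref, so the scanner code can
      # change without review; pin to an immutable tag or commit SHA.
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: local
        format: "table"
        # Non-zero exit on findings fails the job before the push step.
        exit-code: "1"
        ignore-unfixed: true
        vuln-type: "os,library"
        severity: "CRITICAL,HIGH"
        trivyignores: .trivyignore

    # If the scan ran, the layers are already in the GHA cache; otherwise this
    # is the first build. `build-args` is passed here as well so the pushed
    # image is built from the same inputs as the scanned one (the original
    # push step omitted it, so the two builds could diverge).
    - name: Build image and push to registry
      id: docker_build_push
      # TODO(review): the version pin is not recoverable from the source
      # listing; restore it (preferably an immutable commit SHA).
      uses: "docker/build-push-action@<version-pin-from-original-file>"
      with:
        context: ${{ inputs.BUILD_CONTEXT }}
        tags: ${{ steps.meta.outputs.tags }}
        build-args: ${{ inputs.BUILD_ARGS }}
        target: ${{ inputs.BUILD_TARGET }}
        push: true
        cache-from: |
          type=gha,scope=${{ github.ref }}
          type=gha,scope=refs/heads/main
        cache-to: |
          type=gha,scope=${{ github.ref }},mode=max

    - name: Image digest
      shell: bash
      # Step output is passed via `env` rather than interpolated into the
      # script text, matching the input-check step above.
      env:
        IMAGE_DIGEST: ${{ steps.docker_build_push.outputs.digest }}
      run: echo "$IMAGE_DIGEST"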