Skip to content

Commit

Permalink
feat: Update container build, scanning, and publishing
Browse files Browse the repository at this point in the history
  • Loading branch information
@GeekMasher
GeekMasher committed Nov 18, 2024
1 parent ec9a16e commit bd08e71
Show file tree
Hide file tree
Showing 3 changed files with 256 additions and 125 deletions.
124 changes: 124 additions & 0 deletions .github/workflows/container-publish.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,124 @@
name: Container Build and Release

on:
workflow_call:
inputs:
version:
description: "Semantic version of the image"
required: true
type: string

container-file:
description: "Path to the Dockerfile"
type: string
default: "Dockerfile"

container-name:
description: "Name of the container"
type: string
default: "${{ github.repository }}"

sbom:
description: "Generate and upload SBOM"
type: string
default: "true"

signing:
description: "Sign the image"
type: string
default: "false"

env:
REGISTRY: ghcr.io

jobs:
publish-image:
runs-on: ubuntu-latest

permissions:
# to upload SBOM
id-token: write
contents: write
# to upload Docker image
packages: write

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

- name: Log in to the Container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set Container Metadata
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
with:
images: ${{ env.REGISTRY }}/${{ inputs.container-name }}
tags: |
# latest / main
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
# SemVer
type=semver,pattern={{version}},value=${{ inputs.version }}
type=semver,pattern=v{{version}},value=${{ inputs.version }}
type=semver,pattern=v{{major}},value=${{ inputs.version }}
type=semver,pattern=v{{major}}.{{minor}},value=${{ inputs.version }}
- name: Build & Publish Container ${{ inputs.container-name }}
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
if: ${{ steps.set-version.outputs.release == 'true' }}
id: build
with:
file: "${{ inputs.container-file }}"
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# SBOM Settings
sbom: true

# Upload Software Bill of Materials (SBOM) to GitHub
- name: Upload SBOM
uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # v0.1.1
if: ${{ inputs.sbom == 'true' }}
with:
filePath: '.'
filePattern: '*.spdx.json'

sign-image:
runs-on: ubuntu-latest
needs: publish-image
# Sign the image only if it is being published
if: ${{ inputs.signing == 'true' && inputs.publish == 'true' }}

permissions:
# read the image from GitHub Container Registry
packages: read

steps:
- name: Checkout repository
uses: actions/checkout@v4

- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
with:
cosign-release: 'v2.4.1'

- name: Log in to the Container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Sign the published container
# This step uses the identity token to provision an ephemeral certificate against
# the sigstore community Fulcio instance.
run: |
cosign sign --yes \
${{ env.IMAGE_NAME }}@${{ needs.build-publish-image.outputs.digest }}
72 changes: 72 additions & 0 deletions .github/workflows/container-security.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
name: Container Security Scanning

on:
workflow_call:
inputs:
version:
description: "Semantic version of the image"
type: string

container-file:
description: "Path to the Dockerfile"
type: string
default: "Dockerfile"

container-name:
description: "Name of the container"
type: string
default: "${{ github.repository }}"

scanning-block:
description: "Block the build if vulnerabilities are found"
type: string
default: "false"

env:
REGISTRY: ghcr.io

jobs:
scan-image:
runs-on: ubuntu-latest

permissions:
contents: read

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

- name: Log in to the Container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build Initial Container ${{ inputs.container-name }}
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
id: build
with:
file: "${{ inputs.container-file }}"
context: .
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}

# Scan the image for vulnerabilities
- name: Run the Anchore / Grype scan action
if: ${{ inputs.scanning == 'true' }}
uses: anchore/scan-action@f2ba85e044c8f5e5014c9a539328a9c78d3bfa49 # v5.2.1
id: scan
with:
image: "${{ env.REGISTRY }}/${{ inputs.container-name }}:${{ steps.build.outputs.digest }}"
only-fixed: true
fail-build: ${{ inputs.scanning-block }}

- name: Upload vulnerability report
if: ${{ inputs.scanning == 'true' }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
Loading

0 comments on commit bd08e71

Please sign in to comment.