From e6fab9aaa3299b18098c778145e270e32b677cf0 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Mon, 23 Dec 2024 15:19:21 -0500
Subject: [PATCH] add unique image tagging, update contributing doc
---
 .../workflows/build_and_publish_images.yml | 27 ++++++++++--------
 .github/workflows/build_images.yml | 17 +++++++----
 images/contributing.md | 28 +++++++++++++++++--
 3 files changed, 53 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/build_and_publish_images.yml b/.github/workflows/build_and_publish_images.yml
index caebee7..125820a 100644
--- a/.github/workflows/build_and_publish_images.yml
+++ b/.github/workflows/build_and_publish_images.yml
@@ -15,7 +15,7 @@ jobs:
 working-directory: './images'
 steps:
 - name: 'Checkout GitHub Action'
- uses: actions/checkout@main
+ uses: actions/checkout@v4
 - name: 'Login to GitHub Container Registry'
 uses: docker/login-action@v3
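Review bot: `uses: actions/checkout@v4` is still a mutable reference — a major-version tag can be moved to a different commit by whoever controls the upstream repository, so the workflow's supply chain is only as strong as that account. Pin the action to its full commit SHA and keep the version in a trailing comment for readability, `uses: actions/checkout@<full-commit-sha-placeholder> # v4`, and apply the same to `docker/login-action@v3` on the line below; a dependency bot can then bump the SHA on each release. The identical hunk in `.github/workflows/build_images.yml` should get the same treatment. The enclosing `steps:` list continues past the end of this hunk.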
@@ -24,27 +24,32 @@ jobs:
 username: ${{github.actor}}
 password: ${{secrets.GITHUB_TOKEN}}
+ - name: Git SHA
+ shell: bash
+ run: |
+ echo "git_sha=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_ENV"
+
 - name: 'Build and Publish alpine image'
 run: |
- docker build -t ghcr.io/cfpb/regtech/sbl/alpine:3.18 -f Dockerfile-alpine .
- docker push ghcr.io/cfpb/regtech/sbl/alpine:3.18
+ docker build -t ghcr.io/cfpb/regtech/sbl/alpine:3.18_${{env.git_sha}} -f Dockerfile-alpine .
+ docker push ghcr.io/cfpb/regtech/sbl/alpine:3.18_${{env.git_sha}}
 - name: 'Build and Publish python-alpine image'
 run: |
- docker build -t ghcr.io/cfpb/regtech/sbl/python-alpine:3.12 -f Dockerfile-python-alpine .
- docker push ghcr.io/cfpb/regtech/sbl/python-alpine:3.12
+ docker build -t ghcr.io/cfpb/regtech/sbl/python-alpine:3.12_${{env.git_sha}} -f Dockerfile-python-alpine .
+ docker push ghcr.io/cfpb/regtech/sbl/python-alpine:3.12_${{env.git_sha}}
 - name: 'Build and Publish nginx-alpine image'
 run: |
- docker build -t ghcr.io/cfpb/regtech/sbl/nginx-alpine:1.27 -f Dockerfile-nginx-alpine .
- docker push ghcr.io/cfpb/regtech/sbl/nginx-alpine:1.27
+ docker build -t ghcr.io/cfpb/regtech/sbl/nginx-alpine:1.27_${{env.git_sha}} -f Dockerfile-nginx-alpine .
+ docker push ghcr.io/cfpb/regtech/sbl/nginx-alpine:1.27_${{env.git_sha}}
 - name: 'Build and Publish node-js-alpine image'
 run: |
- docker build -t ghcr.io/cfpb/regtech/sbl/node-js-alpine:3.20 -f Dockerfile-node-js-alpine .
- docker push ghcr.io/cfpb/regtech/sbl/node-js-alpine:3.20
+ docker build -t ghcr.io/cfpb/regtech/sbl/node-js-alpine:3.20_${{env.git_sha}} -f Dockerfile-node-js-alpine .
+ docker push ghcr.io/cfpb/regtech/sbl/node-js-alpine:3.20_${{env.git_sha}}
 - name: 'Build and Publish python-ubi8 image'
 run: |
- docker build -t ghcr.io/cfpb/regtech/sbl/python-ubi8:3.12 -f Dockerfile-python-ubi8 .
- docker push ghcr.io/cfpb/regtech/sbl/python-ubi8:3.12
+ docker build -t ghcr.io/cfpb/regtech/sbl/python-ubi8:3.12_${{env.git_sha}} -f Dockerfile-python-ubi8 .
+ docker push ghcr.io/cfpb/regtech/sbl/python-ubi8:3.12_${{env.git_sha}}
diff --git a/.github/workflows/build_images.yml b/.github/workflows/build_images.yml
index 62c370f..faaa851 100644
--- a/.github/workflows/build_images.yml
+++ b/.github/workflows/build_images.yml
@@ -13,7 +13,7 @@ jobs:
 working-directory: './images'
 steps:
 - name: 'Checkout GitHub Action'
- uses: actions/checkout@main
+ uses: actions/checkout@v4
 - name: 'Login to GitHub Container Registry'
 uses: docker/login-action@v3
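Review bot: The five build steps in this hunk (part of a `steps:` list that begins above it) now tag each image only as `<version>_${{env.git_sha}}`, and the plain `3.18`, `3.12`, `1.27` and `3.20` tags that were pushed before are no longer produced, so any consumer still pulling those tags stops receiving the weekly rebuilds that the contributing doc in this same commit describes as the security-patch mechanism. Build with both tags and push both, e.g. `docker build -t ghcr.io/cfpb/regtech/sbl/alpine:3.18 -t ghcr.io/cfpb/regtech/sbl/alpine:3.18_$git_sha -f Dockerfile-alpine .`, `docker push ghcr.io/cfpb/regtech/sbl/alpine:3.18`, `docker push ghcr.io/cfpb/regtech/sbl/alpine:3.18_$git_sha`, and repeat for the other four images. Reading the value as the shell variable `$git_sha` rather than the `${{env.git_sha}}` expression is intentional: the `Git SHA` step already exports it through `$GITHUB_ENV`, and keeping expression interpolation out of `run:` scripts is the pattern GitHub's workflow-hardening guidance recommends; the build steps in `build_images.yml` have the same shape. Because a scheduled run on an unchanged `main` yields the same short SHA, the weekly rebuild will overwrite an existing `_<sha>` tag with newer base layers, so the tag pins a commit rather than a specific image build — publishing the image digest alongside it would give applications a truly immutable reference.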
@@ -22,22 +22,27 @@ jobs:
 username: ${{github.actor}}
 password: ${{secrets.GITHUB_TOKEN}}
+ - name: Git SHA
+ shell: bash
+ run: |
+ echo "git_sha=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_ENV"
+
 - name: 'Build alpine image'
 run: |
- docker build -t ghcr.io/cfpb/regtech/sbl/alpine:3.18 -f Dockerfile-alpine .
+ docker build -t ghcr.io/cfpb/regtech/sbl/alpine:3.18_${{env.git_sha}} -f Dockerfile-alpine .
 - name: 'Build python-alpine image'
 run: |
- docker build -t ghcr.io/cfpb/regtech/sbl/python-alpine:3.12 -f Dockerfile-python-alpine .
+ docker build -t ghcr.io/cfpb/regtech/sbl/python-alpine:3.12_${{env.git_sha}} -f Dockerfile-python-alpine .
 - name: 'Build nginx-alpine image'
 run: |
- docker build -t ghcr.io/cfpb/regtech/sbl/nginx-alpine:1.27 -f Dockerfile-nginx-alpine .
+ docker build -t ghcr.io/cfpb/regtech/sbl/nginx-alpine:1.27_${{env.git_sha}} -f Dockerfile-nginx-alpine .
 - name: 'Build node-js-alpine image'
 run: |
- docker build -t ghcr.io/cfpb/regtech/sbl/node-js-alpine:3.20 -f Dockerfile-node-js-alpine .
+ docker build -t ghcr.io/cfpb/regtech/sbl/node-js-alpine:3.20_${{env.git_sha}} -f Dockerfile-node-js-alpine .
 - name: 'Build python-ubi8 image'
 run: |
- docker build -t ghcr.io/cfpb/regtech/sbl/python-ubi8:3.12 -f Dockerfile-python-ubi8 .
+ docker build -t ghcr.io/cfpb/regtech/sbl/python-ubi8:3.12_${{env.git_sha}} -f Dockerfile-python-ubi8 .
diff --git a/images/contributing.md b/images/contributing.md
index bd5ab4c..1930fb6 100644
--- a/images/contributing.md
+++ b/images/contributing.md
@@ -2,7 +2,31 @@ Reference [Github's documentation](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry) as needed.
-## Authenticating with GHCR
+
+ ## Pipeline Build and Publish Core Images
+ We now have a GHA pipeline to build and publish these base images to the GHCR.
+
+ #### On Pull Requests
+ [build_images](../.github/workflows/build_images.yml) - runs on Pull Requests to test the image build only.
+
+ #### On Merge to Main
+ [build_and_publish_images](../.github/workflows/build_and_publish_images.yml) - runs on Merge to Main. This workflow will build and publish the images to Github Container Registry (GHCR).
+
+ > **NOTE** The `build_and_publish_images` workflow is also scheduled to run weekly every Sunday at 5 AM to help keep the base images up-to-date with the latest security patches and such.
+
+ #### Core Image tagging
+ We now add a unique tag to each published set of images that are included in the `build_and_publish_images` workflow.
+ Tagging is using standard git sha shortend and appended to the image tag.
+
+ Example image with new tag format: `ghcr.io/cfpb/regtech/sbl/python-alpine:3.12_xxxxxxxx`
+
+ This will allow applications to pin to specific builds in the event a new change is introduced to latest that doesn't play nice with the application.
+
+ ---
+
+ ## Local Machine build and push core images (old depracated method)
+
+ #### Authenticating with GHCR
 Generate a classic PAT token with the `read:packages`, `write:packages`, and `delete:packages` permissions.
@@ -13,7 +37,7 @@ $ echo $CR_PAT | docker login ghcr.io -u USERNAME --password-stdin
 > Login Succeeded
 ```
-## Build and push to GCR
+#### Build and push to GCR
 ```bash
 $ docker build -t ghcr.io/cfpb/regtech/sbl/alpine:3.18 -f Dockerfile-alpine .