-
Notifications
You must be signed in to change notification settings - Fork 73
198 lines (178 loc) · 7.08 KB
/
build-images-from-branch.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
#
# OpenCRVS is also distributed under the terms of the Civil Registration
# & Healthcare Disclaimer located at http://opencrvs.org/license.
#
# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
name: Publish images to Dockerhub from any branch
on:
workflow_call:
inputs:
branch_name:
description: Branch to build from
required: true
type: string
workflow_dispatch:
inputs:
branch_name:
default: develop
required: true
description: Branch to build from
push:
branches:
- develop
- main
jobs:
base:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
if: github.event_name == 'workflow_dispatch'
with:
ref: '${{ github.event.inputs.branch_name }}'
- uses: actions/checkout@v4
if: github.event_name == 'push'
with:
ref: ${{ github.event.pull_request.head.sha }}
- uses: actions/checkout@v4
if: github.event_name == 'pull_request'
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Set version and branch
id: set-version-and-branch
run: |
export VERSION=`git log -1 --pretty=format:%h`
echo "Pushing version $VERSION"
echo "version=$VERSION" >> $GITHUB_OUTPUT
# the event_name is the event that triggered the caller workflow
# and not "workflow_call" like how it was supposed to be when
# another workflow is calling this one
if [ "${{ github.event_name }}" == 'push' ]; then
BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
elif [ "${{ github.event_name }}" == 'pull_request' ]; then
BRANCH=${{ github.event.pull_request.head.ref }}
else
BRANCH=${{ inputs.branch_name }}
fi
ESCAPED_BRANCH=$(echo $BRANCH | sed 's/[^a-zA-Z0-9_.-]/-/g')
echo "from branch $BRANCH"
echo "branch=$ESCAPED_BRANCH" >> $GITHUB_OUTPUT
- name: Get list of services
id: get-services
run: |
services=$(grep "^ [^ ]" docker-compose.yml | grep -v base| grep -v '#' | awk -F: '{print $1}' | sed -e 's/^ *//')
services_json=$(echo $services | tr '\n' ',' | sed 's/,$//' | jq -R 'split(" ")' | tr -d '\n')
# Set the list of service names as an output variable
echo "services=$services_json" >> $GITHUB_OUTPUT
echo "services=$services_json"
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build and push base image
uses: docker/build-push-action@v6
with:
file: packages/Dockerfile.base
context: .
push: true
tags: |
opencrvs/ocrvs-base:${{ steps.set-version-and-branch.outputs.version }}
opencrvs/ocrvs-base:${{ steps.set-version-and-branch.outputs.branch }}
cache-from: type=registry,ref=opencrvs/ocrvs-base:${{ steps.set-version-and-branch.outputs.branch }}
cache-to: type=inline
outputs:
services: ${{ steps.get-services.outputs.services }}
version: ${{ steps.set-version-and-branch.outputs.version }}
branch: ${{ steps.set-version-and-branch.outputs.branch }}
build:
needs: base
strategy:
fail-fast: false
matrix:
service: ${{ fromJSON(needs.base.outputs.services) }}
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
if: github.event_name == 'workflow_dispatch'
with:
ref: '${{ github.event.inputs.branch_name }}'
- uses: actions/checkout@v4
if: github.event_name == 'push' || github.event_name == 'pull_request'
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build and push
uses: docker/build-push-action@v6
with:
file: packages/${{ matrix.service }}/Dockerfile
build-args: |
VERSION=${{ needs.base.outputs.version }}
BRANCH=${{ needs.base.outputs.branch }}
push: true
context: .
tags: |
opencrvs/ocrvs-${{ matrix.service }}:${{ needs.base.outputs.version }}
opencrvs/ocrvs-${{ matrix.service }}:${{ needs.base.outputs.branch }}
cache-from: type=registry,ref=opencrvs/ocrvs-${{ matrix.service }}:${{ needs.base.outputs.branch }}
cache-to: type=inline
security-scans-pr:
needs: [build, base]
runs-on: ubuntu-22.04
if: github.event_name == 'pull_request'
strategy:
matrix:
service: ${{ fromJSON(needs.base.outputs.services) }}
steps:
- uses: actions/checkout@v4
with:
sparse-checkout: |
trivy.yaml
.trivyignore.yaml
sparse-checkout-cone-mode: false
- name: Gather Trivy output from base branch image
uses: aquasecurity/[email protected]
with:
image-ref: 'opencrvs/ocrvs-${{ matrix.service }}:${{ github.event.pull_request.base.ref }}'
trivy-config: trivy.yaml
format: 'sarif'
output: './trivy-results-base.sarif'
exit-code: '0'
- name: Gather Trivy output from newly build image
uses: aquasecurity/[email protected]
with:
image-ref: 'opencrvs/ocrvs-${{ matrix.service }}:${{ needs.base.outputs.version }}'
trivy-config: trivy.yaml
format: 'sarif'
output: './trivy-results-branch.sarif'
exit-code: '0'
- name: Remove lines that are always expected to be different
run: |
jq '.runs |= map(del(.originalUriBaseIds, .properties))' ${{ github.workspace }}/trivy-results-base.sarif > ${{ github.workspace }}/trivy-results-base.sarif
jq '.runs |= map(del(.originalUriBaseIds, .properties))' ${{ github.workspace }}/trivy-results-branch.sarif > ${{ github.workspace }}/trivy-results-branch.sarif
- name: Diff Trivy results to catch newly introduced vulnerabilities
run: diff -u ./trivy-results-base.sarif ./trivy-results-branch.sarif
security-scans-develop:
needs: [build, base]
runs-on: ubuntu-22.04
if: ${{ needs.base.outputs.branch == 'develop' }}
strategy:
fail-fast: false
matrix:
service: ${{ fromJSON(needs.base.outputs.services) }}
steps:
- uses: actions/checkout@v4
with:
sparse-checkout: |
trivy.yaml
.trivyignore.yaml
sparse-checkout-cone-mode: false
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: 'opencrvs/ocrvs-${{ matrix.service }}:${{ needs.base.outputs.version }}'
trivy-config: trivy.yaml