Build vault-agent container #77
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: vault-agent | |
| run-name: Build vault-agent container | |
| on: | |
| pull_request: | |
| paths: | |
| - pipelines/dockerfiles/vault-agent/** | |
| - '!pipelines/dockerfiles/vault-agent/Jenkinsfile' | |
| - '!pipelines/dockerfiles/vault-agent/config.yml' | |
| - '!pipelines/dockerfiles/vault-agent/Makefile' | |
| - .github/workflows/vault-agent.yml | |
| branches: [ master ] | |
| push: | |
| paths: | |
| - pipelines/dockerfiles/vault-agent/** | |
| - '!pipelines/dockerfiles/vault-agent/Jenkinsfile' | |
| - '!pipelines/dockerfiles/vault-agent/config.yml' | |
| - '!pipelines/dockerfiles/vault-agent/Makefile' | |
| - .github/workflows/vault-agent.yml | |
| branches: [ master ] | |
| workflow_dispatch: | |
| env: | |
| REPOSITORY: constantin07/vault-agent | |
| jobs: | |
| build: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| security-events: write | |
| defaults: | |
| run: | |
| working-directory: pipelines/dockerfiles/vault-agent | |
| steps: | |
| - name: Checkout source code | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3.3.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3.8.0 | |
| with: | |
| driver-opts: image=moby/buildkit:master | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3.3.0 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Get version | |
| run: | | |
| VAULT_VERSION=$(grep -E "^VAULT_VERSION" Makefile | awk '{print $3}') | |
| echo "VAULT_VERSION=$VAULT_VERSION" >> $GITHUB_ENV | |
| echo $VAULT_VERSION | |
| - name: Build image and export to docker | |
| uses: docker/build-push-action@v6.13.0 | |
| with: | |
| context: pipelines/dockerfiles/vault | |
| platforms: linux/amd64,linux/arm64 | |
| push: false | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: VAULT_VERSION=${{ env.VAULT_VERSION }} | |
| tags: ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} | |
| provenance: true | |
| load: false | |
| - name: Load amd64 platform image | |
| run: | | |
| docker buildx build --load --platform 'linux/amd64' \ | |
| --build-arg VAULT_VERSION=${{ env.VAULT_VERSION }} \ | |
| -t ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} . | |
| - name: Load arm64 platform image | |
| run: | | |
| docker buildx build --load --platform 'linux/arm64' \ | |
| --build-arg VAULT_VERSION=${{ env.VAULT_VERSION }} \ | |
| -t ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }}-arm64 . | |
| - name: Run trivy scan | |
| uses: aquasecurity/trivy-action@0.29.0 | |
| with: | |
| image-ref: ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} | |
| format: sarif | |
| output: trivy-results.sarif | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| - name: Test image | |
| run: docker run --rm -t --cap-add IPC_LOCK ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} vault --version | |
| - name: Push amd64 & arm64 platform images | |
| uses: docker/build-push-action@v6.13.0 | |
| with: | |
| context: pipelines/dockerfiles/vault | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| build-args: VAULT_VERSION=${{ env.VAULT_VERSION }} | |
| tags: ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} |