-
Notifications
You must be signed in to change notification settings - Fork 1
171 lines (148 loc) · 6.38 KB
/
.github-ci.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
name: Build, Test, and Deploy Docker Image
on:
push:
branches: [eoepca-beta01]
jobs:
build:
runs-on: ubuntu-latest
steps:
# Step 1: Checkout repository
- uses: actions/checkout@v4
# Step 2: Install Trivy
- name: Install Trivy
run: |
sudo apt-get update -y
sudo apt-get install -y wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update -y
sudo apt-get install -y trivy
# Step 3: Read image name
- name: Read docker name
id: yaml-docker-name
uses: jbutcher5/read-yaml@main
with:
file: 'build.yml'
key-path: '["docker_image_name"]'
# Step 4: Read image version
- name: Read docker version
id: yaml-docker-version
uses: jbutcher5/read-yaml@main
with:
file: 'build.yml'
key-path: '["docker_image_version"]'
# Step 5: Generate Docker tag
- name: Generate docker tag
env:
GITHUB_BRANCH: ${{ github.ref }}
docker_image_name: ${{ steps.yaml-docker-name.outputs.data }}
docker_image_version: ${{ steps.yaml-docker-version.outputs.data }}
run: |
branch_name=${GITHUB_BRANCH#refs/heads/}
echo "branch_name=${GITHUB_BRANCH#refs/heads/}" >> $GITHUB_ENV
if [[ "$branch_name" = "main" ]]
then
mType=""
else
mType="dev"
fi
echo "docker_tag=$docker_image_name:$docker_image_version" >> $GITHUB_ENV
echo "docker_tag_latest=$docker_image_name:latest" >> $GITHUB_ENV
docker_image_application=(${docker_image_name#*/})
echo "docker_image_application=$docker_image_application" >> $GITHUB_ENV
echo "docker_image_version=$docker_image_version" >> $GITHUB_ENV
# Step 6: Build Docker image to inspect it with Trivy
- name: Build Docker image
run: |
tag="${docker_image_application}:${docker_image_version}"
echo "${{ secrets.CR_PASSWORD }}" | docker login -u "${{ secrets.CR_USERNAME }}" --password-stdin "${{ secrets.CR_REGISTRY }}"
docker build -t "${tag}" --file Dockerfile .
# Step 7: Save Docker image as tar.gz
- name: Save Docker Image as tar.gz
run: |
tag="${docker_image_application}:${docker_image_version}"
docker save "${tag}" -o "${docker_image_application}_${docker_image_version}.tar"
tar -czf "${docker_image_application}_${docker_image_version}.tar.gz" "${docker_image_application}_${docker_image_version}.tar"
# Step 8: Upload Docker Image tar.gz as an artifact
- name: Upload Docker Image Artifact
uses: actions/upload-artifact@v3
with:
name: docker-image-tar
path: ${{ env.docker_image_application }}_${{ env.docker_image_version }}.tar.gz
# Step 9: Scan Docker Image with Trivy
- name: Scan Docker Image with Trivy
run: |
tag="${docker_image_application}:${docker_image_version}"
echo "${{ secrets.CR_PASSWORD }}" | docker login -u "${{ secrets.CR_USERNAME }}" --password-stdin "${{ secrets.CR_REGISTRY }}"
trivy image --no-progress --exit-code 1 --severity HIGH,CRITICAL,UNKNOWN --format table "${{ secrets.CR_REGISTRY }}/${{ secrets.CR_REPO }}/${tag}"
deploy:
needs: build
runs-on: ubuntu-latest
steps:
# Step 1: Checkout repository
- uses: actions/checkout@v4
# Step 2: Read image name
- name: Read docker name
id: yaml-docker-name
uses: jbutcher5/read-yaml@main
with:
file: 'build.yml'
key-path: '["docker_image_name"]'
# Step 3: Read image version
- name: Read docker version
id: yaml-docker-version
uses: jbutcher5/read-yaml@main
with:
file: 'build.yml'
key-path: '["docker_image_version"]'
# Step 4: Generate Docker tag
- name: Generate docker tag
env:
GITHUB_BRANCH: ${{ github.ref }}
docker_image_name: ${{ steps.yaml-docker-name.outputs.data }}
docker_image_version: ${{ steps.yaml-docker-version.outputs.data }}
run: |
branch_name=${GITHUB_BRANCH#refs/heads/}
echo "branch_name=${GITHUB_BRANCH#refs/heads/}" >> $GITHUB_ENV
echo "docker_tag=$docker_image_name:$docker_image_version" >> $GITHUB_ENV
echo "docker_tag_latest=$docker_image_name:latest" >> $GITHUB_ENV
docker_image_application=(${docker_image_name#*/})
echo "docker_image_application=$docker_image_application" >> $GITHUB_ENV
echo "docker_image_version=$docker_image_version" >> $GITHUB_ENV
# Step 5: Download Docker Image tar.gz Artifact
- name: Download Docker Image Artifact
uses: actions/download-artifact@v3
with:
name: docker-image-tar
# Step 6: Extract the Docker Image tar.gz
- name: Extract Docker Image tar.gz
run: |
tar -xzf "${docker_image_application}_${docker_image_version}.tar.gz"
# Step 7: Load Docker Image
- name: Load Docker Image
run: |
docker load -i "${docker_image_application}_${docker_image_version}.tar"
# Step 8: Log in to Docker Registry (use GitHub secrets for security)
- name: Login to Docker Registry
run: |
echo "${{ secrets.CR_PASSWORD }}" | docker login -u "${{ secrets.CR_USERNAME }}" --password-stdin "${{ secrets.CR_REGISTRY }}"
# Step 9: Push Docker Image to Registry
- name: Push Docker Image to Registry
run: |
tag="${docker_image_application}:${docker_image_version}"
docker tag "${tag}" "${{ secrets.CR_REGISTRY }}"/"${{ secrets.CR_REPO }}"/"${tag}"
docker push "${{ secrets.CR_REGISTRY }}"/"${{ secrets.CR_REPO }}"/"${tag}"
# Step 10: Login Docker Hub
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
# Step 11: Push to Docker Hub
- name: push to Docker Hub
run: |
tag="${docker_image_application}:${docker_image_version}"
docker tag "${tag}" "docker.io/${{ env.docker_tag }}"
docker tag "${tag}" "docker.io/${{ env.docker_tag_latest }}"
docker push "docker.io/${{ env.docker_tag }}"
docker push "docker.io/${{ env.docker_tag_latest }}"