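# Builds four GS64 image variants (server, rowan, base, gem) from
# ./source/Dockerfile. On push / workflow_dispatch the images are pushed to
# ghcr.io and the server image is scanned with Trivy; on pull_request the
# images are only built (no login, no push, no scan).
name: Build and Publish Docker Images

on:
  workflow_dispatch:
  push:
    branches:
      - '**'
    tags:
      - 'v*.*.*'
  # Note: with `branches: '**'` a PR from a branch in this repository triggers
  # both a push run and a pull_request run.
  pull_request:

jobs:
  build_and_publish:
    name: Build and Publish Docker images
    # Registry auth uses the DOCKER_REGISTRY_* secrets (not GITHUB_TOKEN), so
    # `packages: write` is not needed. `security-events: write` is required only
    # by the SARIF upload step at the end.
    permissions:
      contents: read
      security-events: write
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so the dotted version is kept as a string, not parsed as a number.
        version:
          - '3.7.1.1'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Skipped for pull_request: nothing is pushed there, so no credentials are
      # needed (and PRs from forks do not receive repository secrets anyway).
      - name: Login to Container Registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
          password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}

      # GS64 server image.
      # metadata-action derives tags/labels from the triggering ref (branch or
      # git tag) and normalises the image name (lowercase, sanitised ref).
      - name: Gather docker meta data for server image
        id: docker_meta_runtime
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/gs64

      - name: Docker build and push server image
        uses: docker/build-push-action@v6
        with:
          context: ./source
          file: ./source/Dockerfile
          build-args: GS_VERSION=${{ matrix.version }}
          target: docker-gs64-server
          # Build only on pull_request; push everywhere else.
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.docker_meta_runtime.outputs.tags }}
          labels: ${{ steps.docker_meta_runtime.outputs.labels }}
          # Handed to the Dockerfile as a BuildKit build secret (mounted during
          # the build rather than stored in a layer). It reuses the registry
          # token; how the Dockerfile consumes GIT_AUTH_TOKEN is not visible here.
          secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}

      # GS64 server image + rowan extent (same pattern as the server image,
      # different build target and image name).
      - name: Gather docker meta data for rowan image
        id: docker_meta_runtime_rowan
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/gs64-rowan

      - name: Docker build and push rowan image
        uses: docker/build-push-action@v6
        with:
          context: ./source
          file: ./source/Dockerfile
          build-args: GS_VERSION=${{ matrix.version }}
          target: docker-gs64-rowan
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.docker_meta_runtime_rowan.outputs.tags }}
          labels: ${{ steps.docker_meta_runtime_rowan.outputs.labels }}
          secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}

      # GS64 server image + base extent0.dbf.
      - name: Gather docker meta data for base image
        id: docker_meta_runtime_base
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/gs64-base

      - name: Docker build and push base image
        uses: docker/build-push-action@v6
        with:
          context: ./source
          file: ./source/Dockerfile
          build-args: GS_VERSION=${{ matrix.version }}
          target: docker-gs64-base
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.docker_meta_runtime_base.outputs.tags }}
          labels: ${{ steps.docker_meta_runtime_base.outputs.labels }}
          secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}

      # GS64 gem image.
      - name: Gather docker meta data for gem image
        id: docker_meta_runtime_gem
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/gs64-gem

      - name: Docker build and push gem image
        uses: docker/build-push-action@v6
        with:
          context: ./source
          file: ./source/Dockerfile
          build-args: GS_VERSION=${{ matrix.version }}
          target: docker-gs64-gem
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.docker_meta_runtime_gem.outputs.tags }}
          labels: ${{ steps.docker_meta_runtime_gem.outputs.labels }}
          secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}

      # Scan for vulnerabilities. Only the server image is scanned; the rowan,
      # base and gem variants are pushed unscanned.
      - name: Run Trivy vulnerability scanner
        if: github.event_name != 'pull_request'
        # TODO(review): `@master` is a mutable ref for a third-party action
        # running in a job that holds the registry token; pin it to a release
        # tag or commit SHA like the other actions in this file.
        uses: aquasecurity/trivy-action@master
        with:
          # Scan the tag that was actually pushed. Using `github.ref_name` here
          # diverges from the pushed tag whenever metadata-action sanitises the
          # ref (e.g. a `/` in a branch name becomes `-`), which makes the pull
          # fail. `outputs.version` is metadata-action's primary tag value.
          # NOTE(review): metadata-action also lowercases the image name; if
          # `github.repository_owner` contains uppercase letters this ref will
          # still not match the pushed image — confirm for this organisation.
          image-ref: ghcr.io/${{ github.repository_owner }}/gs64:${{ steps.docker_meta_runtime.outputs.version }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          # Keep the SARIF output restricted to the severities listed above.
          limit-severities-for-sarif: true
          # Report only findings that have an available fix.
          ignore-unfixed: true

      - name: Upload Trivy scan results to GitHub Security tab
        if: github.event_name != 'pull_request'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'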