From 553601c570a6ce5d777d3846e8924c54966b495d Mon Sep 17 00:00:00 2001 From: mjanez <96422458+mjanez@users.noreply.github.com> Date: Wed, 27 Sep 2023 16:52:39 +0200 Subject: [PATCH 1/6] Update actions - Add PR build & test - Add PR closed build & push ckan-docker image --- .github/{workflows => .old}/build-master.yml | 0 .github/{workflows => .old}/build-tags.yml | 0 .github/{workflows => .old}/docker-master.yml | 10 +- .github/{workflows => .old}/docker-tags.yml | 0 .github/workflows/docker-build.yml | 78 ++++++++++++ .github/workflows/docker-pr.yml | 113 ++++++++++++++++++ 6 files changed, 196 insertions(+), 5 deletions(-) rename .github/{workflows => .old}/build-master.yml (100%) rename .github/{workflows => .old}/build-tags.yml (100%) rename .github/{workflows => .old}/docker-master.yml (85%) rename .github/{workflows => .old}/docker-tags.yml (100%) create mode 100644 .github/workflows/docker-build.yml create mode 100644 .github/workflows/docker-pr.yml diff --git a/.github/workflows/build-master.yml b/.github/.old/build-master.yml similarity index 100% rename from .github/workflows/build-master.yml rename to .github/.old/build-master.yml diff --git a/.github/workflows/build-tags.yml b/.github/.old/build-tags.yml similarity index 100% rename from .github/workflows/build-tags.yml rename to .github/.old/build-tags.yml diff --git a/.github/workflows/docker-master.yml b/.github/.old/docker-master.yml similarity index 85% rename from .github/workflows/docker-master.yml rename to .github/.old/docker-master.yml index 6fa27c89..826cb673 100644 --- a/.github/workflows/docker-master.yml +++ b/.github/.old/docker-master.yml 
@@ -20,17 +20,17 @@ jobs: steps: - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Login to registry if: github.event_name != 'pull_request' - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -43,7 +43,7 @@ jobs: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} diff --git a/.github/workflows/docker-tags.yml b/.github/.old/docker-tags.yml similarity index 100% rename from .github/workflows/docker-tags.yml rename to .github/.old/docker-tags.yml diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml new file mode 100644 index 00000000..555e7e5d --- /dev/null +++ b/.github/workflows/docker-build.yml 
@@ -0,0 +1,78 @@ +name: Build and push ckan-docker image from PR Merge + +on: + pull_request: + types: + - closed + branches: + - main + - 'ckan-*.*.*' + - '!dev/ckan-*.*.*' + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + TAG: ghcr.io/${{ github.repository }}:${{ github.head_ref }} + CONTEXT: . + BRANCH: ${{ github.head_ref }} + DOCKERFILE_PATH: /ckan + DOCKERFILE: Dockerfile + +jobs: + docker: + name: runner/build-docker-push:${{ github.head_ref }} + runs-on: ubuntu-latest + if: github.event.pull_request.merged == true + + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Check out code + uses: actions/checkout@v4 + + - name: Login to registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v4 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + labels: | + org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md + org.opencontainers.image.version=${{ env.BRANCH }} + + - name: Build and push + uses: docker/build-push-action@v5 + with: + push: true + tags: ${{ env.TAG }} + labels: ${{ steps.meta.outputs.labels }} + context: ${{ env.CONTEXT }} + file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + + - name: Linting Dockerfile with hadolint in GH Actions + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + + - name: Run Trivy container image vulnerability scanner + uses: aquasecurity/trivy-action@0.12.0 + with: + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }} + format: sarif + output: trivy-results.sarif + + - name: Upload Trivy scan results to GitHub Security tab + uses: 
github/codeql-action/upload-sarif@v2 + if: always() + with: + sarif_file: trivy-results.sarif \ No newline at end of file diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml new file mode 100644 index 00000000..ca60c187 --- /dev/null +++ b/.github/workflows/docker-pr.yml 
@@ -0,0 +1,113 @@ +name: Test ckan-docker images (PR) + +on: + pull_request: + branches: + - main + - 'ckan-*.*.*' + - '!dev/ckan-*.*.*' + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + CONTEXT: . + BRANCH: ${{ github.head_ref }} + DOCKERFILE_PATH: /ckan + DOCKERFILE: Dockerfile + HADOLINT_VERSION: 2.12.0 + +jobs: + docker: + name: runner/test-docker-pr:${{ github.head_ref }} + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Checkout + uses: actions/checkout@v4 + + - name: NGINX build + uses: docker/build-push-action@v5 + with: + context: ./nginx + file: ./nginx/Dockerfile + push: false + tags: mjanez/ckan-docker-nginx:test-build-only + + - name: Apache HTTP Server build + uses: docker/build-push-action@v5 + with: + context: ./apache + file: ./apache/Dockerfile + push: false + tags: mjanez/ckan-docker-apache:test-build-only + + - name: PostgreSQL build + uses: docker/build-push-action@v5 + with: + context: ./postgresql + file: ./postgresql/Dockerfile + push: false + tags: mjanez/ckan-docker-postgresql:test-build-only + + - name: Solr build + uses: docker/build-push-action@v5 + with: + context: ./solr + file: ./solr/Dockerfile + push: false + tags: mjanez/ckan-docker-solr:test-build-only + + - name: ckan-pycsw build + uses: docker/build-push-action@v4 + with: + context: ./ckan-pycsw + file: ./ckan-pycsw/Dockerfile + push: false + tags: mjanez/ckan-docker-pycsw:test-build-only + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v4 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + labels: | + org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md + org.opencontainers.image.version=${{ env.BRANCH }} + + - name: Build to test + uses: docker/build-push-action@v5 + id: docker-push + with: + 
push: false + tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }} + labels: ${{ steps.meta.outputs.labels }} + context: ${{ env.CONTEXT }} + file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + + - name: Linting Dockerfile and annotate code inline in the github PR viewer + id: hadolint + uses: jbergstroem/hadolint-gh-action@v1.11.0 + with: + dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + version: ${{ env.HADOLINT_VERSION }} + annotate: true + error_level: -1 + + - name: Run Trivy container image vulnerability scanner + uses: aquasecurity/trivy-action@0.12.0 + with: + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }} + format: sarif + output: trivy-results.sarif + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + sarif_file: trivy-results.sarif \ No newline at end of file From e95f2a1a210f9472d5765abfab464f17bf49d147 Mon Sep 17 00:00:00 2001 From: mjanez <96422458+mjanez@users.noreply.github.com> Date: Wed, 27 Sep 2023 16:56:16 +0200 Subject: [PATCH 2/6] Avoid */* branches test --- .github/workflows/docker-pr.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml index ca60c187..f79d72ac 100644 --- a/.github/workflows/docker-pr.yml +++ b/.github/workflows/docker-pr.yml @@ -6,6 +6,7 @@ on: - main - 'ckan-*.*.*' - '!dev/ckan-*.*.*' + - '!*/*' env: REGISTRY: ghcr.io From c8eb770920f4dd527ac278498abcf86b1b5dd8e0 Mon Sep 17 00:00:00 2001 From: mjanez <96422458+mjanez@users.noreply.github.com> Date: Wed, 27 Sep 2023 17:01:30 +0200 Subject: [PATCH 3/6] Add :test-build-only tag --- .github/workflows/docker-pr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml index f79d72ac..502e08fb 100644 --- a/.github/workflows/docker-pr.yml 
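Review bot: The Trivy step's `image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}` names an image this job never makes available: the "Build to test" step uses `push: false` without `load: true`, so with the Buildx builder the result stays in the build cache and is neither in the local daemon nor in the registry, and Trivy will either fail to find it or pull whatever already exists under that tag, which is not the PR's build. Add `load: true` to the "Build to test" step; the retagged refs introduced in patches 3/6 and 5/6 have the same gap. The `ckan-pycsw build` step pins `docker/build-push-action@v4` while every other build step uses `@v5`; align them. `error_level: -1` on the hadolint step appears to mean findings never fail the job — if a blocking lint is intended, confirm the action's threshold semantics. Because this runs on `pull_request`, fork-originated runs get a read-only token, so `upload-sarif` (which needs `security-events: write`) may be rejected there; an explicit `permissions:` block makes that expectation visible.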
+++ b/.github/workflows/docker-pr.yml @@ -86,7 +86,7 @@ jobs: id: docker-push with: push: false - tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }} + tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:test-build-only labels: ${{ steps.meta.outputs.labels }} context: ${{ env.CONTEXT }} file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} @@ -103,7 +103,7 @@ jobs: - name: Run Trivy container image vulnerability scanner uses: aquasecurity/trivy-action@0.12.0 with: - image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }} + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:test-build-only format: sarif output: trivy-results.sarif From 21b09029593c699b4230482a9e57ef6fb755bf21 Mon Sep 17 00:00:00 2001 From: mjanez <96422458+mjanez@users.noreply.github.com> Date: Wed, 27 Sep 2023 17:17:03 +0200 Subject: [PATCH 4/6] Fix docker-pr --- .github/workflows/docker-pr.yml | 11 ++++------- ckan/Dockerfile | 1 + 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml index 502e08fb..f62163ba 100644 --- a/.github/workflows/docker-pr.yml +++ b/.github/workflows/docker-pr.yml @@ -10,7 +10,7 @@ on: env: REGISTRY: ghcr.io - IMAGE_NAME: ${{ github.repository }} + IMAGE_NAME: ckan-docker-spatial CONTEXT: . BRANCH: ${{ github.head_ref }} DOCKERFILE_PATH: /ckan @@ -77,9 +77,6 @@ jobs: uses: docker/metadata-action@v4 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - labels: | - org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md - org.opencontainers.image.version=${{ env.BRANCH }} - name: Build to test uses: docker/build-push-action@v5 
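Review bot: `IMAGE_NAME: ckan-docker-spatial` drops the owner segment, so `images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}` in the metadata step resolves to `ghcr.io/ckan-docker-spatial`; GHCR references take the form `ghcr.io/<owner>/<name>`, so the tags the metadata step emits (and that Trivy later consumes via `steps.meta.outputs.tags` in patch 5/6) would not correspond to any pullable image. Use `${{ github.repository_owner }}/ckan-docker-spatial`, or keep `${{ github.repository }}` as before, and let `docker/metadata-action` lowercase it.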
@@ -88,14 +85,14 @@ jobs: push: false tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:test-build-only labels: ${{ steps.meta.outputs.labels }} - context: ${{ env.CONTEXT }} - file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + context: ./ckan + file: ./ckan/Dockerfile - name: Linting Dockerfile and annotate code inline in the github PR viewer id: hadolint uses: jbergstroem/hadolint-gh-action@v1.11.0 with: - dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + dockerfile: ./ckan/Dockerfile version: ${{ env.HADOLINT_VERSION }} annotate: true error_level: -1 diff --git a/ckan/Dockerfile b/ckan/Dockerfile index 66e9b08b..da268584 100644 --- a/ckan/Dockerfile +++ b/ckan/Dockerfile @@ -1,4 +1,5 @@ FROM ghcr.io/mjanez/ckan-base-spatial:ckan-2.9.9 +LABEL maintainer="mnl.janez@gmail.com" # Set up environment variables ENV APP_DIR=/srv/app \ From 83ecd027d2fd748c47d680718c9f5beaec94d143 Mon Sep 17 00:00:00 2001 From: mjanez <96422458+mjanez@users.noreply.github.com> Date: Wed, 27 Sep 2023 17:37:35 +0200 Subject: [PATCH 5/6] Update actions --- .github/workflows/docker-manual.yml | 6 +++--- .github/workflows/docker-pr.yml | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/docker-manual.yml b/.github/workflows/docker-manual.yml index 24ea7240..909cad5f 100644 --- a/.github/workflows/docker-manual.yml +++ b/.github/workflows/docker-manual.yml @@ -48,8 +48,8 @@ jobs: push: true tags: ${{ env.TAG }} labels: ${{ steps.meta.outputs.labels }} - context: ${{ env.CONTEXT }} - file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + context: ./ckan + file: ./ckan/Dockerfile - name: Linting Dockerfile with hadolint in GH Actions uses: hadolint/hadolint-action@v3.1.0 
@@ -59,7 +59,7 @@ jobs: - name: Run Trivy container image vulnerability scanner uses: aquasecurity/trivy-action@0.12.0 with: - image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }} + image-ref: ${{ steps.meta.outputs.tags }} format: sarif output: trivy-results.sarif diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml index f62163ba..a66409ed 100644 --- a/.github/workflows/docker-pr.yml +++ b/.github/workflows/docker-pr.yml @@ -14,7 +14,7 @@ env: CONTEXT: . BRANCH: ${{ github.head_ref }} DOCKERFILE_PATH: /ckan - DOCKERFILE: Dockerfile + DOCKERFILE: Dockerfile.ghcr HADOLINT_VERSION: 2.12.0 jobs: @@ -83,16 +83,16 @@ jobs: id: docker-push with: push: false - tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:test-build-only + tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} context: ./ckan - file: ./ckan/Dockerfile + file: ./ckan/Dockerfile.ghcr - name: Linting Dockerfile and annotate code inline in the github PR viewer id: hadolint uses: jbergstroem/hadolint-gh-action@v1.11.0 with: - dockerfile: ./ckan/Dockerfile + dockerfile: ./ckan/Dockerfile.ghcr version: ${{ env.HADOLINT_VERSION }} annotate: true error_level: -1 @@ -100,7 +100,7 @@ jobs: - name: Run Trivy container image vulnerability scanner uses: aquasecurity/trivy-action@0.12.0 with: - image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:test-build-only + image-ref: ${{ steps.meta.outputs.tags }} format: sarif output: trivy-results.sarif From 42d2ddb91c7144540f95401b3f3353d53e834d80 Mon Sep 17 00:00:00 2001 From: mjanez <96422458+mjanez@users.noreply.github.com> Date: Wed, 27 Sep 2023 18:17:59 +0200 Subject: [PATCH 6/6] Fix actions --- .github/workflows/docker-manual.yml | 6 +++--- .github/workflows/docker-pr.yml | 29 +++-------------------------- 2 files changed, 6 insertions(+), 29 deletions(-) diff --git a/.github/workflows/docker-manual.yml b/.github/workflows/docker-manual.yml index 909cad5f..24ea7240 100644 
--- a/.github/workflows/docker-manual.yml +++ b/.github/workflows/docker-manual.yml @@ -48,8 +48,8 @@ jobs: push: true tags: ${{ env.TAG }} labels: ${{ steps.meta.outputs.labels }} - context: ./ckan - file: ./ckan/Dockerfile + context: ${{ env.CONTEXT }} + file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} - name: Linting Dockerfile with hadolint in GH Actions uses: hadolint/hadolint-action@v3.1.0 @@ -59,7 +59,7 @@ jobs: - name: Run Trivy container image vulnerability scanner uses: aquasecurity/trivy-action@0.12.0 with: - image-ref: ${{ steps.meta.outputs.tags }} + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }} format: sarif output: trivy-results.sarif diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml index a66409ed..f9a6a52e 100644 --- a/.github/workflows/docker-pr.yml +++ b/.github/workflows/docker-pr.yml @@ -14,7 +14,7 @@ env: CONTEXT: . BRANCH: ${{ github.head_ref }} DOCKERFILE_PATH: /ckan - DOCKERFILE: Dockerfile.ghcr + DOCKERFILE: Dockerfile HADOLINT_VERSION: 2.12.0 jobs: 
@@ -78,34 +78,11 @@ jobs: with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - name: Build to test - uses: docker/build-push-action@v5 - id: docker-push - with: - push: false - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - context: ./ckan - file: ./ckan/Dockerfile.ghcr - - name: Linting Dockerfile and annotate code inline in the github PR viewer id: hadolint uses: jbergstroem/hadolint-gh-action@v1.11.0 with: - dockerfile: ./ckan/Dockerfile.ghcr + dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} version: ${{ env.HADOLINT_VERSION }} annotate: true - error_level: -1 - - - name: Run Trivy container image vulnerability scanner - uses: aquasecurity/trivy-action@0.12.0 - with: - image-ref: ${{ steps.meta.outputs.tags }} - format: sarif - output: trivy-results.sarif - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - if: always() - with: - sarif_file: trivy-results.sarif \ No newline at end of file + error_level: -1 \ No newline at end of file
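Review bot: Removing the "Build to test", Trivy and upload-sarif steps leaves the PR workflow with no build of the `ckan` image and no vulnerability scan, so the only remaining gate is hadolint — and with `error_level: -1` that lint appears never to fail the job, meaning nothing in this workflow can block a PR any more. If the steps were dropped because Trivy could not find the locally built image, the fix is `load: true` on the build step rather than deleting the scan; the `id: meta` metadata step is now kept while nothing consumes its outputs. The file also ends without a trailing newline.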