Security optimizations for the container base image #497
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Base Container Image | |
| on: | |
| push: | |
| branches: | |
| - 'develop' | |
| - 'master' | |
| paths: | |
| - 'modules/container-base/**' | |
| - 'modules/dataverse-parent/pom.xml' | |
| - '.github/workflows/container_base_push.yml' | |
| pull_request: | |
| branches: | |
| - 'develop' | |
| - 'master' | |
| paths: | |
| - 'modules/container-base/**' | |
| - 'modules/dataverse-parent/pom.xml' | |
| - '.github/workflows/container_base_push.yml' | |
| schedule: | |
| - cron: '23 3 * * 0' # Run for 'develop' every Sunday at 03:23 UTC | |
| env: | |
| IMAGE_TAG: unstable | |
| PLATFORMS: linux/amd64,linux/arm64 | |
| jobs: | |
| build: | |
| name: Build image | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: read | |
| strategy: | |
| matrix: | |
| jdk: [ '17' ] | |
| # Only run in upstream repo - avoid unnecessary runs in forks | |
| if: ${{ github.repository_owner == 'IQSS' }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| - name: Set up JDK ${{ matrix.jdk }} | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: ${{ matrix.jdk }} | |
| distribution: 'adopt' | |
| - name: Cache Maven packages | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.m2 | |
| key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: ${{ runner.os }}-m2 | |
| - name: Build base container image with local architecture | |
| run: mvn -f modules/container-base -Pct package | |
| # Run anything below only if this is not a pull request. | |
| # Accessing, pushing tags etc. to DockerHub will only succeed in upstream because secrets. | |
| - if: ${{ github.event_name == 'push' && github.ref_name == 'develop' }} | |
| name: Push description to DockerHub | |
| uses: peter-evans/dockerhub-description@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| repository: gdcc/base | |
| short-description: "Dataverse Base Container image providing Payara application server and optimized configuration" | |
| readme-filepath: ./modules/container-base/README.md | |
| - if: ${{ github.event_name != 'pull_request' }} | |
| name: Log in to the Container registry | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - if: ${{ github.event_name != 'pull_request' }} | |
| name: Set up QEMU for multi-arch builds | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Re-set image tag based on branch | |
| if: ${{ github.ref_name == 'master' }} | |
| run: echo "IMAGE_TAG=alpha" >> $GITHUB_ENV | |
| - if: ${{ github.event_name != 'pull_request' }} | |
| name: Deploy multi-arch base container image to Docker Hub | |
| run: mvn -f modules/container-base -Pct deploy -Dbase.image.tag=${{ env.IMAGE_TAG }} -Ddocker.platforms=${{ env.PLATFORMS }} | |
| push-app-img: | |
| name: "Rebase & Publish App Image" | |
| permissions: | |
| contents: read | |
| packages: write | |
| pull-requests: write | |
| needs: build | |
| # We do not release a new base image for pull requests, so do not trigger. | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: ./.github/workflows/container_app_push.yml | |
| secrets: inherit |