-
Notifications
You must be signed in to change notification settings - Fork 12
135 lines (120 loc) · 4.82 KB
/
Build_Push_Image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
name: Build and Push Image
on:
push:
branches:
- main
pull_request:
branches:
- main
# have the ability to trigger this workflow manually
workflow_dispatch:
jobs:
build:
name: Build and push image
runs-on: ubuntu-20.04
permissions:
contents: write
steps:
- uses: actions/checkout@v3
- name: Tag Name
id: tag_name
run: |
if [ "${{ github.event_name }}" == "pull_request" ]; then
echo "IMAGE_TAGS=pr-${{ github.event.pull_request.number }}.$(date +'%Y%m%d%H%M') pr-${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
echo "LABEL quay.expires-after=3d" >> ./wisdom-service.Containerfile # tag expires in 3 days
elif [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
echo "IMAGE_TAGS=${{ github.ref_name }}-$( git rev-parse --short HEAD ).$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
else
echo "IMAGE_TAGS=latest $(cat ./.version).$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
fi
echo "sha-short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
echo "sha-long=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
- name: Retrieve ari knowledge base from s3
run: |
aws s3 cp --only-show-errors --recursive ${KB_ARI_PATH}/data ari/kb/data
aws s3 cp --only-show-errors --recursive ${KB_ARI_PATH}/rules ari/kb/rules
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
KB_ARI_PATH: ${{ secrets.KB_ARI_PATH }}
- name: Free space on build machine
run: |
rm -rf /opt/hostedtoolcache/Java*
rm -rf /opt/hostedtoolcache/Ruby*
rm -rf /opt/hostedtoolcache/Go*
rm -rf /opt/hostedtoolcache/node*
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
- name: Remove the pre-cached Docker images
run: docker image prune --all --force
- name: Build Image
id: build-image
uses: redhat-actions/buildah-build@v2
with:
image: wisdom-service
tags: ${{ steps.tag_name.outputs.IMAGE_TAGS }}
containerfiles: |
./wisdom-service.Containerfile
labels: |
sha-short=${{ steps.tag_name.outputs.sha-short }}
sha-long=${{ steps.tag_name.outputs.sha-long }}
build-args: |
IMAGE_TAGS=${{ steps.tag_name.outputs.IMAGE_TAGS }}
GIT_COMMIT=${{ steps.tag_name.outputs.sha-long }}
extra-args: |
--target=production
--ulimit nofile=4096
- name: Scan Malware
# Do not scan malware in PR builds
if: ${{ github.event_name == 'push' }}
run: |
id=$(podman create $CLAMAV_DB_IMAGE)
podman cp $id:$CLAMAV_DB_DIR clamav-db
podman rm -v $id
podman build -f ./wisdom-service-clamav.Containerfile -t wisdom-service-clamav .
echo '```' > clamav.md
podman run -t wisdom-service-clamav | tee -a clamav.md
echo '```' >> clamav.md
env:
CLAMAV_DB_IMAGE: quay.io/redhat-appstudio/clamav-db:latest
CLAMAV_DB_DIR: /var/lib/clamav
- name: Get Comment Body
id: get-comment-body
# https://github.com/marketplace/actions/commit-comment#setting-the-comment-body-from-a-file
if: ${{ github.event_name == 'push' }}
run: |
body="$(cat clamav.md)"
delimiter="$(openssl rand -hex 8)"
echo "body<<$delimiter" >> $GITHUB_OUTPUT
echo "$body" >> $GITHUB_OUTPUT
echo "$delimiter" >> $GITHUB_OUTPUT
- name: Add Malware Scanning Commit Comment
if: ${{ github.event_name == 'push' }}
uses: peter-evans/commit-comment@v2
with:
body: ${{ steps.get-comment-body.outputs.body }}
- name: Push To quay.io
id: push-to-quay
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.build-image.outputs.image }}
tags: ${{ steps.build-image.outputs.tags }}
registry: quay.io/ansible
username: ${{ secrets.QUAY_USER }}
password: ${{ secrets.QUAY_TOKEN }}
- name: Print image url
run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}"
- name: Report to slack
id: slack
uses: slackapi/[email protected]
with:
# For posting a rich message using Block Kit
payload: |
{
"text": "wisdom service image build result: ${{ job.status }}\nimage tag: ${{ steps.build-image.outputs.tags }}\nlink to action: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
if: ${{ always() }}