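---
# Composite action: build a container image, check it for leaked GitHub OIDC
# credential files, optionally push + sign it, and run a vulnerability scan.
name: "Build docker image"
description: "Build a docker image"
inputs:
  # NOTE(review): the key keeps its original (misspelled) name so existing
  # callers that pass `runner_platorm` keep working; the build step below now
  # reads this same key (it previously read the non-existent `runner_platform`).
  runner_platorm:
    description: "Platform of the github runner for build testing"
    required: false
    default: "linux/amd64"
  platforms:
    description: "Image platform(s)"
    required: true
    default: "linux/amd64"
  context:
    description: "Dockerfile Build context path"
    required: true
  dockerfile:
    description: "Dockerfile path"
    required: true
  push:
    description: "Push the image to the remote repository. Requires to be pre-authenticated to the registry. Either push or load must be true"
    required: true
    default: "true"
  build-args:
    description: "List of build-time variables"
    required: false
  registry:
    description: "Registry to push the image to"
    required: true
  tags:
    description: "CSV list of tags to apply to the image"
    required: true
    default: "latest"
runs:
  using: "composite"
  steps:
    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3
    - name: Conditionally format tags with full image + repo definition
      id: process_tags
      shell: bash
      # Caller-controlled inputs are passed through the environment instead of
      # being interpolated into the script text, so their content cannot change
      # the shell code that runs.
      env:
        REGISTRY: ${{ inputs.registry }}
        RAW_TAGS: ${{ inputs.tags }}
      run: |
        set -euo pipefail
        processed_tags=()
        # Split the tag field on commas; `read` consumes a single line, so a
        # newline in the input ends the list rather than reaching GITHUB_OUTPUT.
        IFS=',' read -ra tags <<< "$RAW_TAGS"
        for tag in "${tags[@]:-}"; do
          # Skip empty fields (e.g. a trailing comma or an empty input).
          if [ -z "$tag" ]; then
            continue
          fi
          case "$tag" in
            *:*)
              # Tag already carries a registry/repo; pass it through untouched.
              processed_tags+=("$tag")
              ;;
            *)
              # Bare tag: prefix it with the full registry + repo definition.
              processed_tags+=("$REGISTRY:$tag")
              ;;
          esac
        done
        if [ "${#processed_tags[@]}" -eq 0 ]; then
          echo "::error::No tags could be derived from the 'tags' input"
          exit 1
        fi
        # Join into CSV for docker/build-push-action, without a trailing comma.
        output_str=$(IFS=','; printf '%s' "${processed_tags[*]}")
        # The first tag doubles as the local image reference for the Trivy scan.
        echo "first_tag=${processed_tags[0]}" >> "$GITHUB_OUTPUT"
        echo "processed=$output_str" >> "$GITHUB_OUTPUT"
        echo "::debug::processed_tags=${processed_tags[*]}"
        echo "::debug::output_str=$output_str"
        echo "::debug::first_tag=${processed_tags[0]}"
    - name: Build container image
      uses: docker/build-push-action@v6
      id: docker-build
      with:
        # `load: true` yields a single local image, so this build targets the
        # runner's platform rather than the (possibly multi-arch) target list.
        platforms: ${{ inputs.runner_platorm }}
        file: ${{ inputs.dockerfile }}
        context: ${{ inputs.context }}
        cache-from: type=registry,ref=${{ inputs.registry }}:buildcache
        cache-to: type=local,dest=cache
        tags: ${{ steps.process_tags.outputs.processed }}
        load: true
        build-args: ${{ inputs.build-args }}
    - name: Scan for OIDC credentials
      shell: bash
      env:
        IMAGE_ID: ${{ steps.docker-build.outputs.imageid }}
      run: |
        echo ":Scanning for oidc credentials"
        set -euo pipefail
        # A failed `docker create` must fail the step: with the previous
        # `set +e` it silently counted as "no credentials found".
        docker create --name tmp_container "$IMAGE_ID" >/dev/null
        # Always remove the throwaway container, even when the scan fails.
        trap 'docker rm -f tmp_container >/dev/null 2>&1 || true' EXIT
        listing=$(docker export tmp_container | tar tf -)
        # grep -c exits 1 when nothing matches; that is the expected good case.
        found=$(grep -c -e 'gha-creds-.*\.json' <<< "$listing" || true)
        if [ "$found" -ge 1 ]; then
          echo "::error::Found oidc credentials"
          echo "::notice::Add the following line to your .dockerignore file"
          echo "::notice::gha-creds-*.json"
          exit 1
        fi
    - name: Build and push
      # The comparison must sit inside ${{ }}: `${{ inputs.push }} == 'true'`
      # renders to the non-empty string "true == 'true'", which is always truthy,
      # so the step ran regardless of the input.
      if: ${{ inputs.push == 'true' }}
      uses: docker/build-push-action@v6
      id: docker-build-push
      with:
        platforms: ${{ inputs.platforms }}
        file: ${{ inputs.dockerfile }}
        context: ${{ inputs.context }}
        push: ${{ fromJSON(inputs.push) }}
        tags: ${{ steps.process_tags.outputs.processed }}
        build-args: ${{ inputs.build-args }}
        cache-from: type=local,src=cache
        cache-to: type=registry,ref=${{ inputs.registry }}:buildcache,mode=max
        provenance: true
    # NOTE(review): a branch ref such as `main` is a moving target for the
    # signing tool; pin to a release tag or, better, a commit SHA.
    - uses: sigstore/cosign-installer@v3
    - name: Sign container image
      # Only a pushed image has a registry digest to sign; without this guard
      # the step fails with an empty digest when push is 'false'.
      if: ${{ inputs.push == 'true' }}
      env:
        COSIGN_EXPERIMENTAL: "true"
        IMAGE_REF: ${{ inputs.registry }}@${{ steps.docker-build-push.outputs.digest }}
      shell: bash
      run: |
        set -euo pipefail
        # Sign by digest, never by mutable tag.
        cosign sign --yes "$IMAGE_REF"
    - name: Run Trivy vulnerability scanner
      # NOTE(review): continue-on-error means findings never fail the build;
      # remove it if the scan is meant to gate the pipeline.
      continue-on-error: true
      # NOTE(review): this `uses` ref was garbled during extraction
      # ("[email protected]"); restore the real owner/repo@version (pinned) before use.
      uses: celo-org/[email protected]
      with:
        image-ref: ${{ steps.process_tags.outputs.first_tag }}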