-
Notifications
You must be signed in to change notification settings - Fork 8
152 lines (135 loc) · 5.1 KB
/
container-build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
name: Reusable Container Build
on:
workflow_call:
inputs:
build-version:
description: "Version of Logprep to build"
required: true
type: string
tags:
description: "Tags to apply to the image"
required: true
type: string
jobs:
containerbuild:
timeout-minutes: 20
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.11", "3.12", "3.13"]
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up SSH
uses: MrSquaare/ssh-setup-action@v3
with:
host: ${{ secrets.DOCKER_BUILD_SERVER_01 }}
private-key: ${{ secrets.DOCKER_BUILD_SERVER_IDENTITY_FILE }}
- name: Set up SSH
uses: MrSquaare/ssh-setup-action@v3
with:
host: ${{ secrets.DOCKER_BUILD_SERVER_02 }}
private-key: ${{ secrets.DOCKER_BUILD_SERVER_IDENTITY_FILE }}
- name: Set up Docker
uses: docker/setup-docker-action@v4
with:
daemon-config: |
{
"features": {
"containerd-snapshotter": true
}
}
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate Image Tags
id: image-tag
run: |
python - <<EOF
import os
image = "ghcr.io/fkie-cad/logprep"
version = "${{ matrix.python-version }}"
tags = "${{ inputs.tags }}".split(",")
full_image = [f"{image}:py{version}-{tag.strip()}" for tag in tags]
with open(os.environ['GITHUB_OUTPUT'], 'a') as file:
file.write(f"tags={', '.join(full_image)}")
EOF
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver: docker-container
platforms: linux/amd64
append: |
- endpoint: ssh://root@${{ secrets.DOCKER_BUILD_SERVER_01 }}
platforms: linux/arm64
- endpoint: ssh://root@${{ secrets.DOCKER_BUILD_SERVER_02 }}
platforms: linux/arm64
- name: Build image and push to registry
uses: docker/build-push-action@v6
id: build-and-push
with:
context: .
push: true
build-args: |
LOGPREP_VERSION=${{ inputs.build-version }}
PYTHON_VERSION=${{ matrix.python-version }}
tags: ${{ steps.image-tag.outputs.tags }}
platforms: "linux/arm64,linux/amd64"
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Extract image ID from sha256
id: pushed-imageid
run: |
python - <<EOF
import os
imageid = "${{ steps.build-and-push.outputs.ImageID }}"
digest = "${{ steps.build-and-push.outputs.Digest }}"
with open(os.environ['GITHUB_OUTPUT'], 'a') as file:
file.write(f"digest={digest.split(':')[1]}")
file.write(f"imageid={imageid.split(':')[1]}")
EOF
- name: Install Cosign
uses: sigstore/[email protected]
with:
cosign-release: "v2.4.1"
- name: Create SBOM of container image
uses: anchore/sbom-action@v0
with:
image: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.Digest }}
artifact-name: logprep@${{ steps.pushed-imageid.outputs.digest }}.spdx.json
output-file: logprep@${{ steps.pushed-imageid.outputs.digest }}.spdx.json
- name: Sign image with a key and add sbom attestation
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate logprep@${{ steps.pushed-imageid.outputs.digest }}.spdx.json ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
# To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get date
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
- name: Restore trivy cache
uses: actions/cache@v4
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys: trivy-cache-
- name: Scan image using Trivy
uses: aquasecurity/[email protected]
env:
TRIVY_CACHE_DIR: ./cache
TRIVY_PLATFORM: linux/amd64
with:
scan-type: image
image-ref: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
trivy-config: trivy.yaml
# Trivy-db uses `0600` permissions.
# But `action/cache` use `runner` user by default
# So we need to change the permissions before caching the database.
- name: Change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db