From 12bd06bbcc5029412a38835f45a7eb70f741b05c Mon Sep 17 00:00:00 2001
From: dtrai2
Date: Tue, 17 Dec 2024 13:41:10 +0100
Subject: [PATCH] refactor: replace container build steps with reusable workflow
- Centralized container build logic into a reusable workflow file.
- Simplified workflow definitions in CI, PyPI, and GitHub release pipelines.
- Improved maintainability by eliminating duplicate container build steps.
---
 .github/workflows/ci.yml | 99 +----------------
 .github/workflows/container-build.yml | 105 ++++++++++++++++++
 .../publish-latest-dev-release-to-github.yml | 35 ++----
 .github/workflows/publish-release-to-pypi.yml | 85 ++------------
 4 files changed, 124 insertions(+), 200 deletions(-)
 create mode 100644 .github/workflows/container-build.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d1acc1835..02107d626 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -94,97 +94,8 @@ jobs: uses: codecov/codecov-action@v2 containerbuild: - strategy: - fail-fast: false - matrix: - python-version: ["3.10", "3.11", "3.12"] - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build image and export to Docker - uses: docker/build-push-action@v6 - with: - context: . - load: true - build-args: | - LOGPREP_VERSION=dev - PYTHON_VERSION=${{ matrix.python-version }} - tags: | - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} - - - name: Ensure logprep is available in image - run: | - docker run --rm ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} --version - - # This step will build the image again, but every layer will already be cached, so it is nearly instantaneous. - - name: Push image - uses: docker/build-push-action@v6 - id: build-and-push - with: - context: . 
- push: true - build-args: | - LOGPREP_VERSION=dev - PYTHON_VERSION=${{ matrix.python-version }} - tags: | - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} - - - name: Install Cosign - uses: sigstore/cosign-installer@v3.7.0 - with: - cosign-release: 'v2.4.1' - - - name: Create SBOM of container image - uses: anchore/sbom-action@v0 - with: - image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }} - artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json - output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json - - - name: Sign image with a key and add sbom attestation - run: | - cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST} - cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST} - env: - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - - # To avoid the trivy-db becoming outdated, we save the cache for one day - - name: Get date - id: date - run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT - - - name: Restore trivy cache - uses: actions/cache@v4 - with: - path: cache/db - key: trivy-cache-${{ steps.date.outputs.date }} - restore-keys: - trivy-cache- - - - name: Scan image using Trivy - uses: aquasecurity/trivy-action@0.24.0 - env: - TRIVY_CACHE_DIR: ./cache - with: - scan-type: image - image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} - trivy-config: trivy.yaml - - # Trivy-db uses `0600` permissions. - # But `action/cache` use `runner` user by default - # So we need to change the permissions before caching the database. 
- - name: Change permissions for trivy.db - run: sudo chmod 0644 ./cache/db/trivy.db + uses: ./.github/workflows/container-build.yml + with: + build-version: dev + tags: | + ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml new file mode 100644 index 000000000..45fa77352 --- /dev/null +++ b/.github/workflows/container-build.yml 
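Review bot: The `tags:` value on the last added line still interpolates `${{ matrix.python-version }}`, but this job no longer has a `strategy.matrix` — it was deleted above and now lives inside container-build.yml — so in the caller's context the expression expands to an empty string and all three matrix legs build, push, sign and attest the single tag `ghcr.io/fkie-cad/logprep:py-<head_ref>`, each overwriting the previous one. A caller cannot see the callee's matrix, so pass only the branch-specific part (e.g. `tag-suffix: ${{ github.head_ref }}`) and let the reusable workflow prepend `py${{ matrix.python-version }}-` itself. The reusable workflow also reads `secrets.COSIGN_PRIVATE_KEY` and `secrets.COSIGN_PASSWORD`, which a called workflow does not receive unless the caller passes them, so add `secrets: inherit` (or the two named secrets) next to `with:`; otherwise signing fails after the image is already pushed. The `fail-fast: false` that the removed job had is also dropped, so one failing Python version now cancels the other legs.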
@@ -0,0 +1,105 @@ +name: Reusable Container Build + +on: + workflow_call: + inputs: + build-version: + description: "Version of Logprep to build" + required: true + type: string + tags: + description: "Tags to apply to the image" + required: true + type: array + +jobs: + containerbuild: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: [ "3.10", "3.11", "3.12" ] + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build image and export to Docker + uses: docker/build-push-action@v6 + id: build-and-push + with: + context: . + load: true + build-args: | + LOGPREP_VERSION=${{ inputs.build-version }} + PYTHON_VERSION=${{ matrix.python-version }} + tags: ${{ join(inputs.tags, '\n') }} + + - name: Ensure logprep is available in image + run: | + docker run --rm ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }} --version + + - name: Push image + uses: docker/build-push-action@v6 + with: + context: . 
+ push: true + build-args: | + LOGPREP_VERSION=${{ inputs.build-version }} + PYTHON_VERSION=${{ matrix.python-version }} + tags: ${{ join(inputs.tags, '\n') }} + + - name: Install Cosign + uses: sigstore/cosign-installer@v3.7.0 + with: + cosign-release: 'v2.4.1' + + - name: Create SBOM of container image + uses: anchore/sbom-action@v0 + with: + image: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }} + artifact-name: logprep@${{ steps.build-and-push.outputs.digest }}.spdx.json + output-file: logprep@${{ steps.build-and-push.outputs.digest }}.spdx.json + + - name: Sign image with a key and add sbom attestation + run: | + cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }} + cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate logprep@${{ steps.build-and-push.outputs.digest }}.spdx.json ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }} + env: + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + + # To avoid the trivy-db becoming outdated, we save the cache for one day + - name: Get date + id: date + run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT + + - name: Restore trivy cache + uses: actions/cache@v4 + with: + path: cache/db + key: trivy-cache-${{ steps.date.outputs.date }} + restore-keys: + trivy-cache- + + - name: Scan image using Trivy + uses: aquasecurity/trivy-action@0.24.0 + env: + TRIVY_CACHE_DIR: ./cache + with: + scan-type: image + image-ref: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }} + trivy-config: trivy.yaml + + # Trivy-db uses `0600` permissions. + # But `action/cache` use `runner` user by default + # So we need to change the permissions before caching the database. + - name: Change permissions for trivy.db + run: sudo chmod 0644 ./cache/db/trivy.db 
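Review bot: `id: build-and-push` now sits on the `load: true` step instead of the `push: true` step, so every `steps.build-and-push.outputs.digest` reference below — the smoke test, the SBOM, `cosign sign`/`cosign attest` and the Trivy scan — uses the identifier of the locally loaded image rather than the digest of the manifest actually pushed to ghcr.io; cosign would be asked to sign `ghcr.io/fkie-cad/logprep@<local digest>`, which is unlikely to resolve in the registry, and in any case the signature and SBOM attestation would not be bound to the published artifact. In the `workflow_call` header, `type: array` is not an accepted input type (only `boolean`, `number` and `string` exist) and `join(inputs.tags, '\n')` on a string is a no-op whose `'\n'` is two literal characters, so declare `tags` as a newline-separated `string` and pass `${{ inputs.tags }}` through unchanged. The workflow reads `secrets.COSIGN_PRIVATE_KEY`/`COSIGN_PASSWORD` without declaring them under `workflow_call.secrets`, so a caller that does not use `secrets: inherit` gets empty values and signing fails only after `push: true` has already made the tag live — declaring them `required: true` makes the omission a validation error instead. The `artifact-name` `logprep@sha256:….spdx.json` contains `:`, which upload-artifact rejects as an invalid artifact-name character; the old `py<ver>-<ref>.spdx.json` form was safe. Consider also moving the Trivy scan before the push so a failing scan gates publication rather than reporting on an image that is already public.
```yaml
on:
  workflow_call:
    inputs:
      build-version:
        description: "Version of Logprep to build"
        required: true
        type: string
      tags:
        # Newline-separated list; callers cannot reference this workflow's matrix.
        description: "Tags to apply to the image (one per line)"
        required: true
        type: string
    secrets:
      COSIGN_PRIVATE_KEY:
        required: true
      COSIGN_PASSWORD:
        required: true

# … unchanged: jobs.containerbuild header, matrix, checkout, registry login …

      - name: Build image and export to Docker
        uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          build-args: |
            LOGPREP_VERSION=${{ inputs.build-version }}
            PYTHON_VERSION=${{ matrix.python-version }}
          tags: ${{ inputs.tags }}

      - name: Ensure logprep is available in image
        env:
          TAGS: ${{ inputs.tags }}
        run: |
          docker run --rm "$(printf '%s\n' "$TAGS" | head -n1)" --version

      - name: Push image
        uses: docker/build-push-action@v6
        id: build-and-push   # digest of the pushed manifest is what cosign/SBOM/Trivy must use
        with:
          context: .
          push: true
          build-args: |
            LOGPREP_VERSION=${{ inputs.build-version }}
            PYTHON_VERSION=${{ matrix.python-version }}
          tags: ${{ inputs.tags }}

# … unchanged: cosign install, SBOM, sign/attest, trivy cache and scan …
```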
diff --git a/.github/workflows/publish-latest-dev-release-to-github.yml b/.github/workflows/publish-latest-dev-release-to-github.yml index 0c49be251..756732272 100644 --- a/.github/workflows/publish-latest-dev-release-to-github.yml +++ b/.github/workflows/publish-latest-dev-release-to-github.yml @@ -47,31 +47,10 @@ jobs: LICENSE containerbuild: - strategy: - matrix: - python-version: ["3.10", "3.11", "3.12"] - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build images - uses: docker/build-push-action@v3 - with: - context: . - push: true # Will only build if this is not here - build-args: | - LOGPREP_VERSION=latest - PYTHON_VERSION=${{ matrix.python-version }} - tags: | - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-main - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-latest + uses: ./.github/workflows/container-build.yml + needs: create-github-prerelease + with: + build-version: ${{ github.ref_name }} + tags: | + ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-main + ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-latest diff --git a/.github/workflows/publish-release-to-pypi.yml b/.github/workflows/publish-release-to-pypi.yml index e5057661e..27834e772 100644 --- a/.github/workflows/publish-release-to-pypi.yml +++ b/.github/workflows/publish-release-to-pypi.yml 
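Review bot: The `tags:` block passes `${{ matrix.python-version }}` from the caller, where no matrix exists any more (it was removed from this job and is defined only inside container-build.yml), so it expands to empty and the three matrix legs all push `ghcr.io/fkie-cad/logprep:py-main` and `py-latest`, overwriting one another; the per-version tags consumers pull (`py3.12-latest` and friends) are no longer produced. `build-version` also changes from the previous hard-coded `latest` to `${{ github.ref_name }}`, which on a push to `main` would bake `main` into `LOGPREP_VERSION` — confirm that is intended rather than copied from the release caller. As with the other callers, add `secrets: inherit` next to `with:` so the signing key is actually available to the reusable workflow, and pass only the ref-specific suffix so the callee can prefix `py<version>-` itself.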
@@ -60,82 +60,11 @@ jobs: uses: pypa/gh-action-pypi-publish@release/v1 containerbuild: - strategy: - matrix: - python-version: ["3.10", "3.11", "3.12"] - - runs-on: ubuntu-latest + uses: ./.github/workflows/container-build.yml needs: publish-latest-release-to-pypi - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build images - uses: docker/build-push-action@v3 - with: - context: . - push: true # Will only build if this is not here - build-args: | - LOGPREP_VERSION=${{ github.ref_name }} - PYTHON_VERSION=${{ matrix.python-version }} - tags: | - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.ref_name }} - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-stable - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-latest - - - name: Install Cosign - uses: sigstore/cosign-installer@v3.7.0 - with: - cosign-release: 'v2.4.1' - - - name: Create SBOM of container image - uses: anchore/sbom-action@v0 - with: - image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }} - artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json - output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json - - - name: Sign image with a key and add sbom attestation - run: | - cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST} - cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST} - env: - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - DIGEST: ${{ 
steps.build-and-push.outputs.digest }} - - # To avoid the trivy-db becoming outdated, we save the cache for one day - - name: Get date - id: date - run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT - - - name: Restore trivy cache - uses: actions/cache@v4 - with: - path: cache/db - key: trivy-cache-${{ steps.date.outputs.date }} - restore-keys: - trivy-cache- - - - name: Scan image using Trivy - uses: aquasecurity/trivy-action@0.24.0 - env: - TRIVY_CACHE_DIR: ./cache - with: - scan-type: image - image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} - trivy-config: trivy.yaml - - # Trivy-db uses `0600` permissions. - # But `action/cache` use `runner` user by default - # So we need to change the permissions before caching the database. - - name: Change permissions for trivy.db - run: sudo chmod 0644 ./cache/db/trivy.db + with: + build-version: ${{ github.ref_name }} + tags: | + ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.ref_name }} + ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-stable + ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-latest
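Review bot: This caller passes no secrets to the reusable workflow, so `secrets.COSIGN_PRIVATE_KEY` and `secrets.COSIGN_PASSWORD` would be empty inside container-build.yml and `cosign sign` would fail only after `push: true` has already run — for a release pipeline that leaves `py…-stable` and `py…-latest` live and unsigned; add `secrets: inherit` (or the two named secrets) beside `with:`. The `tags:` values also reference `${{ matrix.python-version }}`, which is undefined in the caller's context now that the matrix lives in the called workflow, so they collapse to `py-<ref_name>`, `py-stable` and `py-latest` with the last matrix leg overwriting the others. Passing only the ref-specific suffix and letting container-build.yml add the `py<version>-` prefix fixes this here and in the dev-release caller in the same way.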