replace container build steps with reusable workflow (#732)

* refactor: replace container build steps with reusable workflow - Centralized container build logic into a reusable workflow file. - Simplified workflow definitions in CI, PyPI, and GitHub release pipelines. - Improved maintainability by eliminating duplicate container build steps.
fkie-cad · Dec 17, 2024 · 1791db8 · 1791db8
1 parent ca065f9
commit 1791db8
Show file tree

Hide file tree

Showing 4 changed files with 145 additions and 200 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -94,97 +94,8 @@ jobs:
         uses: codecov/codecov-action@v2
 
   containerbuild:
-    strategy:
-      fail-fast: false
-      matrix:
-        python-version: ["3.10", "3.11", "3.12"]
-
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build image and export to Docker
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          load: true
-          build-args: |
-            LOGPREP_VERSION=dev
-            PYTHON_VERSION=${{ matrix.python-version }}
-          tags: |
-            ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
-
-      - name: Ensure logprep is available in image
-        run: |
-          docker run --rm ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} --version
-
-      # This step will build the image again, but every layer will already be cached, so it is nearly instantaneous.
-      - name: Push image
-        uses: docker/build-push-action@v6
-        id: build-and-push
-        with:
-          context: .
-          push: true
-          build-args: |
-            LOGPREP_VERSION=dev
-            PYTHON_VERSION=${{ matrix.python-version }}
-          tags: |
-            ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
-
-      - name: Install Cosign
-        uses: sigstore/[email protected]
-        with:
-          cosign-release: 'v2.4.1'
-
-      - name: Create SBOM of container image
-        uses: anchore/sbom-action@v0
-        with:
-          image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }}
-          artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
-          output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
-
-      - name: Sign image with a key and add sbom attestation
-        run: |
-          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
-          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
-        env:
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-          DIGEST: ${{ steps.build-and-push.outputs.digest }}
-
-      # To avoid the trivy-db becoming outdated, we save the cache for one day
-      - name: Get date
-        id: date
-        run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
-
-      - name: Restore trivy cache
-        uses: actions/cache@v4
-        with:
-          path: cache/db
-          key: trivy-cache-${{ steps.date.outputs.date }}
-          restore-keys:
-            trivy-cache-
-
-      - name: Scan image using Trivy
-        uses: aquasecurity/[email protected]
-        env:
-          TRIVY_CACHE_DIR: ./cache
-        with:
-          scan-type: image
-          image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
-          trivy-config: trivy.yaml
-
-      # Trivy-db uses `0600` permissions.
-      # But `action/cache` use `runner` user by default
-      # So we need to change the permissions before caching the database.
-      - name: Change permissions for trivy.db
-        run: sudo chmod 0644 ./cache/db/trivy.db
+    uses: ./.github/workflows/container-build.yml
+    secrets: inherit
+    with:
+      build-version: dev
+      tags: "${{ github.head_ref }}"
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -0,0 +1,129 @@
+name: Reusable Container Build
+
+on:
+  workflow_call:
+    inputs:
+      build-version:
+        description: "Version of Logprep to build"
+        required: true
+        type: string
+      tags:
+        description: "Tags to apply to the image"
+        required: true
+        type: string
+
+jobs:
+  containerbuild:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: [ "3.10", "3.11", "3.12" ]
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate Image Tags
+        id: image-tag
+        run: |
+          python - <<EOF
+          import os
+          image = "ghcr.io/fkie-cad/logprep"
+          version = "${{ matrix.python-version }}"
+          tags = "${{ inputs.tags }}".split(",")
+          full_image = [f"{image}:py{version}-{tag.strip()}" for tag in tags]
+          with open(os.environ['GITHUB_OUTPUT'], 'a') as file:
+              file.write(f"tags={', '.join(full_image)}")
+          EOF
+
+      - name: Build image and export to Docker
+        uses: docker/build-push-action@v6
+        id: build
+        with:
+          context: .
+          load: true
+          build-args: |
+            LOGPREP_VERSION=${{ inputs.build-version }}
+            PYTHON_VERSION=${{ matrix.python-version }}
+          tags: ${{ steps.image-tag.outputs.tags }}
+
+      - name: Extract image ID from sha256
+        id: imageid
+        run: |
+          python - <<EOF
+          import os
+          digest = "${{ steps.build.outputs.ImageID }}"
+          with open(os.environ['GITHUB_OUTPUT'], 'a') as file:
+              file.write(f"imageid={digest.split(':')[1]}")
+          EOF
+
+      - name: Ensure logprep is available in image
+        run: |
+          docker run --rm ${{ steps.imageid.outputs.imageid }} --version
+
+      - name: Push image
+        uses: docker/build-push-action@v6
+        id: build-and-push
+        with:
+          context: .
+          push: true
+          build-args: |
+            LOGPREP_VERSION=${{ inputs.build-version }}
+            PYTHON_VERSION=${{ matrix.python-version }}
+          tags: ${{ steps.image-tag.outputs.tags }}
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v2.4.1'
+
+      - name: Create SBOM of container image
+        uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
+          artifact-name: logprep@${{ steps.imageid.outputs.imageid }}.spdx.json
+          output-file: logprep@${{ steps.imageid.outputs.imageid }}.spdx.json
+
+      - name: Sign image with a key and add sbom attestation
+        run: |
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
+          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate logprep@${{ steps.imageid.outputs.imageid }}.spdx.json ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+
+      # To avoid the trivy-db becoming outdated, we save the cache for one day
+      - name: Get date
+        id: date
+        run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
+
+      - name: Restore trivy cache
+        uses: actions/cache@v4
+        with:
+          path: cache/db
+          key: trivy-cache-${{ steps.date.outputs.date }}
+          restore-keys:
+            trivy-cache-
+
+      - name: Scan image using Trivy
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_CACHE_DIR: ./cache
+        with:
+          scan-type: image
+          image-ref: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
+          trivy-config: trivy.yaml
+
+      # Trivy-db uses `0600` permissions.
+      # But `action/cache` use `runner` user by default
+      # So we need to change the permissions before caching the database.
+      - name: Change permissions for trivy.db
+        run: sudo chmod 0644 ./cache/db/trivy.db
diff --git a/.github/workflows/publish-latest-dev-release-to-github.yml b/.github/workflows/publish-latest-dev-release-to-github.yml
@@ -47,31 +47,9 @@ jobs:
             LICENSE
 
   containerbuild:
-    strategy:
-      matrix:
-        python-version: ["3.10", "3.11", "3.12"]
-
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build images
-        uses: docker/build-push-action@v3
-        with:
-          context: .
-          push: true # Will only build if this is not here
-          build-args: |
-            LOGPREP_VERSION=latest
-            PYTHON_VERSION=${{ matrix.python-version }}
-          tags: |
-            ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-main
-            ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-latest
+    uses: ./.github/workflows/container-build.yml
+    needs: create-github-prerelease
+    secrets: inherit
+    with:
+      build-version: ${{ github.ref_name }}
+      tags: "main, latest"
diff --git a/.github/workflows/publish-release-to-pypi.yml b/.github/workflows/publish-release-to-pypi.yml
@@ -60,82 +60,9 @@ jobs:
         uses: pypa/gh-action-pypi-publish@release/v1
 
   containerbuild:
-    strategy:
-      matrix:
-        python-version: ["3.10", "3.11", "3.12"]
-
-    runs-on: ubuntu-latest
+    uses: ./.github/workflows/container-build.yml
     needs: publish-latest-release-to-pypi
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build images
-        uses: docker/build-push-action@v3
-        with:
-          context: .
-          push: true # Will only build if this is not here
-          build-args: |
-            LOGPREP_VERSION=${{ github.ref_name }}
-            PYTHON_VERSION=${{ matrix.python-version }}
-          tags: |
-            ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.ref_name }}
-            ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-stable
-            ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-latest
-
-      - name: Install Cosign
-        uses: sigstore/[email protected]
-        with:
-          cosign-release: 'v2.4.1'
-
-      - name: Create SBOM of container image
-        uses: anchore/sbom-action@v0
-        with:
-          image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }}
-          artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
-          output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
-
-      - name: Sign image with a key and add sbom attestation
-        run: |
-          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
-          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
-        env:
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-          DIGEST: ${{ steps.build-and-push.outputs.digest }}
-
-      # To avoid the trivy-db becoming outdated, we save the cache for one day
-      - name: Get date
-        id: date
-        run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
-
-      - name: Restore trivy cache
-        uses: actions/cache@v4
-        with:
-          path: cache/db
-          key: trivy-cache-${{ steps.date.outputs.date }}
-          restore-keys:
-            trivy-cache-
-
-      - name: Scan image using Trivy
-        uses: aquasecurity/[email protected]
-        env:
-          TRIVY_CACHE_DIR: ./cache
-        with:
-          scan-type: image
-          image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
-          trivy-config: trivy.yaml
-
-      # Trivy-db uses `0600` permissions.
-      # But `action/cache` use `runner` user by default
-      # So we need to change the permissions before caching the database.
-      - name: Change permissions for trivy.db
-        run: sudo chmod 0644 ./cache/db/trivy.db
+    secrets: inherit
+    with:
+      build-version: ${{ github.ref_name }}
+      tags: "${{ github.ref_name }}, stable, latest"