diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d1acc1835..2aa933fe1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -94,97 +94,8 @@ jobs: uses: codecov/codecov-action@v2 containerbuild: - strategy: - fail-fast: false - matrix: - python-version: ["3.10", "3.11", "3.12"] - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build image and export to Docker - uses: docker/build-push-action@v6 - with: - context: . - load: true - build-args: | - LOGPREP_VERSION=dev - PYTHON_VERSION=${{ matrix.python-version }} - tags: | - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} - - - name: Ensure logprep is available in image - run: | - docker run --rm ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} --version - - # This step will build the image again, but every layer will already be cached, so it is nearly instantaneous. - - name: Push image - uses: docker/build-push-action@v6 - id: build-and-push - with: - context: . 
- push: true - build-args: | - LOGPREP_VERSION=dev - PYTHON_VERSION=${{ matrix.python-version }} - tags: | - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} - - - name: Install Cosign - uses: sigstore/cosign-installer@v3.7.0 - with: - cosign-release: 'v2.4.1' - - - name: Create SBOM of container image - uses: anchore/sbom-action@v0 - with: - image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }} - artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json - output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json - - - name: Sign image with a key and add sbom attestation - run: | - cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST} - cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST} - env: - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - - # To avoid the trivy-db becoming outdated, we save the cache for one day - - name: Get date - id: date - run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT - - - name: Restore trivy cache - uses: actions/cache@v4 - with: - path: cache/db - key: trivy-cache-${{ steps.date.outputs.date }} - restore-keys: - trivy-cache- - - - name: Scan image using Trivy - uses: aquasecurity/trivy-action@0.24.0 - env: - TRIVY_CACHE_DIR: ./cache - with: - scan-type: image - image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} - trivy-config: trivy.yaml - - # Trivy-db uses `0600` permissions. - # But `action/cache` use `runner` user by default - # So we need to change the permissions before caching the database. 
- - name: Change permissions for trivy.db - run: sudo chmod 0644 ./cache/db/trivy.db + uses: ./.github/workflows/container-build.yml + secrets: inherit + with: + build-version: dev + tags: "${{ github.head_ref }}" diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml new file mode 100644 index 000000000..453164d98 --- /dev/null +++ b/.github/workflows/container-build.yml @@ -0,0 +1,129 @@ +name: Reusable Container Build + +on: + workflow_call: + inputs: + build-version: + description: "Version of Logprep to build" + required: true + type: string + tags: + description: "Tags to apply to the image" + required: true + type: string + +jobs: + containerbuild: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: [ "3.10", "3.11", "3.12" ] + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Generate Image Tags + id: image-tag + run: | + python - <> $GITHUB_OUTPUT + + - name: Restore trivy cache + uses: actions/cache@v4 + with: + path: cache/db + key: trivy-cache-${{ steps.date.outputs.date }} + restore-keys: + trivy-cache- + + - name: Scan image using Trivy + uses: aquasecurity/trivy-action@0.24.0 + env: + TRIVY_CACHE_DIR: ./cache + with: + scan-type: image + image-ref: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }} + trivy-config: trivy.yaml + + # Trivy-db uses `0600` permissions. + # But `action/cache` use `runner` user by default + # So we need to change the permissions before caching the database. + - name: Change permissions for trivy.db + run: sudo chmod 0644 ./cache/db/trivy.db diff --git a/.github/workflows/publish-latest-dev-release-to-github.yml b/.github/workflows/publish-latest-dev-release-to-github.yml index 0c49be251..00b5102cc 100644 
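Review bot: `secrets: inherit` on the new `containerbuild` call hands every repository secret to the reusable workflow, while the part of container-build.yml visible here declares only `inputs:` under `workflow_call` and no `secrets:` block; a narrower contract would declare the two secrets the callee needs and pass just those, e.g. `secrets:` / `COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}` / `COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}`. The `tags: "${{ github.head_ref }}"` input is branch-name-controlled and empty on non-PR triggers (the removed inline tags had the same dependency on `head_ref`), and it now ends up in the callee's `Generate Image Tags` run step, so the callee should read it from `env:` rather than interpolating `${{ inputs.tags }}` into the script body, and the empty-string case should be handled explicitly rather than producing an empty tag. The job's trigger and `permissions:` lie outside the hunk, so whether the signing secrets were already reachable from this workflow before the change cannot be confirmed here.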
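Review bot: The `strategy:` block in container-build.yml drops the `fail-fast: false` that the ci.yml job it replaces carried, so with the default `fail-fast: true` a failure on one Python version now cancels the other two builds and their scan and sign steps; add `fail-fast: false` under `strategy:` if per-version results are still wanted. The `tags` input description `"Tags to apply to the image"` does not say that the value is a comma-separated list (the callers pass `"main, latest"` and `"${{ github.ref_name }}, stable, latest"`), whether whitespace is trimmed, or whether the per-Python-version prefix is added by the workflow; documenting the format there would help callers. The `Generate Image Tags` step that presumably does the splitting appears truncated on this page (`python - <> $GITHUB_OUTPUT`), so its handling of the input could not be reviewed, and the build step that must carry `id: build-and-push` for the trivy step's `steps.build-and-push.outputs.digest` is likewise not visible. The third-party actions in the visible steps (`actions/checkout@v4`, `docker/login-action@v2`, `actions/cache@v4`, `aquasecurity/trivy-action@0.24.0`) are pinned to mutable tags; for a workflow that receives the signing secrets via `secrets: inherit`, pinning each to a full commit SHA with the tag in a trailing comment is the usual hardening.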
--- a/.github/workflows/publish-latest-dev-release-to-github.yml +++ b/.github/workflows/publish-latest-dev-release-to-github.yml @@ -47,31 +47,9 @@ jobs: LICENSE containerbuild: - strategy: - matrix: - python-version: ["3.10", "3.11", "3.12"] - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build images - uses: docker/build-push-action@v3 - with: - context: . - push: true # Will only build if this is not here - build-args: | - LOGPREP_VERSION=latest - PYTHON_VERSION=${{ matrix.python-version }} - tags: | - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-main - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-latest + uses: ./.github/workflows/container-build.yml + needs: create-github-prerelease + secrets: inherit + with: + build-version: ${{ github.ref_name }} + tags: "main, latest" diff --git a/.github/workflows/publish-release-to-pypi.yml b/.github/workflows/publish-release-to-pypi.yml index e5057661e..3c65c4b1e 100644 --- a/.github/workflows/publish-release-to-pypi.yml +++ b/.github/workflows/publish-release-to-pypi.yml 
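Review bot: `build-version: ${{ github.ref_name }}` replaces the literal `LOGPREP_VERSION=latest` that the removed build step passed, so the dev image is now built with the ref name rather than `latest`; if the Dockerfile treats `latest` specially this is a behavioural change worth confirming, and otherwise a comment such as `# build-version: the pushed ref name (was the literal "latest" before the shared workflow)` would record the intent. `tags: "main, latest"` also means every run of this workflow re-points `latest`, the same tag the release caller in publish-release-to-pypi.yml writes with `"${{ github.ref_name }}, stable, latest"`, so `latest` alternates between dev and release builds; the removed inline tags already did this, but with one shared workflow it is now easy to decide which caller owns `latest`. Note that this file's old inline job neither signed nor scanned the image, so through the shared workflow this run now also exercises the cosign and trivy steps and needs those secrets, which `secrets: inherit` supplies wholesale.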
@@ -60,82 +60,9 @@ jobs: uses: pypa/gh-action-pypi-publish@release/v1 containerbuild: - strategy: - matrix: - python-version: ["3.10", "3.11", "3.12"] - - runs-on: ubuntu-latest + uses: ./.github/workflows/container-build.yml needs: publish-latest-release-to-pypi - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build images - uses: docker/build-push-action@v3 - with: - context: . - push: true # Will only build if this is not here - build-args: | - LOGPREP_VERSION=${{ github.ref_name }} - PYTHON_VERSION=${{ matrix.python-version }} - tags: | - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.ref_name }} - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-stable - ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-latest - - - name: Install Cosign - uses: sigstore/cosign-installer@v3.7.0 - with: - cosign-release: 'v2.4.1' - - - name: Create SBOM of container image - uses: anchore/sbom-action@v0 - with: - image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }} - artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json - output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json - - - name: Sign image with a key and add sbom attestation - run: | - cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST} - cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST} - env: - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - DIGEST: ${{ 
steps.build-and-push.outputs.digest }} - - # To avoid the trivy-db becoming outdated, we save the cache for one day - - name: Get date - id: date - run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT - - - name: Restore trivy cache - uses: actions/cache@v4 - with: - path: cache/db - key: trivy-cache-${{ steps.date.outputs.date }} - restore-keys: - trivy-cache- - - - name: Scan image using Trivy - uses: aquasecurity/trivy-action@0.24.0 - env: - TRIVY_CACHE_DIR: ./cache - with: - scan-type: image - image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} - trivy-config: trivy.yaml - - # Trivy-db uses `0600` permissions. - # But `action/cache` use `runner` user by default - # So we need to change the permissions before caching the database. - - name: Change permissions for trivy.db - run: sudo chmod 0644 ./cache/db/trivy.db + secrets: inherit + with: + build-version: ${{ github.ref_name }} + tags: "${{ github.ref_name }}, stable, latest"
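Review bot: The removed inline job in this file signed and attested with `github.head_ref`, which is empty on a tag push, and referenced `steps.build-and-push.outputs.digest` without any step carrying `id: build-and-push`, so release signing was effectively non-functional before; the move to the shared workflow is what fixes that, but only if the callee's build step sets that id and derives its tags from `inputs.tags` rather than `head_ref`, and that step is not visible on this page, so it should be checked once. `tags: "${{ github.ref_name }}, stable, latest"` moves `stable` and `latest` together on every release; if `stable` is meant to lag (for example to skip pre-release tags) that policy now has to live in this caller, and a one-line comment above `with:` stating that both tags are advanced on every release would make the current intent explicit. `needs: publish-latest-release-to-pypi` is kept, so the image build still waits for the PyPI publish to succeed, which is the right ordering if the image installs the published package.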