Skip to content

build-push-docker-images #70

build-push-docker-images

build-push-docker-images #70

Workflow file for this run

# This is a workflow for building and pushing Docker images.
#
# It is configured to be triggered by repository dispatch events which come from outside of this repository.
# It requires write access to the repository by providing a personal access token (PAT) with `repo` scope.
#
# The `event_type` parameter is expected to be `build-push-docker-images`.
# The `client_payload` parameter is expected to contain the following data:
# * `CLI_version`: a string containing the Phylum CLI version to include
# in the image, in a format acceptable to `phylum-init`
#
# Here is an example repository dispatch event, triggered with `curl` from the command line:
#
# curl \
# -X POST \
# --fail-with-body \
# -H "Accept: application/vnd.github+json" \
# -H "X-GitHub-Api-Version: 2022-11-28" \
# -H "Authorization: token <PAT>" \
# -d '{"event_type":"build-push-docker-images","client_payload":{"CLI_version":"v3.8.0"}}' \
# https://api.github.com/repos/phylum-dev/phylum-ci/dispatches
#
# References:
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#repository_dispatch
# https://docs.github.com/en/rest/repos/repos#create-a-repository-dispatch-event
---
name: Build and push images
concurrency: Production
on:
repository_dispatch:
types: [build-push-docker-images]
jobs:
docker:
name: Build and push Docker images
environment:
name: Production
url: https://hub.docker.com/r/phylumio/phylum-ci/tags
runs-on: ubuntu-latest
defaults:
run:
shell: bash
env:
DOCKER_BUILDKIT: 1
steps:
- name: Get latest phylum-ci release version
id: get_vers
# The API is called directly here instead of using git commands because the repo is not checked out yet
run: |
REL_VER_WITH_v=$( \
curl \
--silent \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
https://api.github.com/repos/phylum-dev/phylum-ci/releases/latest \
| \
jq \
--raw-output \
--exit-status \
.tag_name \
)
REL_VER_WITHOUT_v="${REL_VER_WITH_v//v/}"
echo "${REL_VER_WITH_v}" "${REL_VER_WITHOUT_v}"
echo "REL_VER_WITH_v=${REL_VER_WITH_v}" >> "${GITHUB_OUTPUT}"
echo "REL_VER_WITHOUT_v=${REL_VER_WITHOUT_v}" >> "${GITHUB_OUTPUT}"
- name: Checkout the repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# This will ensure the checkout matches the tag for the latest release
ref: ${{ steps.get_vers.outputs.REL_VER_WITH_v }}
- name: Get phylum wheel from latest release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release download ${{ steps.get_vers.outputs.REL_VER_WITH_v }} --pattern '*.whl'
- name: Build default docker image with latest phylum wheel
run: |
docker build \
--tag phylum-ci \
--build-arg PKG_SRC=phylum-*.whl \
--build-arg PKG_NAME=phylum-*.whl \
--build-arg CLI_VER=${{ github.event.client_payload.CLI_version }} \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--build-arg GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \
.
- name: Test default docker image with latest phylum wheel
run: scripts/docker_tests.sh --image phylum-ci
- name: Build slim docker image with latest phylum wheel
run: |
docker build \
--tag phylum-ci-slim \
--build-arg PKG_SRC=phylum-*.whl \
--build-arg PKG_NAME=phylum-*.whl \
--build-arg CLI_VER=${{ github.event.client_payload.CLI_version }} \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--build-arg GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \
--file Dockerfile.slim \
.
- name: Test slim docker image with latest phylum wheel
run: scripts/docker_tests.sh --image phylum-ci-slim --slim
- name: Login to Docker Hub
run: docker login --username ${{ secrets.DOCKER_HUB_USERNAME }} --password ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Login to GitHub Container Registry
run: docker login --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io
- name: Create specific docker tags and push them
env:
REL_VER_WITHOUT_v: ${{ steps.get_vers.outputs.REL_VER_WITHOUT_v }}
run: |
CLI_REL_VER=$(docker run --rm phylum-ci phylum --version | sed 's/phylum //')
docker tag phylum-ci "phylumio/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}"
docker tag phylum-ci-slim "phylumio/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}-slim"
docker tag phylum-ci "ghcr.io/phylum-dev/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}"
docker tag phylum-ci-slim "ghcr.io/phylum-dev/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}-slim"
docker push "phylumio/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}"
docker push "phylumio/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}-slim"
docker push "ghcr.io/phylum-dev/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}"
docker push "ghcr.io/phylum-dev/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}-slim"
- name: Tag and push latest docker images
# Only tag and push `latest` when it's not a CLI pre-release
# NOTE: This is an instance where the expression syntax (`${{ }}`) is required for the `if` conditional,
# contrary to the GitHub workflow syntax documentation. Do not remove the expression syntax.
if: ${{ !contains(github.event.client_payload.CLI_version, 'rc') }}
run: |
docker tag phylum-ci phylumio/phylum-ci:latest
docker tag phylum-ci-slim phylumio/phylum-ci:slim
docker tag phylum-ci ghcr.io/phylum-dev/phylum-ci:latest
docker tag phylum-ci-slim ghcr.io/phylum-dev/phylum-ci:slim
docker push phylumio/phylum-ci:latest
docker push phylumio/phylum-ci:slim
docker push ghcr.io/phylum-dev/phylum-ci:latest
docker push ghcr.io/phylum-dev/phylum-ci:slim
- name: Logout of Docker Hub
if: always()
run: docker logout
- name: Logout of GitHub Container Registry
if: always()
run: docker logout ghcr.io