build-push-docker-images #70
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is a workflow for building and pushing Docker images. | |
# | |
# It is configured to be triggered by repository dispatch events which come from outside of this repository. | |
# It requires write access to the repository by providing a personal access token (PAT) with `repo` scope. | |
# | |
# The `event_type` parameter is expected to be `build-push-docker-images`. | |
# The `client_payload` parameter is expected to contain the following data: | |
# * `CLI_version`: a string containing the Phylum CLI version to include | |
# in the image, in a format acceptable to `phylum-init` | |
# | |
# Here is an example repository dispatch event, triggered with `curl` from the command line: | |
# | |
# curl \ | |
# -X POST \ | |
# --fail-with-body \ | |
# -H "Accept: application/vnd.github+json" \ | |
# -H "X-GitHub-Api-Version: 2022-11-28" \ | |
# -H "Authorization: token <PAT>" \ | |
# -d '{"event_type":"build-push-docker-images","client_payload":{"CLI_version":"v3.8.0"}}' \ | |
# https://api.github.com/repos/phylum-dev/phylum-ci/dispatches | |
# | |
# References: | |
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#repository_dispatch | |
# https://docs.github.com/en/rest/repos/repos#create-a-repository-dispatch-event | |
--- | |
name: Build and push images | |
concurrency: Production | |
on: | |
repository_dispatch: | |
types: [build-push-docker-images] | |
jobs: | |
docker: | |
name: Build and push Docker images | |
environment: | |
name: Production | |
url: https://hub.docker.com/r/phylumio/phylum-ci/tags | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
shell: bash | |
env: | |
DOCKER_BUILDKIT: 1 | |
steps: | |
- name: Get latest phylum-ci release version | |
id: get_vers | |
# The API is called directly here instead of using git commands because the repo is not checked out yet | |
run: | | |
REL_VER_WITH_v=$( \ | |
curl \ | |
--silent \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
https://api.github.com/repos/phylum-dev/phylum-ci/releases/latest \ | |
| \ | |
jq \ | |
--raw-output \ | |
--exit-status \ | |
.tag_name \ | |
) | |
REL_VER_WITHOUT_v="${REL_VER_WITH_v//v/}" | |
echo "${REL_VER_WITH_v}" "${REL_VER_WITHOUT_v}" | |
echo "REL_VER_WITH_v=${REL_VER_WITH_v}" >> "${GITHUB_OUTPUT}" | |
echo "REL_VER_WITHOUT_v=${REL_VER_WITHOUT_v}" >> "${GITHUB_OUTPUT}" | |
- name: Checkout the repo | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
# This will ensure the checkout matches the tag for the latest release | |
ref: ${{ steps.get_vers.outputs.REL_VER_WITH_v }} | |
- name: Get phylum wheel from latest release | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: gh release download ${{ steps.get_vers.outputs.REL_VER_WITH_v }} --pattern '*.whl' | |
- name: Build default docker image with latest phylum wheel | |
run: | | |
docker build \ | |
--tag phylum-ci \ | |
--build-arg PKG_SRC=phylum-*.whl \ | |
--build-arg PKG_NAME=phylum-*.whl \ | |
--build-arg CLI_VER=${{ github.event.client_payload.CLI_version }} \ | |
--build-arg BUILDKIT_INLINE_CACHE=1 \ | |
--build-arg GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \ | |
. | |
- name: Test default docker image with latest phylum wheel | |
run: scripts/docker_tests.sh --image phylum-ci | |
- name: Build slim docker image with latest phylum wheel | |
run: | | |
docker build \ | |
--tag phylum-ci-slim \ | |
--build-arg PKG_SRC=phylum-*.whl \ | |
--build-arg PKG_NAME=phylum-*.whl \ | |
--build-arg CLI_VER=${{ github.event.client_payload.CLI_version }} \ | |
--build-arg BUILDKIT_INLINE_CACHE=1 \ | |
--build-arg GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \ | |
--file Dockerfile.slim \ | |
. | |
- name: Test slim docker image with latest phylum wheel | |
run: scripts/docker_tests.sh --image phylum-ci-slim --slim | |
- name: Login to Docker Hub | |
run: docker login --username ${{ secrets.DOCKER_HUB_USERNAME }} --password ${{ secrets.DOCKER_HUB_TOKEN }} | |
- name: Login to GitHub Container Registry | |
run: docker login --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io | |
- name: Create specific docker tags and push them | |
env: | |
REL_VER_WITHOUT_v: ${{ steps.get_vers.outputs.REL_VER_WITHOUT_v }} | |
run: | | |
CLI_REL_VER=$(docker run --rm phylum-ci phylum --version | sed 's/phylum //') | |
docker tag phylum-ci "phylumio/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}" | |
docker tag phylum-ci-slim "phylumio/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}-slim" | |
docker tag phylum-ci "ghcr.io/phylum-dev/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}" | |
docker tag phylum-ci-slim "ghcr.io/phylum-dev/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}-slim" | |
docker push "phylumio/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}" | |
docker push "phylumio/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}-slim" | |
docker push "ghcr.io/phylum-dev/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}" | |
docker push "ghcr.io/phylum-dev/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}-slim" | |
- name: Tag and push latest docker images | |
# Only tag and push `latest` when it's not a CLI pre-release | |
# NOTE: This is an instance where the expression syntax (`${{ }}`) is required for the `if` conditional, | |
# contrary to the GitHub workflow syntax documentation. Do not remove the expression syntax. | |
if: ${{ !contains(github.event.client_payload.CLI_version, 'rc') }} | |
run: | | |
docker tag phylum-ci phylumio/phylum-ci:latest | |
docker tag phylum-ci-slim phylumio/phylum-ci:slim | |
docker tag phylum-ci ghcr.io/phylum-dev/phylum-ci:latest | |
docker tag phylum-ci-slim ghcr.io/phylum-dev/phylum-ci:slim | |
docker push phylumio/phylum-ci:latest | |
docker push phylumio/phylum-ci:slim | |
docker push ghcr.io/phylum-dev/phylum-ci:latest | |
docker push ghcr.io/phylum-dev/phylum-ci:slim | |
- name: Logout of Docker Hub | |
if: always() | |
run: docker logout | |
- name: Logout of GitHub Container Registry | |
if: always() | |
run: docker logout ghcr.io |