-
Notifications
You must be signed in to change notification settings - Fork 1
150 lines (135 loc) · 6.5 KB
/
docker.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
# This is a workflow for building and pushing Docker images.
#
# It is configured to be triggered by repository dispatch events which come from outside of this repository.
# It requires write access to the repository by providing a personal access token (PAT) with `repo` scope.
#
# The `event_type` parameter is expected to be `build-push-docker-images`.
# The `client_payload` parameter is expected to contain the following data:
# * `CLI_version`: a string containing the Phylum CLI version to include
# in the image, in a format acceptable to `phylum-init`
#
# Here is an example repository dispatch event, triggered with `curl` from the command line:
#
# curl \
# -X POST \
# --fail-with-body \
# -H "Accept: application/vnd.github+json" \
# -H "X-GitHub-Api-Version: 2022-11-28" \
# -H "Authorization: token <PAT>" \
# -d '{"event_type":"build-push-docker-images","client_payload":{"CLI_version":"v3.8.0"}}' \
# https://api.github.com/repos/phylum-dev/phylum-ci/dispatches
#
# References:
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#repository_dispatch
# https://docs.github.com/en/rest/repos/repos#create-a-repository-dispatch-event
---
name: Build and push images
concurrency: Production
on:
repository_dispatch:
types: [build-push-docker-images]
jobs:
docker:
name: Build and push Docker images
environment:
name: Production
url: https://hub.docker.com/r/phylumio/phylum-ci/tags
runs-on: ubuntu-latest
defaults:
run:
shell: bash
env:
DOCKER_BUILDKIT: 1
steps:
- name: Get latest phylum-ci release version
id: get_vers
# The API is called directly here instead of using git commands because the repo is not checked out yet
run: |
REL_VER_WITH_v=$( \
curl \
--silent \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
https://api.github.com/repos/phylum-dev/phylum-ci/releases/latest \
| \
jq \
--raw-output \
--exit-status \
.tag_name \
)
REL_VER_WITHOUT_v="${REL_VER_WITH_v//v/}"
echo "${REL_VER_WITH_v}" "${REL_VER_WITHOUT_v}"
echo "REL_VER_WITH_v=${REL_VER_WITH_v}" >> "${GITHUB_OUTPUT}"
echo "REL_VER_WITHOUT_v=${REL_VER_WITHOUT_v}" >> "${GITHUB_OUTPUT}"
- name: Checkout the repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# This will ensure the checkout matches the tag for the latest release
ref: ${{ steps.get_vers.outputs.REL_VER_WITH_v }}
- name: Get phylum wheel from latest release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release download ${{ steps.get_vers.outputs.REL_VER_WITH_v }} --pattern '*.whl'
- name: Build default docker image with latest phylum wheel
run: |
docker build \
--tag phylum-ci \
--build-arg PKG_SRC=phylum-*.whl \
--build-arg PKG_NAME=phylum-*.whl \
--build-arg CLI_VER=${{ github.event.client_payload.CLI_version }} \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--build-arg GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \
.
- name: Test default docker image with latest phylum wheel
run: scripts/docker_tests.sh --image phylum-ci
- name: Build slim docker image with latest phylum wheel
run: |
docker build \
--tag phylum-ci-slim \
--build-arg PKG_SRC=phylum-*.whl \
--build-arg PKG_NAME=phylum-*.whl \
--build-arg CLI_VER=${{ github.event.client_payload.CLI_version }} \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--build-arg GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \
--file Dockerfile.slim \
.
- name: Test slim docker image with latest phylum wheel
run: scripts/docker_tests.sh --image phylum-ci-slim --slim
- name: Login to Docker Hub
run: docker login --username ${{ secrets.DOCKER_HUB_USERNAME }} --password ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Login to GitHub Container Registry
run: docker login --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io
- name: Create specific docker tags and push them
env:
REL_VER_WITHOUT_v: ${{ steps.get_vers.outputs.REL_VER_WITHOUT_v }}
run: |
CLI_REL_VER=$(docker run --rm phylum-ci phylum --version | sed 's/phylum //')
docker tag phylum-ci "phylumio/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}"
docker tag phylum-ci-slim "phylumio/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}-slim"
docker tag phylum-ci "ghcr.io/phylum-dev/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}"
docker tag phylum-ci-slim "ghcr.io/phylum-dev/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}-slim"
docker push "phylumio/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}"
docker push "phylumio/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}-slim"
docker push "ghcr.io/phylum-dev/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}"
docker push "ghcr.io/phylum-dev/phylum-ci:${{ env.REL_VER_WITHOUT_v }}-CLI${CLI_REL_VER}-slim"
- name: Tag and push latest docker images
# Only tag and push `latest` when it's not a CLI pre-release
# NOTE: This is an instance where the expression syntax (`${{ }}`) is required for the `if` conditional,
# contrary to the GitHub workflow syntax documentation. Do not remove the expression syntax.
if: ${{ !contains(github.event.client_payload.CLI_version, 'rc') }}
run: |
docker tag phylum-ci phylumio/phylum-ci:latest
docker tag phylum-ci-slim phylumio/phylum-ci:slim
docker tag phylum-ci ghcr.io/phylum-dev/phylum-ci:latest
docker tag phylum-ci-slim ghcr.io/phylum-dev/phylum-ci:slim
docker push phylumio/phylum-ci:latest
docker push phylumio/phylum-ci:slim
docker push ghcr.io/phylum-dev/phylum-ci:latest
docker push ghcr.io/phylum-dev/phylum-ci:slim
- name: Logout of Docker Hub
if: always()
run: docker logout
- name: Logout of GitHub Container Registry
if: always()
run: docker logout ghcr.io