ci: update trivy-action to 0.28.0 #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Build and Push | |
| on: | |
| workflow_call: | |
| secrets: | |
| BLOCKCHAIN_ACTIONS_TOKEN: | |
| required: true | |
| GRAVITON_BUILDER_SSH_PRIVATE_KEY: | |
| required: true | |
| inputs: | |
| ref: | |
| type: string | |
| required: false | |
| default: "" | |
| working-directory: | |
| type: string | |
| required: true | |
| docker-context: | |
| type: string | |
| required: false | |
| default: "." | |
| image-name: | |
| type: string | |
| required: true | |
| image-dev-name: | |
| type: string | |
| required: false | |
| image-dev-description: | |
| type: string | |
| required: false | |
| push_image: | |
| type: boolean | |
| default: true | |
| required: false | |
| runs_on: | |
| type: string | |
| required: false | |
| default: "ubuntu-latest" | |
| generate-dev-image: | |
| type: boolean | |
| default: false | |
| required: false | |
| docker-file: | |
| type: string | |
| default: "ci.dockerfile" | |
| required: false | |
| docker-file-dev: | |
| type: string | |
| default: "dev.dockerfile" | |
| required: false | |
| graviton-build-host: | |
| type: string | |
| required: false | |
| default: "ec2-15-188-101-126.eu-west-3.compute.amazonaws.com" | |
| arm-build: | |
| type: boolean | |
| default: true | |
| required: false | |
| cache-from: | |
| type: string | |
| required: false | |
| default: "type=gha" | |
| cache-to: | |
| type: string | |
| required: false | |
| default: "type=gha,mode=max" | |
| outputs: | |
| image_name: | |
| description: "Image Name with Tag generated by this task" | |
| value: "${{ jobs.build-and-push-docker.outputs.image_name }}" | |
| jobs: | |
| build-and-push-docker: | |
| runs-on: ${{ inputs.runs_on }} | |
| outputs: | |
| image_name: ${{ steps.export-image.outputs.image }} | |
| env: | |
| HOME: ${{ inputs.runs_on != 'ubuntu-latest' && '/root' || '/home/runner' }} | |
| steps: | |
| - name: Checkout Project | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 | |
| with: | |
| dockerfile: ${{ inputs.working-directory }}/${{ inputs.docker-file }} | |
| failure-threshold: none | |
| - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 | |
| if: ${{ inputs.generate-dev-image }} | |
| with: | |
| dockerfile: ${{ inputs.working-directory }}/${{ inputs.docker-file-dev }} | |
| failure-threshold: none | |
| - name: Set up SSH | |
| if: inputs.arm-build | |
| uses: MrSquaare/ssh-setup-action@2d028b70b5e397cf8314c6eaea229a6c3e34977a # v3.1.0 | |
| with: | |
| host: ${{ inputs.graviton-build-host }} | |
| private-key: ${{ secrets.GRAVITON_BUILDER_SSH_PRIVATE_KEY }} | |
| private-key-name: docker_builder_arm | |
| - name: Set up Docker Buildx | |
| if: inputs.arm-build | |
| uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
| with: | |
| platforms: linux/amd64,linux/arm64 | |
| append: | | |
| - endpoint: "ssh://ec2-user@${{ inputs.graviton-build-host }}" | |
| platforms: linux/arm64 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Echo github event | |
| run: echo "Github event ==> ${{ github.event_name }}" | |
| - name: Current branch sha | |
| if: github.event_name != 'release' | |
| run: | | |
| echo "DOCKER_TAG_IMAGE=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_ENV" | |
| - name: Current Tag | |
| if: github.event_name == 'release' | |
| run: | | |
| echo "DOCKER_TAG_IMAGE=${{ github.ref_name }}" >> "$GITHUB_ENV" | |
| - name: Docker Build and Push | |
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
| with: | |
| context: ${{ inputs.docker-context }} | |
| platforms: linux/amd64,linux/arm64 | |
| build-args: | | |
| BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }} | |
| file: ${{ inputs.working-directory }}/${{ inputs.docker-file }} | |
| push: false | |
| pull: false | |
| tags: ghcr.io/zama-ai/${{ inputs.image-name }}:${{env.DOCKER_TAG_IMAGE }},ghcr.io/zama-ai/${{ inputs.image-name }}:latest | |
| cache-from: ${{ inputs.cache-from }} | |
| cache-to: ${{ inputs.cache-to }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@@0.28.0 | |
| with: | |
| image-ref: 'ghcr.io/zama-ai/${{ inputs.image-name }}:${{env.DOCKER_TAG_IMAGE }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Extract Docker metadata | |
| if: ${{ inputs.generate-dev-image }} | |
| id: meta | |
| uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
| with: | |
| annotations: | | |
| org.opencontainers.image.description="${{ inputs.image-dev-description }}" | |
| labels: | | |
| zama.fhevm.version=${{ env.DOCKER_TAG_IMAGE }} | |
| zama.fhevm.description="${{ inputs.image-dev-description }}" | |
| images: ghcr.io/zama-ai/${{ inputs.image-dev-name }}:${{ env.DOCKER_TAG_IMAGE }} | |
| env: | |
| DOCKER_METADATA_ANNOTATIONS_LEVELS: index | |
| - name: Docker Build and Push Dev Image | |
| if: ${{ inputs.generate-dev-image }} | |
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
| timeout-minutes: 360 | |
| with: | |
| context: ${{ inputs.docker-context }} | |
| platforms: linux/amd64,linux/arm64 | |
| build-args: | | |
| BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }} | |
| file: ${{ inputs.working-directory }}/${{ inputs.docker-file-dev }} | |
| push: false | |
| pull: false | |
| tags: ghcr.io/zama-ai/${{ inputs.image-dev-name }}:${{env.DOCKER_TAG_IMAGE}},ghcr.io/zama-ai/${{ inputs.image-dev-name }}:latest | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| labels: ${{ steps.meta.outputs.labels }} | |
| annotations: ${{ steps.meta.outputs.annotations }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0 | |
| with: | |
| image-ref: 'ghcr.io/zama-ai/${{ inputs.image-dev-name }}:${{env.DOCKER_TAG_IMAGE}}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Export image name | |
| id: export-image | |
| run: echo "image=ghcr.io/zama-ai/${{inputs.image-name}}:${{env.DOCKER_TAG_IMAGE}}" >> "${GITHUB_OUTPUT}" |