forked from wemove/read2burn
-
Notifications
You must be signed in to change notification settings - Fork 5
135 lines (132 loc) · 4.45 KB
/
docker-build-push-read2burn.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
name: docker build publish read2burn
concurrency:
group: "read2burn"
cancel-in-progress: true
env:
BUILD_CONTEXT: .
IMAGE_AUTHORS: Jürrens, Eike Hinderk <[email protected]>
IMAGE_DESCRIPTION: transport passwords more secure by email
IMAGE_LICENSES: Apache-2.0
IMAGE_TAG: 52north/read2burn
IMAGE_TITLE: read2burn by wemove forked by 52n
IMAGE_VENDOR: 52°North Spatial Information Research GmbH
IMAGE_URL: https://github.com/52north/read2burn
METADATA_TAG_PATTERN: v(.*)
on:
workflow_dispatch:
inputs:
tags:
description: "Please provide a git tag value, e.g. v1.0b3. It should be the same version as the read2burn app with added build id."
required: true
type: string
default: "v1.0b3"
push:
tags:
- "v*"
jobs:
build_and_publish:
name: docker build publish image
runs-on: ubuntu-latest
strategy:
matrix:
language: [ 'javascript' ]
steps:
-
name: Declare some variables
id: vars
shell: bash
run: |
echo "build_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_OUTPUT
echo "build_id=$(echo ${{ github.event.inputs.tags }} | awk -F 'b' '{print $(NF)}')" >> $GITHUB_OUTPUT
-
name: Checkout Repository
uses: actions/checkout@v4
-
name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
-
name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
-
name: Set up Docker Buildkit env
uses: docker/setup-buildx-action@v3
-
name: Extract metadata (tags, labels) for tagging Docker Image
id: meta
uses: docker/metadata-action@v5
with:
images: "${{ env.IMAGE_TAG }}"
labels: |
"org.opencontainers.image.authors=${{ env.IMAGE_AUTHORS }}"
"org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}"
"org.opencontainers.image.licenses=${{ env.IMAGE_LICENSES }}"
"org.opencontainers.image.title=${{ env.IMAGE_TITLE }}"
"org.opencontainers.image.url=${{ env.IMAGE_URL }}"
"org.opencontainers.image.vendor=${{ env.IMAGE_VENDOR }}"
tags: |
type=match,pattern=${{ env.METADATA_TAG_PATTERN }},group=1,value=${{ github.event.inputs.tags }}
-
name: Log in to Docker Hub
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
-
name: Build and push Docker image
uses: docker/build-push-action@v6
with:
context: "${{ env.BUILD_CONTEXT }}"
cache-from: type=gha
cache-to: type=gha
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
GIT_COMMIT=${{ github.sha }}
BUILD_DATE=${{ steps.vars.outputs.build_date }}
BUILD_ID=${{ steps.vars.outputs.build_id }}
-
name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
env:
#
# Using AWS repository to circumvent TOOMANYREQUEST error from github repository
#
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
#
# Original GitHub repository
#
# TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db:2
# TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db:1
#
#
# Disable VEX notice
#
TRIVY_DISABLE_VEX_NOTICE: disable_vex_notice
with:
image-ref: "${{ env.IMAGE_TAG }}"
format: 'table'
output: 'trivy-results.txt'
exit-code: '0'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
-
name: Trigger redeployment
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GHA_WORKFLOW_TRIGGER }}
script: |
const result = await github.rest.actions.createWorkflowDispatch({
owner: '${{ secrets.TRIGGER_ORGA }}',
repo: '${{ secrets.TRIGGER_REPO }}',
workflow_id: '${{ secrets.TRIGGER_WORKFLOW_1 }}',
ref: '${{ secrets.TRIGGER_REF }}'
})
console.log(result)