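# CD: rebuild and publish the image for each supported Alpine version when
# (a) a rebuild is forced via workflow_dispatch, (b) no image exists yet in
# the registry, (c) the published image reports pending package updates, or
# (d) the upstream alpine base layer changed. Runs on push to master,
# nightly on a schedule, and on manual dispatch.
name: CD

on:
  push:
    branches: [master]
  schedule:
    - cron: '30 4 * * *'  # daily at 04:30 UTC
  workflow_dispatch:
    inputs:
      force_rebuild:
        description: 'Force image rebuild'
        required: true
        type: choice
        # Quoted so the options stay the strings "yes"/"no" (unquoted yes/no
        # are booleans under YAML 1.1, which made the comparison in the
        # rebuild step ambiguous). The rebuild step compares against "yes".
        options: ['yes', 'no']

# Least privilege: the job only needs to push packages and read the repo.
permissions:
  packages: write
  contents: read

env:
  REGISTRY: ghcr.io

jobs:
  Alpine:
    name: Alpine
    runs-on: ubuntu-latest
    timeout-minutes: 5
    strategy:
      matrix:
        version: ['3.17', '3.18', '3.19', '3.20', '3.21']
    steps:
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Decides whether this version needs a rebuild and exposes the decision
      # as the `build` step output ("true", otherwise unset). With
      # continue-on-error the job keeps going when the check itself fails;
      # `build` is then unset, the rebuild steps are skipped, and the info and
      # scan steps below run against the already-published image.
      - name: Check for rebuild
        id: rebuild_check
        continue-on-error: true
        env:
          # Passed through env rather than interpolated into the script body,
          # so the values are never re-parsed by the shell.
          FORCE_REBUILD: ${{ github.event.inputs.force_rebuild }}
          VERSION: ${{ matrix.version }}
          IMAGE: ${{ env.REGISTRY }}/${{ github.repository }}:${{ matrix.version }}
        run: |
          # [rebuild-check]
          echo -e "::group::\033[34mChecking for packages updates…\033[0m"
          # Empty on push/schedule events; "yes" only when chosen on dispatch.
          if [[ "$FORCE_REBUILD" == "yes" ]] ; then
            echo "::warning::Rebuild ${VERSION} (reason: forced rebuild)"
            echo "build=true" >> "$GITHUB_OUTPUT"
            exit 0
          else
            if ! docker pull "$IMAGE" ; then
              echo "::warning::Rebuild ${VERSION} (reason: new image)"
              echo "build=true" >> "$GITHUB_OUTPUT"
              exit 0
            fi
            # `checkupdate` is a command inside the published image; a non-zero
            # exit is treated as "package updates are pending".
            if ! docker run --rm "$IMAGE" checkupdate ; then
              echo "::warning::Rebuild ${VERSION} (reason: packages update)"
              echo "build=true" >> "$GITHUB_OUTPUT"
              exit 0
            fi
          fi
          echo "::endgroup::"
          echo -e "::group::\033[34mChecking for rebuilt base image…\033[0m"
          echo "Pulling alpine:${VERSION} from registry…"
          echo ""
          if ! docker pull "alpine:${VERSION}" ; then
            echo "::error::Can't pull image alpine:${VERSION}"
            exit 1
          fi
          # Compare the first filesystem layer of upstream alpine with ours:
          # a mismatch means the base image was rebuilt and ours is stale.
          orig_dig=$(docker inspect "alpine:${VERSION}" | jq -r '.[0].RootFS.Layers[0]')
          our_dig=$(docker inspect "$IMAGE" | jq -r '.[0].RootFS.Layers[0]')
          echo ""
          echo "Original: ${orig_dig}"
          echo "Our: ${our_dig}"
          if [[ "$orig_dig" != "$our_dig" ]] ; then
            echo "::warning::Rebuild ${VERSION} (reason: rebuilt base image)"
            echo "build=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "::endgroup::"

      - name: Checkout
        if: ${{ steps.rebuild_check.outputs.build == 'true' }}
        uses: actions/checkout@v4

      # Dockerfile name is the version with the dot removed, e.g. 3.21 -> 321.docker
      - name: Set build context
        if: ${{ steps.rebuild_check.outputs.build == 'true' }}
        id: build_context
        env:
          VERSION: ${{ matrix.version }}
        run: |
          dockerfile="${VERSION//./}"
          echo "dockerfile=${dockerfile}.docker" >> "$GITHUB_OUTPUT"

      - name: Rebuild and push image
        if: ${{ steps.rebuild_check.outputs.build == 'true' }}
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ${{ steps.build_context.outputs.dockerfile }}
          push: true
          # The same image is published to both GHCR and Docker Hub.
          tags: |
            ghcr.io/${{ github.repository }}:${{ matrix.version }}
            ${{ github.repository }}:${{ matrix.version }}

      # The two steps below have no `if:` and therefore run on every
      # invocation, so the published image is inspected and scanned each run,
      # not only after a rebuild.
      - name: Show info about image
        uses: essentialkaos/docker-info-action@v1
        with:
          image: ${{ env.REGISTRY }}/${{ github.repository }}:${{ matrix.version }}

      - name: Scan final image with Trivy
        # TODO(security): `@master` is a mutable ref; pin to a release tag or a
        # commit SHA so the scanner code cannot change underneath this workflow.
        uses: aquasecurity/trivy-action@master
        env:
          # Comma-separated list of alternative vulnerability DB repositories.
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
        with:
          image-ref: "${{ env.REGISTRY }}/${{ github.repository }}:${{ matrix.version }}"
          format: "table"
          ignore-unfixed: true
          severity: "LOW,MEDIUM,HIGH,CRITICAL"
          scanners: "vuln"
          # No `exit-code` is set: findings are reported but do not fail the job.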