From 28602e0f0c08bca8d18e8f689bc0e96c5f30a74a Mon Sep 17 00:00:00 2001 From: mjanez <96422458+mjanez@users.noreply.github.com> Date: Thu, 21 Mar 2024 16:59:24 +0100 Subject: [PATCH] Add Docker workflow for building and pushing ckan-docker image from master push --- .github/workflows/docker-master.yml | 76 +++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 .github/workflows/docker-master.yml diff --git a/.github/workflows/docker-master.yml b/.github/workflows/docker-master.yml new file mode 100644 index 0000000..b113aac --- /dev/null +++ b/.github/workflows/docker-master.yml @@ -0,0 +1,76 @@ +name: Build and push ckan-docker image from master push + +on: + push: + branches: + - master + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + CONTEXT: . + DOCKERFILE_PATH: /ckan + DOCKERFILE: Dockerfile + +jobs: + docker: + name: runner/build-docker-push:master + runs-on: ubuntu-latest + + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Check out code + uses: actions/checkout@v4 + + - name: Get highest ckan branch excluding -dev + id: getbranch + run: echo "::set-output name=VERSION::$(git branch | grep '^ckan-[0-9]*\.[0-9]*\.[0-9]*[^-dev]$' | sort -V | tail -n 1)" + + - name: Login to registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + labels: | + org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/master/README.md + org.opencontainers.image.version=${{ steps.getbranch.outputs.VERSION }} + + - name: Build and push + uses: docker/build-push-action@v5 + with: + push: true + tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.getbranch.outputs.VERSION }} + labels: ${{ steps.meta.outputs.labels }} + context: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }} + file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + + - name: Linting Dockerfile with hadolint in GH Actions + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + no-fail: true + + - name: Run Trivy container image vulnerability scanner + uses: aquasecurity/trivy-action@0.18.0 + with: + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.getbranch.outputs.VERSION }} + format: sarif + output: trivy-results.sarif + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + sarif_file: trivy-results.sarif \ No newline at end of file