From 553601c570a6ce5d777d3846e8924c54966b495d Mon Sep 17 00:00:00 2001
From: mjanez <96422458+mjanez@users.noreply.github.com>
Date: Wed, 27 Sep 2023 16:52:39 +0200
Subject: [PATCH] Update actions
- Add PR build & test
- Add PR closed build & push ckan-docker image
---
 .github/{workflows => .old}/build-master.yml | 0
 .github/{workflows => .old}/build-tags.yml | 0
 .github/{workflows => .old}/docker-master.yml | 10 +-
 .github/{workflows => .old}/docker-tags.yml | 0
 .github/workflows/docker-build.yml | 78 ++++++++++++
 .github/workflows/docker-pr.yml | 113 ++++++++++++++++++
 6 files changed, 196 insertions(+), 5 deletions(-)
 rename .github/{workflows => .old}/build-master.yml (100%)
 rename .github/{workflows => .old}/build-tags.yml (100%)
 rename .github/{workflows => .old}/docker-master.yml (82%)
 rename .github/{workflows => .old}/docker-tags.yml (100%)
 create mode 100644 .github/workflows/docker-build.yml
 create mode 100644 .github/workflows/docker-pr.yml
diff --git a/.github/workflows/build-master.yml b/.github/.old/build-master.yml
similarity index 100%
rename from .github/workflows/build-master.yml
rename to .github/.old/build-master.yml
diff --git a/.github/workflows/build-tags.yml b/.github/.old/build-tags.yml
similarity index 100%
rename from .github/workflows/build-tags.yml
rename to .github/.old/build-tags.yml
diff --git a/.github/workflows/docker-master.yml b/.github/.old/docker-master.yml
similarity index 82%
rename from .github/workflows/docker-master.yml
rename to .github/.old/docker-master.yml
index 6fa27c8..826cb67 100644
--- a/.github/workflows/docker-master.yml
+++ b/.github/.old/docker-master.yml
@@ -20,17 +20,17 @@ jobs:
 steps:
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@v3
 - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 - name: Login to registry
 if: github.event_name != 'pull_request'
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -43,7 +43,7 @@ jobs:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 - name: Build and push
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v5
 with:
 push: ${{ github.event_name != 'pull_request' }}
 tags: ${{ steps.meta.outputs.tags }}
diff --git a/.github/workflows/docker-tags.yml b/.github/.old/docker-tags.yml
similarity index 100%
rename from .github/workflows/docker-tags.yml
rename to .github/.old/docker-tags.yml
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
new file mode 100644
index 0000000..555e7e5
--- /dev/null
+++ b/.github/workflows/docker-build.yml
@@ -0,0 +1,78 @@
+name: Build and push ckan-docker image from PR Merge
+
+on:
+ pull_request:
+ types:
+ - closed
+ branches:
+ - main
+ - 'ckan-*.*.*'
+ - '!dev/ckan-*.*.*'
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+ TAG: ghcr.io/${{ github.repository }}:${{ github.head_ref }}
+ CONTEXT: .
+ BRANCH: ${{ github.head_ref }}
+ DOCKERFILE_PATH: /ckan
+ DOCKERFILE: Dockerfile
+
+jobs:
+ docker:
+ name: runner/build-docker-push:${{ github.head_ref }}
+ runs-on: ubuntu-latest
+ if: github.event.pull_request.merged == true
+
+ steps:
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Check out code
+ uses: actions/checkout@v4
+
+ - name: Login to registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ labels: |
+ org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
+ org.opencontainers.image.version=${{ env.BRANCH }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v5
+ with:
+ push: true
+ tags: ${{ env.TAG }}
+ labels: ${{ steps.meta.outputs.labels }}
+ context: ${{ env.CONTEXT }}
+ file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+
+ - name: Linting Dockerfile with hadolint in GH Actions
+ uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+
+ - name: Run Trivy container image vulnerability scanner
+ uses: aquasecurity/trivy-action@0.12.0
+ with:
+ image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
+ format: sarif
+ output: trivy-results.sarif
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: trivy-results.sarif
\ No newline at end of file
diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml
new file mode 100644
index 0000000..ca60c18
--- /dev/null
+++ b/.github/workflows/docker-pr.yml
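Review bot: The `Build and push` step pushes `${{ env.TAG }}` to ghcr.io before the hadolint and Trivy steps run, so their findings cannot stop an image from being published, and the Trivy step sets no `exit-code`, so it never fails the job anyway — the scan is informational only. Building with `push: false` plus `load: true`, scanning the local image, and pushing in a final step (fence below) turns the scan into a gate; that final step should push via the exported environment variable (`docker push "$TAG"`) rather than interpolating `${{ env.TAG }}` into `run:`, because `TAG` is derived from `github.head_ref`, a value contributors choose. The workflow also declares no `permissions:` block although the push needs `packages: write` and `upload-sarif` needs `security-events: write`, so it either fails under a read-only default token or runs with a broadly scoped one; docker-pr.yml has the same omission. Note too that `TAG` and `BRANCH` embed `github.head_ref` verbatim, and a head branch containing `/` yields a tag the registry rejects, in both workflows.
```yaml
# … unchanged: name:, on: …
permissions:
  contents: read
  packages: write         # login-action + final docker push
  security-events: write  # upload-sarif

# … unchanged: env:, jobs.docker header, QEMU/Buildx/checkout/login/metadata steps …

      - name: Build (local only, scanned before push)
        uses: docker/build-push-action@v5
        with:
          push: false
          load: true
          tags: ${{ env.TAG }}
          labels: ${{ steps.meta.outputs.labels }}
          context: ${{ env.CONTEXT }}
          file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}

# … unchanged: hadolint step; Trivy step (add exit-code: '1' so findings fail the job); upload-sarif step …

      - name: Push scanned image
        run: docker push "$TAG"  # TAG is read from the environment, not interpolated into the shell
```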
@@ -0,0 +1,113 @@
+name: Test ckan-docker images (PR)
+
+on:
+ pull_request:
+ branches:
+ - main
+ - 'ckan-*.*.*'
+ - '!dev/ckan-*.*.*'
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+ CONTEXT: .
+ BRANCH: ${{ github.head_ref }}
+ DOCKERFILE_PATH: /ckan
+ DOCKERFILE: Dockerfile
+ HADOLINT_VERSION: 2.12.0
+
+jobs:
+ docker:
+ name: runner/test-docker-pr:${{ github.head_ref }}
+ runs-on: ubuntu-latest
+ if: github.event_name == 'pull_request'
+ steps:
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: NGINX build
+ uses: docker/build-push-action@v5
+ with:
+ context: ./nginx
+ file: ./nginx/Dockerfile
+ push: false
+ tags: mjanez/ckan-docker-nginx:test-build-only
+
+ - name: Apache HTTP Server build
+ uses: docker/build-push-action@v5
+ with:
+ context: ./apache
+ file: ./apache/Dockerfile
+ push: false
+ tags: mjanez/ckan-docker-apache:test-build-only
+
+ - name: PostgreSQL build
+ uses: docker/build-push-action@v5
+ with:
+ context: ./postgresql
+ file: ./postgresql/Dockerfile
+ push: false
+ tags: mjanez/ckan-docker-postgresql:test-build-only
+
+ - name: Solr build
+ uses: docker/build-push-action@v5
+ with:
+ context: ./solr
+ file: ./solr/Dockerfile
+ push: false
+ tags: mjanez/ckan-docker-solr:test-build-only
+
+ - name: ckan-pycsw build
+ uses: docker/build-push-action@v4
+ with:
+ context: ./ckan-pycsw
+ file: ./ckan-pycsw/Dockerfile
+ push: false
+ tags: mjanez/ckan-docker-pycsw:test-build-only
+
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ labels: |
+ org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
+ org.opencontainers.image.version=${{ env.BRANCH }}
+
+ - name: Build to test
+ uses: docker/build-push-action@v5
+ id: docker-push
+ with:
+ push: false
+ tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
+ labels: ${{ steps.meta.outputs.labels }}
+ context: ${{ env.CONTEXT }}
+ file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+
+ - name: Linting Dockerfile and annotate code inline in the github PR viewer
+ id: hadolint
+ uses: jbergstroem/hadolint-gh-action@v1.11.0
+ with:
+ dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+ version: ${{ env.HADOLINT_VERSION }}
+ annotate: true
+ error_level: -1
+
+ - name: Run Trivy container image vulnerability scanner
+ uses: aquasecurity/trivy-action@0.12.0
+ with:
+ image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
+ format: sarif
+ output: trivy-results.sarif
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: trivy-results.sarif
\ No newline at end of file
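Review bot: The `Build to test` step has `push: false` without `load: true`, and after `docker/setup-buildx-action` the build runs in a docker-container builder whose result is not imported into the local Docker daemon, so the Trivy step's `image-ref` `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}` names an image that does not exist locally — Trivy will try to pull it from ghcr.io and either fail or scan a previously pushed image instead of this PR's build. Adding `load: true` under that step's `with:` makes the scanned image the one just built. As written the workflow also cannot fail on security findings: `error_level: -1` tells hadolint never to fail the job (as I read that action's inputs) and the Trivy step sets no `exit-code`, so the PR check only proves the images build. `ckan-pycsw build` pins `docker/build-push-action@v4` while its siblings use `@v5`; aligning it avoids carrying two versions of the same action. Third-party actions such as `jbergstroem/hadolint-gh-action@v1.11.0` and `aquasecurity/trivy-action@0.12.0` are referenced by mutable tags here and in docker-build.yml; pinning them to full commit SHAs (with the version in a trailing comment) protects the workflow against a tag being moved.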