Update actions

- Add PR build & test - Add PR closed build & push ckan-docker image
2023-09-27 16:52:39 +02:00 · 2023-09-27 16:52:39 +02:00 · 553601c570
parent 66e231b343
commit 553601c570
6 changed files with 196 additions and 5 deletions
--- a/.github/workflows/build-master.yml
+++ b/.github/workflows/build-master.yml
--- a/.github/workflows/build-tags.yml
+++ b/.github/workflows/build-tags.yml
--- a/.github/workflows/docker-master.yml
+++ b/.github/workflows/docker-master.yml
@ -20,17 +20,17 @@ jobs:
    steps:
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
      -
        name: Login to registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@ -43,7 +43,7 @@ jobs:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      -
        name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
        with:
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
--- a/.github/workflows/docker-tags.yml
+++ b/.github/workflows/docker-tags.yml
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@ -0,0 +1,78 @@
+name: Build and push ckan-docker image from PR Merge
+
+on:
+  pull_request:
+    types:
+        - closed
+    branches:
+        - main
+        - 'ckan-*.*.*'
+        - '!dev/ckan-*.*.*'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  TAG: ghcr.io/${{ github.repository }}:${{ github.head_ref }}
+  CONTEXT: .
+  BRANCH: ${{ github.head_ref }}
+  DOCKERFILE_PATH: /ckan
+  DOCKERFILE: Dockerfile
+
+jobs:
+  docker:
+    name: runner/build-docker-push:${{ github.head_ref }}
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.merged == true
+
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
+            org.opencontainers.image.version=${{ env.BRANCH }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          tags: ${{ env.TAG }}
+          labels: ${{ steps.meta.outputs.labels }}
+          context: ${{ env.CONTEXT }}
+          file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+
+      - name: Linting Dockerfile with hadolint in GH Actions
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+
+      - name: Run Trivy container image vulnerability scanner
+        uses: aquasecurity/trivy-action@0.12.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
+          format: sarif
+          output: trivy-results.sarif
+  
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
--- a/.github/workflows/docker-pr.yml
+++ b/.github/workflows/docker-pr.yml
@ -0,0 +1,113 @@
+name: Test ckan-docker images (PR)
+
+on:
+  pull_request:
+    branches:
+        - main
+        - 'ckan-*.*.*'
+        - '!dev/ckan-*.*.*'
+
+env:
+    REGISTRY: ghcr.io
+    IMAGE_NAME: ${{ github.repository }}
+    CONTEXT: .
+    BRANCH: ${{ github.head_ref }}
+    DOCKERFILE_PATH: /ckan
+    DOCKERFILE: Dockerfile
+    HADOLINT_VERSION: 2.12.0
+
+jobs:
+  docker:
+    name: runner/test-docker-pr:${{ github.head_ref }}
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      -  name: NGINX build
+         uses: docker/build-push-action@v5
+         with:
+            context: ./nginx
+            file: ./nginx/Dockerfile
+            push: false
+            tags: mjanez/ckan-docker-nginx:test-build-only
+
+      -  name: Apache HTTP Server build
+         uses: docker/build-push-action@v5
+         with:
+            context: ./apache
+            file: ./apache/Dockerfile
+            push: false
+            tags: mjanez/ckan-docker-apache:test-build-only
+
+      -  name: PostgreSQL build
+         uses: docker/build-push-action@v5
+         with:
+              context: ./postgresql
+              file: ./postgresql/Dockerfile
+              push: false
+              tags: mjanez/ckan-docker-postgresql:test-build-only
+
+      -  name: Solr build
+         uses: docker/build-push-action@v5
+         with:
+              context: ./solr
+              file: ./solr/Dockerfile
+              push: false
+              tags: mjanez/ckan-docker-solr:test-build-only
+
+      -  name: ckan-pycsw build
+         uses: docker/build-push-action@v4
+         with:
+              context: ./ckan-pycsw
+              file: ./ckan-pycsw/Dockerfile
+              push: false
+              tags: mjanez/ckan-docker-pycsw:test-build-only
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
+            org.opencontainers.image.version=${{ env.BRANCH }}
+
+      - name: Build to test
+        uses: docker/build-push-action@v5
+        id: docker-push
+        with:
+            push: false
+            tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
+            labels: ${{ steps.meta.outputs.labels }}
+            context: ${{ env.CONTEXT }}
+            file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+
+      - name: Linting Dockerfile and annotate code inline in the github PR viewer
+        id: hadolint
+        uses: jbergstroem/hadolint-gh-action@v1.11.0
+        with:
+          dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+          version: ${{ env.HADOLINT_VERSION }}
+          annotate: true
+          error_level: -1
+
+      - name: Run Trivy container image vulnerability scanner
+        uses: aquasecurity/trivy-action@0.12.0
+        with:
+          image-ref:  ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
+          format: sarif
+          output: trivy-results.sarif
+  
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif