Skip to content

Merge pull request #84 from digitalghost-dev/0.9.1 #28

Merge pull request #84 from digitalghost-dev/0.9.1

Merge pull request #84 from digitalghost-dev/0.9.1 #28

Workflow file for this run

name: Docker Image CI
on:
workflow_dispatch:
inputs:
logLevel:
description: 'Log level'
required: true
default: 'warning'
type: choice
options:
- info
push:
paths-ignore:
- 'README.md'
- '.github/**'
- '.dockerignore'
- '.gitignore'
- 'demo**'
- 'go.mod'
- 'go.sum'
- '.goreleaser.yaml'
branches:
- main
env:
VERSION_NUMBER: 'v0.9.1'
DOCKERHUB_REGISTRY_NAME: 'digitalghostdev/poke-cli'
AWS_REGION: 'us-west-2'
jobs:
gosec:
runs-on: ubuntu-22.04
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Gosec Security Scanner
uses: securego/gosec@master
with:
args: '-no-fail -fmt sarif -out results.sarif ./...'
- name: Upload SARIF Report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
build-docker-image:
runs-on: ubuntu-22.04
needs: [gosec]
if: needs.gosec.result == 'success'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: 'docker/[email protected]'
- name: Prepare Docker Build Context
run: |
mkdir docker-context
rsync -av --exclude=docker-context . docker-context/
- name: Build and Export
uses: 'docker/[email protected]'
with:
context: ./docker-context
tags: poke-cli:${{ env.VERSION_NUMBER }}
outputs: type=docker,dest=/tmp/poke-cli.tar
- name: Upload Artifact
uses: actions/upload-artifact@v4
with:
name: poke-cli
path: /tmp/poke-cli.tar
# Uploading to Elastic Container Registry has a backup method.
upload-to-ecr:
runs-on: ubuntu-22.04
needs: [build-docker-image]
if: needs.build-docker-image.result == 'success'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Configure AWS
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Build, tag, and push image to Amazon ECR
run : |
docker build -t poke-cli:${{ env.VERSION_NUMBER }} .
docker tag poke-cli:${{ env.VERSION_NUMBER }} ${{ secrets.AWS_ECR_NAME }}:${{ env.VERSION_NUMBER }}
docker push ${{ secrets.AWS_ECR_NAME }}:${{ env.VERSION_NUMBER }}
syft:
permissions:
contents: 'read'
id-token: 'write'
runs-on: ubuntu-22.04
needs: [build-docker-image]
if: needs.build-docker-image.result == 'success'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: 'docker/[email protected]'
- name: Download Artifact
uses: actions/download-artifact@v4
with:
name: poke-cli
path: /tmp
- name: Load Image
run: |
docker load --input /tmp/poke-cli.tar
docker image ls -a
- name: Create and Upload SBOM
uses: anchore/sbom-action@v0
with:
image: poke-cli:${{ env.VERSION_NUMBER }}
format: spdx-json
artifact-name: poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
output-file: /tmp/poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
upload-artifact: true
grype:
permissions:
actions: read
contents: read
security-events: write
runs-on: ubuntu-22.04
needs: [syft]
if: needs.syft.result == 'success'
steps:
- name: Download SBOM
uses: actions/download-artifact@v4
with:
name: poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
path: /tmp
- name: Scan SBOM
uses: anchore/scan-action@v5
id: scan
with:
sbom: /tmp/poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
fail-build: false
output-format: sarif
severity-cutoff: critical
- name: Upload SARIF Report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
architecture-build:
runs-on: ubuntu-22.04
needs: [gosec]
if: needs.gosec.result == 'success'
strategy:
fail-fast: false
matrix:
platform: [linux/amd64, linux/arm64]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Docker Meta
id: meta
uses: 'docker/[email protected]'
with:
images: ${{ env.DOCKERHUB_REGISTRY_NAME }}
- name: Set up QEMU
uses: 'docker/setup-qemu-action@v3'
- name: Set up Docker Buildx
uses: 'docker/[email protected]'
- name: Login to Docker Hub
uses: 'docker/login-action@v3'
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and Push by Digest
id: build
uses: 'docker/[email protected]'
with:
context: .
platforms: ${{ matrix.platform }}
labels: ${{ steps.meta.outputs.labels }}
outputs: type=image,name=${{ env.DOCKERHUB_REGISTRY_NAME }},push-by-digest=true,name-canonical=true,push=true
- name: Export Digest
run: |
mkdir -p /tmp/digests
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload Digest for AMD64
if: matrix.platform == 'linux/amd64'
uses: actions/upload-artifact@v4
with:
name: digests-amd64
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
- name: Upload Digest for ARM64
if: matrix.platform == 'linux/arm64'
uses: actions/upload-artifact@v4
with:
name: digests-arm64
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
create-manifest-and-push:
runs-on: ubuntu-22.04
needs: [architecture-build]
steps:
- name: Download Digests
uses: actions/download-artifact@v4
with:
pattern: digests-*
path: /tmp/digests
merge-multiple: true
- name: Set up Docker Buildx
uses: 'docker/[email protected]'
- name: Docker meta
id: meta
uses: 'docker/[email protected]'
with:
images: ${{ env.DOCKERHUB_REGISTRY_NAME }}
tags: ${{ env.VERSION_NUMBER }}
- name: Login to Docker Hub
uses: 'docker/login-action@v3'
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Create Manifest List and Push
working-directory: /tmp/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.DOCKERHUB_REGISTRY_NAME }}@sha256:%s ' *)
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.DOCKERHUB_REGISTRY_NAME }}:${{ steps.meta.outputs.version }}