From a41258ef592fced94c5f1d3c90db816faa280c7c Mon Sep 17 00:00:00 2001
From: na2na-p
Date: Mon, 27 Nov 2023 19:07:11 +0900
Subject: [PATCH 1/4] =?UTF-8?q?=E3=82=A2=E3=83=97=E3=83=AA=E3=82=B1?= =?UTF-8?q?=E3=83=BC=E3=82=B7=E3=83=A7=E3=83=B3=E3=81=AEDocker=20image?= =?UTF-8?q?=E3=81=AE=E7=9B=A3=E8=A6=96=E3=82=82=E3=81=99=E3=82=8B=E3=82=88?= =?UTF-8?q?=E3=81=86=E3=81=AB=E3=81=99=E3=82=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.github/workflows/cd-for-main.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/cd-for-main.yml b/.github/workflows/cd-for-main.yml
index ea82b833..11282739 100644
--- a/.github/workflows/cd-for-main.yml
+++ b/.github/workflows/cd-for-main.yml
@@ -27,10 +27,12 @@ jobs:
 echo "JETDISC_VERSION=$(cat package.json | jq -r '.version')" >> $GITHUB_ENV
 - name: Check Docker Hub
 id: check_docker_hub
+ # NOTE: 実験用にすでに存在しててもOUTPUT吐き出す
 run: |
 DOCKER_HUB_TAGS=$(curl -s ${{ env.DOCKER_TAG_API_URI }} | jq -r '.results[] | .name')
 if echo "$DOCKER_HUB_TAGS" | grep -q "^$JETDISC_VERSION$"; then
 echo "Tag $JETDISC_VERSION already exists on Docker Hub."
+ echo "JETDISC_VERSION=$JETDISC_VERSION" >> $GITHUB_OUTPUT
 else
 echo "Tag $JETDISC_VERSION does not exist on Docker Hub."
 echo "tag_exists=false" >> $GITHUB_OUTPUT
@@ -48,7 +50,7 @@ jobs:
 Build-and-Push-to-Docker-Hub:
 needs:
 - Prepare
- if: ${{ needs.Prepare.outputs.tag_exists == 'false' }}
+ # if: ${{ needs.Prepare.outputs.tag_exists == 'false' }}
 with:
 JETDISC_VERSION: ${{ needs.Prepare.outputs.JETDISC_VERSION }}
 IMAGE_REPOSITORY: na2na
From b2c1cbdcaa52e623feb2e46ba117eb57428d38fe Mon Sep 17 00:00:00 2001
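Review bot: Commenting out the `if:` on Build-and-Push-to-Docker-Hub (second hunk) removes the only guard against re-pushing to a version tag that already exists on Docker Hub, so every run on main now overwrites the published `JETDISC_VERSION` tag and anyone pinned to it silently receives a different image. If the goal is just to have the version available as an output, add `echo "tag_exists=true" >> $GITHUB_OUTPUT` next to the new `JETDISC_VERSION` line in the then-branch of the first hunk and leave the `if:` in place. The check also treats a failed API call as "tag absent": `curl -s` without `-f` yields an empty list on a non-2xx response, so `curl -sf` (the default shell already has `-eo pipefail`) makes the step fail instead of claiming the tag does not exist. The new NOTE is in Japanese and describes this as an experiment; if it is temporary, an English marker such as `# TEMP: experiment - emit JETDISC_VERSION even when the tag already exists` makes that visible to other maintainers. Both hunks sit inside the Prepare and Build-and-Push jobs, whose definitions begin and end outside them.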
From: na2na-p
Date: Tue, 28 Nov 2023 21:10:25 +0900
Subject: [PATCH 2/4] =?UTF-8?q?CI=E7=94=A8=E3=82=A4=E3=83=A1=E3=83=BC?= =?UTF-8?q?=E3=82=B8=E3=83=93=E3=83=AB=E3=83=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../actions/prepare-docker-image/action.yml | 48 +++++++++++++++
.github/workflows/cd-for-pr.yml | 4 ++
.github/workflows/image-build.yml | 59 +++++++++++++++++++
3 files changed, 111 insertions(+)
create mode 100644 .github/actions/prepare-docker-image/action.yml
create mode 100644 .github/workflows/image-build.yml
diff --git a/.github/actions/prepare-docker-image/action.yml b/.github/actions/prepare-docker-image/action.yml
new file mode 100644
index 00000000..f9a316cf
--- /dev/null
+++ b/.github/actions/prepare-docker-image/action.yml
@@ -0,0 +1,48 @@
+name: Prepare Docker Image
+description: Prepare Docker Image for CI
+inputs:
+ docker_image_tag_ci:
+ description: Docker Image Tag for CI
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - uses: actions/checkout@v4
+ - name: Prepare for ci
+ shell: bash
+ id: prepare-for-ci
+ run: |
+ echo "WWWUSER=$(id -u)" >> $GITHUB_ENV
+ echo "WWWUSER=$(id -u)" >> $GITHUB_OUTPUT
+ echo "WWWGROUP=$(id -g)" >> $GITHUB_ENV
+ echo "WWWGROUP=$(id -g)" >> $GITHUB_OUTPUT
+ - name: Cache Docker Registry
+ uses: actions/cache@v3
+ with:
+ path: /tmp/docker-registry
+ key: docker-registry-${{ github.ref }}-${{ github.sha }}
+ restore-keys: |
+ docker-registry-${{ github.ref }}
+ docker-registry-
+ - name: Boot-up Local Docker Registry
+ shell: bash
+ run: docker run -d -p 5000:5000 --restart=always --name registry -v /tmp/docker-registry:/var/lib/registry registry:2
+ - name: Wait for Docker Registry
+ shell: bash
+ run: npx wait-on tcp:5000
+ - name: Get Docker Image Tag
+ shell: bash
+ env:
+ TAG: ${{ inputs.docker_image_tag_ci }}
+ run: |
+ echo "DOCKER_IMAGE_TAG_CI=$TAG" >> $GITHUB_ENV
+ echo TAG $TAG
+ - name: Docker Compose Pull
+ shell: bash
+ run: |
+ docker pull localhost:5000/jetdisc-ci:${{ inputs.docker_image_tag_ci }}
+ # - name: List docker images in registry
+ # shell: bash
+ # run: |
+ # curl -X GET http://localhost:5000/v2/_catalog
diff --git a/.github/workflows/cd-for-pr.yml b/.github/workflows/cd-for-pr.yml
index 9f416abc..089eed0f 100644
--- a/.github/workflows/cd-for-pr.yml
+++ b/.github/workflows/cd-for-pr.yml
@@ -44,3 +44,7 @@ jobs:
 uses: ./.github/workflows/ci.yml
 secrets: inherit
 needs: prepare
+ image-build-for-ci:
+ uses: ./.github/workflows/image-build.yml
+ secrets: inherit
+ needs: prepare
diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml
new file mode 100644
index 00000000..41f38c68
--- /dev/null
+++ b/.github/workflows/image-build.yml
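Review bot: The `Docker Compose Pull` step expands `${{ inputs.docker_image_tag_ci }}` straight into the `run:` script, whereas the step just before it already exported the same input through `env:` as `DOCKER_IMAGE_TAG_CI`; expression text spliced into a shell line is a script-injection vector if the input is ever fed from a less trusted source, so use the variable instead: `docker pull "localhost:5000/jetdisc-ci:$DOCKER_IMAGE_TAG_CI"`. Unless `wait-on` is in the project's lockfile, `npx wait-on tcp:5000` downloads whatever version npm serves at run time, and `registry:2` is a floating tag, so neither the wait helper nor the registry the CI image passes through is reproducible; pinning `wait-on@<version>` and the registry image by digest closes that. The step name says Compose but the command is a plain `docker pull`, so `Pull CI image from local registry` would describe it better. The commented-out catalog step at the end is dead text; either remove it or add a one-line comment saying it is kept as a debugging aid.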
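Review bot: `secrets: inherit` on the new `image-build-for-ci` job exposes every repository and organisation secret to `image-build.yml`, which (per its hunk in this patch) declares no `secrets:` under `workflow_call` and only builds an image and pushes it to a registry on localhost. Dropping the line keeps the build job at least privilege; if some secret is needed later, declare it in the callee and pass it explicitly. The same applies to the `image-scan` job added to this file in PATCH 3/4, whose callee even declares `secrets: {}`. The `jobs:` mapping these entries belong to begins outside the hunk.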
@@ -0,0 +1,59 @@
+name: Image build
+on:
+ workflow_call:
+ outputs:
+ docker_image_tag_ci:
+ description: Docker image tag for CI
+ value: ${{ jobs.image-build.outputs.docker_image_tag_ci }}
+ workflow_dispatch:
+
+jobs:
+ image-build:
+ runs-on:
+ - ubuntu-latest
+ outputs:
+ docker_image_tag_ci: ${{ steps.generate_docker_image_tag.outputs.docker_image_tag_ci }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Cache Docker Build Cache
+ uses: actions/cache@v3
+ with:
+ path: /tmp/.buildx-cache
+ key: docker-build-cache-${{ github.ref }}-${{ github.sha }}
+ restore-keys: |
+ docker-build-cache-${{ github.ref }}
+ docker-build-cache-
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ driver-opts: network=host
+ - name: Generate Docker Image Tag
+ id: generate_docker_image_tag
+ run: |
+ SHA=${{ github.sha }}
+ TAG=$(TZ=UTC-9 date '+%Y%m')-${SHA:0:7}
+ echo "DOCKER_IMAGE_TAG_CI=$TAG" >> $GITHUB_ENV
+ echo TAG $TAG
+ echo "docker_image_tag_ci=$TAG" >> $GITHUB_OUTPUT
+ - name: Cache Docker Registry
+ uses: actions/cache@v3
+ with:
+ path: /tmp/docker-registry
+ key: docker-registry-${{ github.ref }}-${{ github.sha }}
+ restore-keys: |
+ docker-registry-${{ github.ref }}
+ docker-registry-
+ - name: Boot-up Local Docker Registry
+ run: docker run -d -p 5000:5000 --restart=always --name registry -v /tmp/docker-registry:/var/lib/registry registry:2
+ - name: Wait for Docker Registry
+ run: npx wait-on tcp:5000
+ - name: Build Docker Image
+ run: |
+ docker buildx bake \
+ -f 'infra/docker/image-bake.hcl' \
+ --builder="${{ steps.buildx.outputs.name }}" \
+ --set='app.tags=localhost:5000/jetdisc-ci:${{ steps.generate_docker_image_tag.outputs.docker_image_tag_ci }}' \
+ --set='app.platform=linux/amd64' \
+ --push
From 58ebf707ff8d1f92be1c5d7fe2a3816519560ae5 Mon Sep 17 00:00:00 2001
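Review bot: The `Cache Docker Build Cache` step saves and restores `/tmp/.buildx-cache`, but the `Build Docker Image` step never refers to that path — the bake call overrides only `app.tags` and `app.platform` — so the step is a no-op unless `infra/docker/image-bake.hcl` (not in this patch) points `cache-from`/`cache-to` at it. Either wire it in with `--set='app.cache-from=type=local,src=/tmp/.buildx-cache'` and `--set='app.cache-to=type=local,dest=/tmp/.buildx-cache,mode=max'`, or remove the step and its cache keys. `TZ=UTC-9` is POSIX offset notation meaning nine hours east of UTC (JST), which reads like UTC minus nine to most people; a comment such as `# POSIX TZ: "UTC-9" is UTC+09:00 (JST); tag is <yyyymm>-<short sha>` keeps someone from "fixing" it. `actions/checkout@v4`, `actions/cache@v3` and `docker/setup-buildx-action@v3` are pinned to mutable major tags; for the job that produces the image later jobs scan and run, pinning to full commit SHAs (tag in a trailing comment) makes the toolchain reproducible.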
From: na2na-p
Date: Tue, 28 Nov 2023 21:23:36 +0900
Subject: [PATCH 3/4] =?UTF-8?q?=E3=82=A4=E3=83=A1=E3=83=BC=E3=82=B8?= =?UTF-8?q?=E3=82=B9=E3=82=AD=E3=83=A3=E3=83=B3=E3=81=99=E3=82=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.github/workflows/cd-for-pr.yml | 6 ++++++
.github/workflows/image-scan.yml | 31 +++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+)
create mode 100644 .github/workflows/image-scan.yml
diff --git a/.github/workflows/cd-for-pr.yml b/.github/workflows/cd-for-pr.yml
index 089eed0f..7a8453e6 100644
--- a/.github/workflows/cd-for-pr.yml
+++ b/.github/workflows/cd-for-pr.yml
@@ -48,3 +48,9 @@ jobs:
 uses: ./.github/workflows/image-build.yml
 secrets: inherit
 needs: prepare
+ image-scan:
+ uses: ./.github/workflows/image-scan.yml
+ secrets: inherit
+ needs: image-build-for-ci
+ with:
+ docker_image_tag_ci: ${{ needs.image-build-for-ci.outputs.docker_image_tag_ci }}
diff --git a/.github/workflows/image-scan.yml b/.github/workflows/image-scan.yml
new file mode 100644
index 00000000..a8c9309f
--- /dev/null
+++ b/.github/workflows/image-scan.yml
@@ -0,0 +1,31 @@
+name: Image Scan
+on:
+ workflow_call:
+ inputs:
+ docker_image_tag_ci:
+ required: true
+ type: string
+ secrets: {}
+
+env:
+ COMPOSE_FILE: compose.ci.yml
+
+jobs:
+ build:
+ name: Image Scan
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+ - name: Prepare Docker Image
+ uses: ./.github/actions/prepare-docker-image
+ with:
+ docker_image_tag_ci: ${{ inputs.DOCKER_IMAGE_TAG_CI }}
+ - name: Container Scan
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "localhost:5000/jetdisc-ci:${{ inputs.DOCKER_IMAGE_TAG_CI }}"
+ format: "table"
+ exit-code: "1"
+ ignore-unfixed: true
+ vuln-type: "os,library"
+ severity: "CRITICAL,HIGH"
From 0847672f2b622f0d90bfaa92a9bee0e73852c52d Mon Sep 17 00:00:00 2001
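Review bot: `aquasecurity/trivy-action@master` pins the scanner that gates the PR on CRITICAL/HIGH findings to a mutable branch, so a broken or compromised `master` runs with the repository checkout and the job's `GITHUB_TOKEN`, and scan results are not reproducible from one run to the next; pin it to a release tag or, better, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # <release-tag>`. `${{ inputs.DOCKER_IMAGE_TAG_CI }}` (used twice) does not match the declared input `docker_image_tag_ci`; property lookup in expressions should be case-insensitive so it likely resolves, but the declared spelling avoids a reader assuming a second input exists. `env: COMPOSE_FILE: compose.ci.yml` is not read by anything visible in this workflow or in the composite action it calls, so it looks like a leftover. `secrets: {}` is the right declaration for a scan job; note that the caller in cd-for-pr.yml still passes `secrets: inherit`.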
From: na2na-p
Date: Fri, 8 Dec 2023 21:44:42 +0900
Subject: [PATCH 4/4] =?UTF-8?q?Prepare=E5=BE=85=E3=81=A4=E5=BF=85=E8=A6=81?= =?UTF-8?q?=E3=81=AA=E3=81=84=E3=81=AE=E3=81=A7=E3=82=84=E3=82=81=E3=82=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.github/workflows/cd-for-pr.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/cd-for-pr.yml b/.github/workflows/cd-for-pr.yml
index 7a8453e6..fac0ba43 100644
--- a/.github/workflows/cd-for-pr.yml
+++ b/.github/workflows/cd-for-pr.yml
@@ -47,7 +47,6 @@ jobs:
 image-build-for-ci:
 uses: ./.github/workflows/image-build.yml
 secrets: inherit
- needs: prepare
 image-scan:
 uses: ./.github/workflows/image-scan.yml
 secrets: inherit