Fix critical vulnerabilities in images (#38) #262
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish artifacts | |
| on: | |
| # Publish artifacts on every push to main and every tag | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - "*" | |
| # Also allow publication to be done via a workflow call | |
| # In this case, the chart version is returned as an output | |
| workflow_call: | |
| outputs: | |
| chart-version: | |
| description: The chart version that was published | |
| value: ${{ jobs.build_push_chart.outputs.chart-version }} | |
| # Variables controlling the dependencies that are baked in to the image | |
| env: | |
| # proxy | |
| NGINX_VERSION: 1.25.3 | |
| GOMPLATE_VERSION: v3.11.5 | |
| # sync | |
| HELM_VERSION: v3.13.2 | |
| jobs: | |
| build_push_images: | |
| name: Build and push images | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - component: client | |
| - component: operator | |
| - component: proxy | |
| - component: registrar | |
| - component: sshd | |
| - component: sync | |
| steps: | |
| - name: Check out the repository | |
| uses: actions/checkout@v3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Calculate metadata for image | |
| id: image-meta | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: ghcr.io/stackhpc/zenith-${{ matrix.component }} | |
| # Produce the branch name or tag and the SHA as tags | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=tag | |
| type=sha,prefix= | |
| - name: Build and push image | |
| uses: stackhpc/github-actions/docker-multiarch-build-push@master | |
| with: | |
| cache-key: ${{ matrix.component }} | |
| context: ./${{ matrix.component }} | |
| platforms: linux/amd64,linux/arm64 | |
| # We can't use env in the matrix definition, so just specify | |
| # the build args for all the builds - they will just go unused | |
| build-args: | | |
| NGINX_VERSION=${{ env.NGINX_VERSION }} | |
| GOMPLATE_VERSION=${{ env.GOMPLATE_VERSION }} | |
| HELM_VERSION=${{ env.HELM_VERSION }} | |
| push: true | |
| tags: ${{ steps.image-meta.outputs.tags }} | |
| labels: ${{ steps.image-meta.outputs.labels }} | |
| # This task mirrors and tags the current latest version of the | |
| # Consul and Helm exporter images, to reduce reliance on Docker Hub | |
| mirror_exporter_images: | |
| name: Mirror exporter images | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out the repository | |
| uses: actions/checkout@v3 | |
| - name: Install skopeo | |
| run: sudo apt-get -y update && sudo apt-get install -y skopeo | |
| - name: Mirror exporter images | |
| run: |- | |
| skopeo sync \ | |
| --src yaml \ | |
| --dest docker \ | |
| --dest-creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} \ | |
| --all \ | |
| skopeo-manifest.yml \ | |
| ghcr.io/stackhpc/zenith | |
| build_push_chart: | |
| name: Build and push Helm chart | |
| runs-on: ubuntu-latest | |
| # Only build and push the chart if the images built successfully | |
| needs: [build_push_images, mirror_exporter_images] | |
| outputs: | |
| chart-version: ${{ steps.semver.outputs.version }} | |
| steps: | |
| - name: Check out the repository | |
| uses: actions/checkout@v3 | |
| with: | |
| # This is important for the semver action to work correctly | |
| # when determining the number of commits since the last tag | |
| fetch-depth: 0 | |
| - name: Get SemVer version for current commit | |
| id: semver | |
| uses: stackhpc/github-actions/semver@master | |
| - name: Publish Helm charts | |
| uses: stackhpc/github-actions/helm-publish@master | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| version: ${{ steps.semver.outputs.version }} | |
| app-version: ${{ steps.semver.outputs.short-sha }} |