From 29be52f58c0f280395f74db2b8778f5afecd8036 Mon Sep 17 00:00:00 2001
From: Alexandru Emil Lupu
Date: Tue, 10 Sep 2024 10:29:33 +0300
Subject: [PATCH] Add image scanner to build process

---
 .github/workflows/build.yml | 55 +++++++++++++++++++++++++++++++++
 .github/workflows/dockerhub.yml | 51 ++++++------------------------
 .github/workflows/test.yml | 15 +++++++++
 3 files changed, 80 insertions(+), 41 deletions(-)
 create mode 100644 .github/workflows/build.yml
 create mode 100644 .github/workflows/test.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..d760cf9
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,55 @@
+on:
+ workflow_call:
+
+jobs:
+ build:
+ name: Build Docker image
+ runs-on: ubuntu-latest
+ env:
+ GENERATOR_IMAGE_NAME: decidim/decidim-generator
+ TEST_IMAGE_NAME: decidim/decidim-test
+ DEV_IMAGE_NAME: decidim/decidim-dev
+ APP_IMAGE_NAME: decidim/decidim
+ TAG: ${{ github.sha }}
+ steps:
+ - name: Fetch Decidim Tag
+ id: decidim-tag
+ uses: oprypin/find-latest-tag@v1
+ with:
+ repository: decidim/decidim
+ releases-only: true
+
+ - name: Set Ruby Version
+ id: ruby-version
+ env:
+ RUBY_VERSION_URL: https://raw.githubusercontent.com/decidim/decidim/${{ steps.decidim-tag.outputs.tag }}/.ruby-version
+ run: |
+ echo ::set-output name=version::$(curl -s $RUBY_VERSION_URL)
+ - name: Set Decidim Version
+ id: decidim-version
+ run: echo ::set-output name=version::$(echo ${{ steps.decidim-tag.outputs.tag }} | cut -c2-)
+
+ - name: Checkout Our Repo
+ uses: actions/checkout@v2
+
+ - name: Build decidim-generator Image
+ env:
+ RUBY_VERSION: ${{ steps.ruby-version.outputs.version }}
+ DECIDIM_VERSION: ${{ steps.decidim-version.outputs.version }}
+ run: |
+ docker build \
+ --build-arg ruby_version=$RUBY_VERSION \
+ --build-arg decidim_version=$DECIDIM_VERSION \
+ --file Dockerfile-generator \
+ -t $GENERATOR_IMAGE_NAME .
+ docker tag $GENERATOR_IMAGE_NAME $GENERATOR_IMAGE_NAME:$TAG
+ docker tag $GENERATOR_IMAGE_NAME ghcr.io/$GENERATOR_IMAGE_NAME:$TAG
+ docker tag $GENERATOR_IMAGE_NAME $GENERATOR_IMAGE_NAME:$DECIDIM_VERSION
+ docker tag $GENERATOR_IMAGE_NAME ghcr.io/$GENERATOR_IMAGE_NAME:$DECIDIM_VERSION
+ -
+ name: Scan for vulnerabilities
+ id: scan
+ uses: crazy-max/ghaction-container-scan@v3
+ with:
+ image: decidim/decidim-generator
+ dockerfile: ./Dockerfile-generator
\ No newline at end of file
diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml
index 0f7b42e..905299e 100644
--- a/.github/workflows/dockerhub.yml
+++ b/.github/workflows/dockerhub.yml
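Review bot: The `Set Ruby Version` and `Set Decidim Version` steps publish their outputs with `::set-output`, a workflow command GitHub has deprecated in favour of appending `name=value` to the `$GITHUB_OUTPUT` file, so `RUBY_VERSION` and `DECIDIM_VERSION` in the build step can silently become empty once that command stops being honoured. In the same two steps `curl -s` has no `--fail`, so an HTTP error page would be captured as the Ruby version, and the tag is spliced into the `run:` script as `${{ steps.decidim-tag.outputs.tag }}` instead of being passed through `env:`, which is the shape to avoid for any value that originates outside the workflow. The scan step at the end of the hunk sets no `severity_threshold`, so as far as the action's documented inputs go it reports findings without failing the job; if the scan is meant to gate the image, set a threshold (the unused `id: scan` can go). Rewriting the two version steps and the scan inputs is more than a few lines, so they are shown below; `actions/checkout@v2` in the same hunk is a long-deprecated Node 12 release and should move to `actions/checkout@v4`.
```yaml
      - name: Set Ruby Version
        id: ruby-version
        env:
          RUBY_VERSION_URL: https://raw.githubusercontent.com/decidim/decidim/${{ steps.decidim-tag.outputs.tag }}/.ruby-version
        run: |
          echo "version=$(curl -fsS "$RUBY_VERSION_URL")" >> "$GITHUB_OUTPUT"
      - name: Set Decidim Version
        id: decidim-version
        env:
          DECIDIM_TAG: ${{ steps.decidim-tag.outputs.tag }}
        run: echo "version=$(echo "$DECIDIM_TAG" | cut -c2-)" >> "$GITHUB_OUTPUT"
      # … unchanged: checkout, docker build and docker tag steps …
      - name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: decidim/decidim-generator
          dockerfile: ./Dockerfile-generator
          severity_threshold: HIGH
```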
@@ -6,13 +6,18 @@ on:
 branches:
 - master
 paths:
- - 'Dockerfile'
- - 'Dockerfile-test'
- - 'Dockerfile-dev'
- - 'Dockerfile-generator'
- - '.github/workflows/dockerhub.yml'
+ - "*"
+ - 'Dockerfile'
+ - 'Dockerfile-test'
+ - 'Dockerfile-dev'
+ - 'Dockerfile-generator'
+ - '.github/workflows/dockerhub.yml'
 jobs:
+ build:
+ uses: ./.github/workflows/build.yml
+ secrets: inherit
+ name: Build image
 build-publish:
 name: Build & Publish Docker Images
 runs-on: ubuntu-latest
@@ -24,42 +29,6 @@ jobs:
 TAG: ${{ github.sha }}
 steps:
- - name: Fetch Decidim Tag
- id: decidim-tag
- uses: oprypin/find-latest-tag@v1
- with:
- repository: decidim/decidim
- releases-only: true
-
- - name: Set Ruby Version
- id: ruby-version
- env:
- RUBY_VERSION_URL: https://raw.githubusercontent.com/decidim/decidim/${{ steps.decidim-tag.outputs.tag }}/.ruby-version
- run: |
- echo ::set-output name=version::$(curl -s $RUBY_VERSION_URL)
-
- - name: Set Decidim Version
- id: decidim-version
- run: echo ::set-output name=version::$(echo ${{ steps.decidim-tag.outputs.tag }} | cut -c2-)
-
- - name: Checkout Our Repo
- uses: actions/checkout@v2
-
- - name: Build decidim-generator Image
- env:
- RUBY_VERSION: ${{ steps.ruby-version.outputs.version }}
- DECIDIM_VERSION: ${{ steps.decidim-version.outputs.version }}
- run: |
- docker build \
- --build-arg ruby_version=$RUBY_VERSION \
- --build-arg decidim_version=$DECIDIM_VERSION \
- --file Dockerfile-generator \
- -t $GENERATOR_IMAGE_NAME .
- docker tag $GENERATOR_IMAGE_NAME $GENERATOR_IMAGE_NAME:$TAG
- docker tag $GENERATOR_IMAGE_NAME ghcr.io/$GENERATOR_IMAGE_NAME:$TAG
- docker tag $GENERATOR_IMAGE_NAME $GENERATOR_IMAGE_NAME:$DECIDIM_VERSION
- docker tag $GENERATOR_IMAGE_NAME ghcr.io/$GENERATOR_IMAGE_NAME:$DECIDIM_VERSION
-
 - name: Publish decidim-generator Image to Docker Hub
 uses: docker/login-action@v1
 with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..f903c4d
--- /dev/null
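Review bot: The new `build` job is added with neither `needs:` nor any hand-off of the image it builds, while the next hunk deletes the fetch/build/tag steps from `build-publish`; each job runs on its own runner, so the publish steps that follow the context line `- name: Publish decidim-generator Image to Docker Hub` (the rest of that job is outside the hunk) appear to be left with no local `decidim/decidim-generator` image to push unless something outside the hunk rebuilds it. At minimum add `needs: build` under `build-publish:` so a failed scan blocks publishing, and either keep a build step in this job or have `build.yml` hand the image over (artifact or registry push). `secrets: inherit` forwards every repository secret to `build.yml`, which in this commit only runs an unauthenticated `curl`, a local `docker build` and a scan, so it can be dropped here. The added path filter `"*"` only matches files at the repository root (`*` does not match `/`), which makes the explicit `Dockerfile*` entries redundant while still ignoring changes in any subdirectory other than the one workflow file listed.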
+++ b/.github/workflows/test.yml
@@ -0,0 +1,15 @@
+name: "Test Current PR"
+on:
+ pull_request:
+ paths:
+ - "*"
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ build:
+ uses: ./.github/workflows/build.yml
+ secrets: inherit
+ name: Build image
\ No newline at end of file
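Review bot: The `build` job call uses `secrets: inherit` and the workflow declares no `permissions:` block, on a `pull_request` trigger; the called `build.yml` needs no secrets (it runs an unauthenticated fetch, a local `docker build` and a scan), so trim this to least privilege by dropping `secrets: inherit` and adding at the top level `permissions:` / `  contents: read`. The `paths:` filter `"*"` matches only files at the repository root, since `*` does not match `/`, so a PR that touches only `.github/workflows/build.yml` or anything else in a subdirectory will not run this check; either drop the filter or use `"**"`. `name: Build image` placed after `uses:`/`secrets:` is valid but reads better as the first key of the job, matching the key order of `build-publish` in dockerhub.yml.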