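# Continuous-delivery pipeline: builds the PostgreSQL container images for
# every entry of a generated matrix, scans each image with Dockle before
# anything leaves the runner, then pushes to quay.io and ghcr.io (staging
# repository always, release repository only for the main branch).
name: Continuous Delivery
on:
  push:
    branches:
      - main
  workflow_dispatch:

env:
  # Repository names without the registry host; the host prefix is added
  # when the tag list is assembled in the "Docker meta" step.
  IMAGE_STAGING: enterprisedb/postgresql-testing
  IMAGE_RELEASE: enterprisedb/postgresql

# NOTE(review): third-party actions below are referenced by mutable major
# tags (@v1/@v2/@v3). Pinning each `uses:` to a full commit SHA narrows the
# supply-chain exposure of a workflow that holds registry push credentials.
jobs:
  generate-jobs:
    name: Generate Jobs
    # NOTE(review): GitHub has retired the ubuntu-20.04 hosted runner image;
    # move the three `runs-on` entries to a supported image.
    runs-on: ubuntu-20.04
    # Least privilege: this job only needs to read the repository.
    permissions:
      contents: read
    outputs:
      # JSON strategy document consumed by the build job's matrix.
      strategy: ${{ steps.generate-jobs.outputs.strategy }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3
      - name: Generate Jobs
        id: generate-jobs
        shell: bash
        run: |
          bash .github/generate-strategy.sh

  build:
    needs: generate-jobs
    strategy: ${{ fromJson(needs.generate-jobs.outputs.strategy) }}
    name: ${{ matrix.name }}
    runs-on: ubuntu-20.04
    # packages: write is required to push to ghcr.io with GITHUB_TOKEN.
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      # Assemble the comma-separated list of fully qualified image references
      # for this matrix entry and export it as TAGS for the build steps.
      - name: Docker meta
        env:
          TAGS: ${{ toJson(matrix.tags) }}
        run: |
          RESULT=""
          for tag in $(jq -r '.[]' <<< "${TAGS}")
          do
            RESULT="${RESULT},quay.io/${IMAGE_STAGING}:${tag},ghcr.io/${IMAGE_STAGING}:${tag}"
            # If we are running the pipeline in the main branch images are pushed in both -testing and PROD repo
            if [ "${GITHUB_REF#refs/heads/}" == main ]
            then
              RESULT="${RESULT},quay.io/${IMAGE_RELEASE}:${tag},ghcr.io/${IMAGE_RELEASE}:${tag}"
            fi
          done
          # Every iteration prepends a comma, so the separator to drop is the
          # LEADING one ("#", not "%"): the previous form exported an empty
          # first list entry that downstream actions only tolerated by chance.
          echo "TAGS=${RESULT#,}" >> "$GITHUB_ENV"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to quay.io
        uses: docker/login-action@v2
        with:
          registry: quay.io/enterprisedb
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_TOKEN }}
      - name: Log in to the GitHub Container registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # First build: not pushed, loaded into the local daemon so the image
      # can be scanned before it is published anywhere.
      - name: Build and load
        uses: docker/build-push-action@v3
        with:
          context: ${{ matrix.dir }}
          file: ${{ matrix.file }}
          # BuildKit secrets are mounted only during the build; they must not
          # be passed as build-args, which end up in image metadata.
          secrets: |
            "cs_script=${{ secrets.CS_SCRIPT }}"
            "subscription=${{ secrets.SUBSCRIPTION }}"
          push: false
          load: true
          tags: ${{ env.TAGS }}
          build-args: |
            SUBSCRIPTION_NAME=docker-postgresql-cicd-${{ github.run_number }}
      # Gate the push on the scan: the job fails on any finding at WARN or
      # above. accept-keywords/accept-filenames are the allow-list for the
      # secret-file checks; review every addition to it rather than widening
      # it to make a failing build pass.
      - name: Dockle scan
        uses: erzz/dockle-action@v1
        env:
          DOCKLE_IGNORES: CIS-DI-0009
        with:
          image: "quay.io/${{ env.IMAGE_STAGING }}:${{ matrix.tags[0] }}"
          exit-code: '1'
          failure-threshold: WARN
          accept-keywords: key
          accept-filenames: usr/share/cmake/Templates/Windows/Windows_TemporaryKey.pfx,etc/trusted-key.key,usr/share/doc/perl-IO-Socket-SSL/certs/server_enc.p12,usr/share/doc/perl-IO-Socket-SSL/certs/server.p12,usr/local/lib/python3.8/site-packages/azure/core/settings.py,usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,usr/local/lib/python3.7/dist-packages/azure/core/settings.py,etc/ssl/private/ssl-cert-snakeoil.key
      # Second build: multi-platform and pushed. Images built from anything
      # other than main carry a quay.expires-after label so they are
      # short-lived on quay.io.
      - name: Build and push
        uses: docker/build-push-action@v3
        with:
          context: ${{ matrix.dir }}
          file: ${{ matrix.file }}
          secrets: |
            "cs_script=${{ secrets.CS_SCRIPT }}"
            "subscription=${{ secrets.SUBSCRIPTION }}"
          # Available architecture on UBI8 are: linux/amd64, linux/s390x, linux/ppc64le, linux/arm64
          platforms: ${{ matrix.platforms }}
          push: true
          tags: ${{ env.TAGS }}
          labels: ${{ github.ref != 'refs/heads/main' && 'quay.expires-after=7d' || '' }}
          build-args: |
            SUBSCRIPTION_NAME=docker-postgresql-cicd-${{ github.run_number }}
      # Failure notification for this matrix entry.
      - name: Slack Notification
        uses: rtCamp/action-slack-notify@v2
        if: ${{ failure() }}
        env:
          SLACK_COLOR: ${{ job.status }}
          SLACK_ICON: https://avatars.githubusercontent.com/u/44036562?size=48
          SLACK_USERNAME: ghBot
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

  # Send a notification if new public images are released
  notify:
    needs: build
    name: Notify update on Slack
    runs-on: ubuntu-20.04
    # This job touches neither the repository nor any registry; give the
    # job token no permissions at all instead of the repository default.
    permissions: {}
    steps:
      - name: Slack Notification
        uses: rtCamp/action-slack-notify@v2
        # Only images built from the main branch go public, and we limit the
        # amount of notifications to those.
        if: ${{ github.ref == 'refs/heads/main' }}
        env:
          SLACK_ICON: https://avatars.githubusercontent.com/u/44036562?size=48
          SLACK_USERNAME: ghBot
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
          SLACK_MESSAGE: New PostgreSQL images pushed on Quay.io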