Skip to content

Merge pull request #227 from OADA/dependabot/github_actions/docker/bu… #764

Merge pull request #227 from OADA/dependabot/github_actions/docker/bu…

Merge pull request #227 from OADA/dependabot/github_actions/docker/bu… #764

# Copyright 2022 Open Ag Data Alliance
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Build and push OADA images
on:
push:
pull_request:
jobs:
setup:
runs-on: ubuntu-latest
outputs:
services: ${{ steps.services.outputs.list }}
version: ${{ steps.ref.outputs.version }}
release: ${{ steps.ref.outputs.release }}
major: ${{ steps.semver.outputs.major }}
minor: ${{ steps.semver.outputs.minor }}
patch: ${{ steps.semver.outputs.patch }}
prerelease: ${{ steps.semver.outputs.prerelease }}
build: ${{ steps.semver.outputs.build }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Find Services
id: services
run: |
SERVICES=$(ls -1 oada/services | tr '\n' ',' | sed 's/,/","/g' | sed 's/^/["/' | sed 's/,"$/]/')
echo ::set-output name=list::${SERVICES}
- name: Parse Ref
id: ref
run: |
echo 'Processing git ref:' $GITHUB_REF
# Release version is just the release number
if [[ $GITHUB_REF == refs/heads/release/* ]]; then
VERSION=${GITHUB_REF#refs/heads/release/}
#RELEASE=true
elif [[ $GITHUB_REF == refs/tags/* ]]; then
if [[ $GITHUB_REF == refs/tags/v* ]]; then
VERSION=${GITHUB_REF#refs/tags/v}
RELEASE=true
else
VERSION=tag-${GITHUB_REF#refs/tags/}
fi
# Branch version is branch name (with '/' -> '-')
elif [[ $GITHUB_REF == refs/heads/* ]]; then
VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')
# Expect for the default_branch, which gets version "edge"
if [ "$VERSION" == "${{ github.event.repository.default_branch }}" ]; then
VERSION=edge
fi
# PR versions are pr-<github pr number>
elif [[ $GITHUB_REF == refs/pull/* ]]; then
VERSION=pr-${{ github.event.number }}
else
echo ::error ::Can not determine version of service -- unexpected job trigger? Stopping.
exit 1
fi
echo ::set-output name=version::${VERSION}
echo ::set-output name=release::${RELEASE}
- name: Parse Semver
id: semver
if: ${{ steps.ref.outputs.release }}
uses: booxmedialtd/[email protected]
with:
input_string: ${{ steps.ref.outputs.version }}
#version_extractor_regex: '\/v(.*)$'
prebuild:
name: Build and cache shared Docker layers
runs-on: ubuntu-latest
# Only run one build at a time to fix layer reuse?
concurrency: prebuild-${{ github.sha }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/[email protected]
- name: Set up Docker Buildx
id: buildx
uses: docker/[email protected]
with:
version: latest
- name: Cache docker layers
if: ${{ !env.ACT }} # Awaiting ACT version after 0.2.17 for this feature
uses: actions/cache@v3
id: cache
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}-oada
restore-keys: |
${{ runner.os }}-buildx-${{ github.sha }}-
${{ runner.os }}-buildx-
- name: Build base OADA images
uses: docker/[email protected]
with:
context: oada
file: oada/Dockerfile
platforms: linux/amd64
build-args: |
GIT_REF=${{ github.sha }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
- # Temp fix
# https://github.com/docker/build-push-action/issues/252
# https://github.com/moby/buildkit/issues/1896
name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
build-and-push-services:
name: Build and Push images to DockerHub and GHCR
needs:
- setup
- prebuild
strategy:
matrix:
service: ${{ fromJson(needs.setup.outputs.services) }}
context:
- oada
include:
- service: support/proxy
context: support/proxy
- service: support/proxy-http-only
context: support/proxy
target: http-only
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/[email protected]
- name: Set up Docker Buildx
id: buildx
uses: docker/[email protected]
with:
version: latest
- name: Cache docker layers
if: ${{ !env.ACT }} # Awaiting ACT version after 0.2.17 for this feature
uses: actions/cache@v3
id: cache
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.service }}
restore-keys: |
${{ runner.os }}-buildx-${{ github.sha }}-
${{ runner.os }}-buildx-
- name: Prepare Images
id: images
run: |
# Doesn't like upper case
OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')
# Name on DockerHub (doesn't like extra / in images?)
DOCKER_IMAGE=${OWNER}/$(echo ${{ matrix.service }} | tr '/' '-')
# Name on GHCR
GHCR_IMAGE=ghcr.io/${OWNER}/${{ matrix.service}}
echo ::set-output name=dockerhub::${DOCKER_IMAGE}
echo ::set-output name=ghcr::${GHCR_IMAGE}
- name: Login to DockerHub
#if: github.event_name != 'pull_request'
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
#if: github.event_name != 'pull_request'
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ steps.images.outputs.dockerhub }}
${{ steps.images.outputs.ghcr}}
labels: |
org.opencontainers.image.title=${{ matrix.service }}
org.opencontainers.image.description=An OADA microservice
# Don't update latest on prereleases?
flavor: latest=${{ !!(needs.setup.outputs.release && !needs.setup.outputs.prerelease) }}
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=schedule,pattern=nightly
type=edge
type=ref,event=pr
type=sha
- name: Build and push to images
uses: docker/[email protected]
with:
context: ${{ matrix.context }}
file: ${{ matrix.context }}/Dockerfile
target: ${{ matrix.target }}
platforms: linux/amd64
push: true
tags: ${{ steps.meta.outputs.tags }}
build-args: |
GIT_REF=${{ github.sha }}
OADA_SERVICE=${{ matrix.service }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
- # Temp fix
# https://github.com/docker/build-push-action/issues/252
# https://github.com/moby/buildkit/issues/1896
name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
# Use Snyk to check service docker images
snyk-services:
name: Snyk Checks
needs:
- setup
- build-and-push-services
strategy:
matrix:
service: ${{ fromJson(needs.setup.outputs.services) }}
context:
- oada
include:
- service: support/proxy
context: support/proxy
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Find Docker tag for Snyk
id: tag
run: |
# Doesn't like upper case
OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')
# Name on DockerHub (doesn't like extra / in images?)
DOCKER_IMAGE=${OWNER}/$(echo ${{ matrix.service }} | tr '/' '-')
# Name on GHCR
#GHCR_IMAGE=ghcr.io/${OWNER}/${{ matrix.service}}
TAG="${DOCKER_IMAGE}:edge"
if [[ "${{ needs.setup.outputs.release }}" ]]; then
if [[ "${{ needs.setup.outputs.prerelease }}" ]]; then
TAG="${DOCKER_IMAGE}:edge"
else
TAG="${DOCKER_IMAGE}:latest"
fi
fi
echo ::set-output name=tag::${TAG}
echo ::set-output name=org::${OWNER}
echo ::set-output name=cur::${GHCR_IMAGE}:sha-${GITHUB_SHA::8}
- name: Monitor Service image with Snyk
uses: snyk/actions/docker@master
# Don't break workflow on errors?
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: container monitor
image: ${{ steps.tag.outputs.tag }}
args: --org=${{ steps.tag.outputs.org }} --file=${{ matrix.context }}/Dockerfile
- name: Test current Service image with Snyk
uses: snyk/actions/docker@master
# Don't break workflow on errors?
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ steps.tag.outputs.tag }}
args: --org=${{ steps.tag.outputs.org }} --file=${{ matrix.context }}/Dockerfile
- name: Secure Code Warrior
uses: SecureCodeWarrior/github-action-add-sarif-contextual-training@v1
with:
inputSarifFile: ./snyk.sarif
outputSarifFile: ./securecodewarrior.sarif
githubToken: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF file to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./securecodewarrior.sarif
#sarif_file: ./snyk.sarif
# Create a "release" compose file and attack it to a draft GitHub release.
# TODO: Disallow release if high severity vulnerabilities, failing tests, etc.?
create-release:
needs:
- setup
- build-and-push-services
if: ${{ needs.setup.outputs.release }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up yq
uses: chrisdickinson/setup-yq@latest
with:
yq-version: v4.25.2
- name: Login to DockerHub
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get Release Compose File
id: release
run: |
RELEASE=docker-compose.release.yml
# Use commit of release as version??
OADA_VERSION="sha-${GITHUB_SHA::7}" \
RELEASE_VERSION="${{ needs.setup.outputs.version }}" \
./release/make.sh | tee $RELEASE
echo ::set-output name=composefile::$RELEASE
# TODO: More detailed check?
- name: Verify Compose File
run: docker-compose -f ${{ steps.release.outputs.composefile }} config
- name: Create Release
id: create_release
uses: actions/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ github.ref }}
release_name: OADA v${{ needs.setup.outputs.version }}
# Make draft and wait for person to release it?
draft: true
prerelease: ${{ !!needs.setup.outputs.prerelease }}
- name: Upload Release Compose File
id: upload-release-asset
uses: actions/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ${{ steps.release.outputs.composefile }}
asset_name: docker-compose.yml
asset_content_type: application/yaml