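# Rebuilds the CentOS container image when its packages or its upstream base
# image changed (or on request), publishes it, and scans the published image
# with Trivy.
name: CD

on:
  push:
    branches: [master]
  schedule:
    - cron: '30 3 * * *'
  workflow_dispatch:
    inputs:
      force_rebuild:
        description: 'Force container rebuild'
        required: true
        type: choice
        # The rebuild check below compares this input against the string
        # "true"; the previous unquoted `yes`/`no` pair was parser-dependent
        # (YAML 1.1 booleans vs. plain strings), so spell the options out.
        options: ['true', 'false']

permissions:
  packages: write
  # NOTE(review): presumably required by the Trivy `github` output format
  # (dependency-snapshot upload) — confirm, and drop it if not.
  contents: write

env:
  REGISTRY: ghcr.io

jobs:
  CentOS:
    name: CentOS
    runs-on: ubuntu-latest
    timeout-minutes: 10
    strategy:
      matrix:
        version: ['7']
    steps:
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Decides whether a rebuild is needed and exposes the decision as the
      # step output `build` ("true" when any trigger fires, unset otherwise).
      # Non-fatal on purpose: a transient registry error only skips the
      # build steps, it does not fail the job.
      - name: Check for rebuild
        id: update_check
        continue-on-error: true
        env:
          # Expression values are handed to the script through env vars rather
          # than interpolated into it, so they are never parsed as shell.
          FORCE_REBUILD: ${{ github.event.inputs.force_rebuild }}
          IMAGE: ${{ env.REGISTRY }}/${{ github.repository }}:${{ matrix.version }}
          BASE_IMAGE: centos:${{ matrix.version }}
          VERSION: ${{ matrix.version }}
        run: |
          # [update-check]
          echo -e "::group::\033[34mChecking for packages updates…\033[0m"
          if [[ "$FORCE_REBUILD" == "true" ]] ; then
            echo "::warning::Rebuild ${VERSION} (reason: forced rebuild)"
            echo "build=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Nothing published yet: there is nothing to compare against.
          if ! docker pull "$IMAGE" ; then
            echo "::warning::Rebuild ${VERSION} (reason: new image)"
            echo "build=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # `yum check-update` exits 100 when updates are pending and 1 on
          # error; both trigger a rebuild here.
          if ! docker run --rm "$IMAGE" yum check-update ; then
            echo "::warning::Rebuild ${VERSION} (reason: packages update)"
            echo "build=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "::endgroup::"
          echo -e "::group::\033[34mChecking for rebuilt base image…\033[0m"
          echo "Pulling ${BASE_IMAGE} from registry…"
          echo ""
          if ! docker pull "$BASE_IMAGE" ; then
            echo "::error::Can't pull image ${BASE_IMAGE}"
            exit 1
          fi
          # The lowest RootFS layer changes whenever the upstream base image
          # is rebuilt under the same tag.
          orig_dig=$(docker inspect "$BASE_IMAGE" | jq -r '.[0].RootFS.Layers[0]')
          our_dig=$(docker inspect "$IMAGE" | jq -r '.[0].RootFS.Layers[0]')
          echo ""
          echo "Original: ${orig_dig}"
          echo "Our: ${our_dig}"
          if [[ "$orig_dig" != "$our_dig" ]] ; then
            echo "::warning::Rebuild ${VERSION} (reason: rebuilt base image)"
            echo "build=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "::endgroup::"

      - name: Checkout
        if: ${{ steps.update_check.outputs.build == 'true' }}
        uses: actions/checkout@v4

      - name: Set build context
        if: ${{ steps.update_check.outputs.build == 'true' }}
        id: build_context
        run: |
          echo "dockerfile=centos${{ matrix.version }}.docker" >> "$GITHUB_OUTPUT"

      - name: Rebuild and push image
        if: ${{ steps.update_check.outputs.build == 'true' }}
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ${{ steps.build_context.outputs.dockerfile }}
          push: true
          tags: |
            ${{ env.REGISTRY }}/${{ github.repository }}:${{ matrix.version }}
            ${{ github.repository }}:${{ matrix.version }}

      - name: Show info about images
        uses: essentialkaos/docker-info-action@v1
        with:
          image: ${{ env.REGISTRY }}/${{ github.repository }}:${{ matrix.version }}

      # Runs on every workflow run (no `if:`), so the published image is
      # re-scanned nightly even when it was not rebuilt.
      - name: Scan final image with Trivy
        # TODO(review): `@master` is a mutable ref of a third-party action;
        # pin it to a release tag or a full commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:${{ matrix.version }}
          format: github
          github-pat: ${{ secrets.GITHUB_TOKEN }}
          output: dependency-results.sbom.json
          ignore-unfixed: true
          severity: LOW,MEDIUM,HIGH,CRITICAL
          scanners: vuln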