Revert last Docker CD refactoring (#59)

* Revert "Fix tag extraction in dockerhub CD (#56)"

This reverts commit 1d68363.

* Revert "Refactor Docker Hub CI to use composite action and enable debian / alpine flavors (#54)"

This reverts commit 92e9ab3.

* Switch Dockerfile to Alpine

.github/workflows/ci_workflow_dispatch.yaml

@@ -34,7 +34,6 @@ jobs:
     strategy:
       matrix:
         service: ${{ fromJson(needs.changed-services.outputs.services) }}
-        flavor: ["", "debian"]
       fail-fast: false
 
     steps:
@@ -74,17 +73,41 @@ jobs:
         id: symlink-requirements
         run: cp -r lock services/${{ matrix.service }}/lock
 
-      - name: Prepare Dockerfiles
-        id: prepare-dockerfiles
-        run: cp Dockerfile* services/${{ matrix.service }}/ && sed -i "s/\(ENTRYPOINT \)\[\]/\1[\"${{ matrix.service }}\"]/" services/${{ matrix.service }}/Dockerfile*
+      - name: Prepare Dockerfile
+        id: prepare-dockerfile
+        run: cp Dockerfile services/${{ matrix.service }}/ && sed -i "s/\(ENTRYPOINT \)\[\]/\1[\"${{ matrix.service }}\"]/" services/${{ matrix.service }}/Dockerfile
 
-      - name: Docker build and push
-        uses: ghga-de/gh-action-ci@v1
+      - uses: docker/setup-qemu-action@v3
+        name: Set up QEMU
+
+      - uses: docker/setup-buildx-action@v3
+        name: Set up Docker Buildx
+
+      - uses: docker/login-action@v3
+        name: Login to DockerHub
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - uses: docker/build-push-action@v5
+        name: Build and push
+        id: docker_build
         with:
-          checkout: "false"
-          dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
-          dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
-          tag: "${{ env.DOCKERHUB_NAMESPACE }}/${{ steps.extract-service-name.outputs.name }}:${{ steps.extract-service-version.outputs.version }}-${{ github.sha }}"
-          trivy_severity: "CRITICAL"
-          flavor: "${{ matrix.flavor }}"
-          working_directory: "services/${{ matrix.service }}"
+          push: true
+          platforms: "${{ env.DOCKERHUB_PLATFORMS }}"
+          tags: "${{ env.DOCKERHUB_NAMESPACE }}/${{ steps.extract-service-name.outputs.name }}:${{ steps.extract-service-version.outputs.version }}-${{ github.sha }}"
+          context: "services/${{ matrix.service }}"
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "docker.io/${{ env.DOCKERHUB_NAMESPACE }}/${{ steps.extract-service-name.outputs.name }}:${{ steps.extract-service-version.outputs.version }}-${{ github.sha }}"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: ${{ env.TRIVY_SEVERITY }}
+
+      - name: Image digest
+        shell: bash
+        run: echo ${{ steps.docker_build.outputs.digest }}

.github/workflows/docker_on_release.yaml

@@ -127,7 +127,6 @@ jobs:
     strategy:
       matrix:
         service: ${{ fromJson(needs.changed-services.outputs.services) }}
-        flavor: ["", "debian"]
       fail-fast: false
 
     steps:
@@ -174,21 +173,50 @@ jobs:
             exit 1
           fi
 
+      - name: Ensure that tag complies with semantic versioning.
+        uses: matt-usurp/validate-semver@v2
+        with:
+          version: ${{ steps.extract-service-version.outputs.version }}
+
       - name: Symlink requirement files
         id: symlink-requirements
         run: cp -r lock services/${{ matrix.service }}/lock
 
-      - name: Prepare Dockerfiles
-        id: prepare-dockerfiles
-        run: cp Dockerfile* services/${{ matrix.service }}/ && sed -i "s/\(ENTRYPOINT \)\[\]/\1[\"${{ matrix.service }}\"]/" services/${{ matrix.service }}/Dockerfile*
+      - name: Prepare Dockerfile
+        id: prepare-dockerfile
+        run: cp Dockerfile services/${{ matrix.service }}/ && sed -i "s/\(ENTRYPOINT \)\[\]/\1[\"${{ matrix.service }}\"]/" services/${{ matrix.service }}/Dockerfile
+
+      - uses: docker/setup-qemu-action@v3
+        name: Set up QEMU
 
-      - name: Docker build and push
-        uses: ghga-de/gh-action-ci@v1
+      - uses: docker/setup-buildx-action@v3
+        name: Set up Docker Buildx
+
+      - uses: docker/login-action@v3
+        name: Login to DockerHub
         with:
-          checkout: "false"
-          dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
-          dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
-          tag: "${{ steps.extract-service-version.outputs.version }}"
-          trivy_severity: "CRITICAL"
-          flavor: "${{ matrix.flavor }}"
-          working_directory: "services/${{ matrix.service }}"
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - uses: docker/build-push-action@v5
+        name: Build and push
+        id: docker_build
+        with:
+          push: true
+          platforms: "${{ env.DOCKERHUB_PLATFORMS }}"
+          tags: "${{ steps.docker-tag.outputs.tag }}"
+          context: "services/${{ matrix.service }}"
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "docker.io/${{ steps.docker-tag.outputs.tag }}"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: ${{ env.TRIVY_SEVERITY }}
+
+      - name: Image digest
+        shell: bash
+        run: echo ${{ steps.docker_build.outputs.digest }}

Dockerfile

@@ -46,5 +46,4 @@ WORKDIR /home/appuser
 USER appuser
 ENV PYTHONUNBUFFERED=1
 
-# Please adapt to package name:
 ENTRYPOINT []