-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yml
149 lines (135 loc) · 5.32 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
# Copyright 2022-2023 Universität Tübingen, DKFZ and EMBL
# for the German Human Genome-Phenome Archive (GHGA)
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: "GHGA CI action tasks"
description: "Tasks that are executed in our CI pipeline for GHGA microservices"
inputs:
checkout:
description: "Checkout the repository"
required: false
default: "true"
dockerhub_username:
description: "The DockerHub username"
required: true
default: "ghga"
dockerhub_token:
description: "The DockerHub token used to authenticate"
required: true
tag:
description: "The tag used to publish to the registry."
required: true
dockerhub_namespace:
description: "The namespace used to publish to the registry."
required: true
default: ghga
dockerhub_repository:
description: "The Docker Hub repository to publish to. Defaults to git repository name."
required: false
default: ${{ github.event.repository.name }}
working_directory:
description: "Directory which contains Dockerfile and project configuration files."
default: "."
trivy_severity:
description: "Severities of vulnerabilities to scanned for and displayed."
default: "CRITICAL,HIGH"
dockerhub_platforms:
description: "Platforms passed to DockerHub build and push action."
default: "linux/amd64,linux/arm64"
flavor:
description: "Flavor to build. Expects 'Dockerfile.{flavor} to be present and appends '-{flavor}' to the tag."
default: ""
runs:
using: "composite"
steps:
- uses: actions/checkout@v4
name: Check out code
if: ${{ inputs.checkout == 'true' }}
- if: contains(fromJSON('["release"]'), github.event_name)
name: Ensure that tag complies with semantic versioning.
uses: matt-usurp/validate-semver@v2
with:
version: ${{ inputs.tag }}
- if: contains(fromJSON('["release"]'), github.event_name)
uses: actions/setup-python@v5
name: Set up Python 3.12
with:
python-version: "3.12"
- if: contains(fromJSON('["release"]'), github.event_name)
name: Ensure package version and tag are equal
working-directory: ${{ inputs.working_directory }}
shell: bash
run: |
if [ -f "setup.py" ]
then
echo "Using setup.py to extract python package version"
PKG_VER="$(python setup.py --version)"
elif [ -f "pyproject.toml" ]
then
echo "Using pyproject.toml to extract python package version"
version=$(python3.12 -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['version'])")
PKG_VER=$version
else
echo "Neither setup.py nor pyproject.toml were found." >&2; exit 1
fi
TAG_VER=${{ inputs.package_version }}
[[ -z "$TAG_VER" ]] && TAG_VER=${{ inputs.tag }}
echo "Package version is $PKG_VER" >&2
echo "Tag version is $TAG_VER" >&2
if [ "$PKG_VER" != "$TAG_VER" ]; then
echo "Package version and tag name mismatch." >&2
exit 1
fi
- uses: docker/setup-qemu-action@v3
name: Set up QEMU
- uses: docker/setup-buildx-action@v3
name: Set up Docker Buildx
- uses: docker/login-action@v3
name: Login to DockerHub
with:
username: ${{ inputs.dockerhub_username }}
password: ${{ inputs.dockerhub_token }}
- name: Construct Dockerfile and tag suffixes
shell: bash
id: get_suffixes
run: |
if [ -n "${{ inputs.flavor }}" ]; then
echo "dockerfile_suffix=.${{ inputs.flavor }}" >> $GITHUB_OUTPUT
echo "tag_suffix=-${{ inputs.flavor }}" >> $GITHUB_OUTPUT
else
echo "dockerfile_suffix=" >> $GITHUB_OUTPUT
echo "tag_suffix=" >> $GITHUB_OUTPUT
fi
- uses: docker/build-push-action@v5
name: Build and push
id: docker_build
with:
push: true
platforms: "${{ inputs.dockerhub_platforms }}"
file: "${{ inputs.working_directory }}/Dockerfile${{ steps.get_suffixes.outputs.dockerfile_suffix }}"
tags: "${{ inputs.dockerhub_namespace }}/${{ inputs.dockerhub_repository }}:${{ inputs.tag }}${{ steps.get_suffixes.outputs.tag_suffix }}"
context: "${{ inputs.working_directory }}"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
env:
TRIVY_DB_REPOSITORY: "ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db"
with:
image-ref: "docker.io/${{ inputs.dockerhub_namespace }}/${{ github.event.repository.name }}:${{ inputs.tag }}${{ steps.get_suffixes.outputs.tag_suffix }}"
format: "table"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: ${{ inputs.trivy_severity }}
- name: Image digest
shell: bash
run: echo ${{ steps.docker_build.outputs.digest }}