Skip to content
ACA Docker Image Build

Env context #3

Sign in to view logs

Env context

Env context #3

Workflow file for this run

.github/workflows/create_aca_images.yml at 9095abc
name: ACA Docker Image Build
on:
push:
release:
types: [ published ]
workflow_dispatch:
inputs:
# GITHUB_REF is assumed to be a tag
# tag is assumed to have the format vx.y.z. The docker images will be tagged :x.y.z
also_tag_latest:
description: 'Tag latest?'
required: false
type: boolean
env:
PACKAGES_PATH: nsacyber/hirs
DOCKERFILE_ROCKY: aca-rocky
DOCKERFILE_WINDOWS: aca-windows
IMAGE_NAME_ROCKY: ghcr.io/nsacyber/hirs/aca-rocky
IMAGE_NAME_WINDOWS: ghcr.io/nsacyber/hirs/aca-windows
IMAGE_NAME_WINDOWS_COMPAT: ghcr.io/nsacyber/hirs/aca-windows-1809
PUBLIC_IMAGE_NAME: ghcr.io/nsacyber/hirs/aca
PUBLIC_IMAGE_TAG_LATEST: ghcr.io/nsacyber/hirs/aca:latest
TAG_LATEST: ${{ github.event_name == 'release' || inputs.also_tag_latest }} # The public docker image will be tagged 'latest' for releases, or if this option is selected.
jobs:
setup:
runs-on: ubuntu-latest
steps:
- name: Set env
run: |
# Change dash to bash
sudo echo "dash dash/sh boolean false" | sudo debconf-set-selections
sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash
export RUNLEVEL=1
# Parse docker image tag from GitHub tag if available
if [ "${{ github.ref_type }}" = "tag" ]; then
# tags start with refs/tags/. Also remove v if it exists.
export IMAGE_TAG_VAR=${GITHUB_REF:10}
export IMAGE_TAG_VAR=${IMAGE_TAG_VAR//v/}
else
# Not a tag, use the commit hash. Do not tag as latest.
export IMAGE_TAG_VAR=${GITHUB_SHA:7}
fi
# To lowercase
export IMAGE_TAG_VAR=${IMAGE_TAG_VAR,,}
# Save to output
echo "IMAGE_TAG=$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
echo "ROCKY_IMAGE_TAG=$IMAGE_NAME_ROCKY:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
echo "WINDOWS_IMAGE_TAG=$IMAGE_NAME_WINDOWS:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
echo "WINDOWS_COMPAT_IMAGE_TAG=$IMAGE_NAME_WINDOWS_COMPAT:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
echo "PUBLIC_IMAGE_TAG=ghcr.io/nsacyber/hirs/aca:IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
- name: Test env
run: |
echo "IMAGE_NAME_TAG=$IMAGE_NAME_TAG"
echo "ROCKY_IMAGE_TAG=$ROCKY_IMAGE_TAG"
echo "WINDOWS_IMAGE_TAG=$WINDOWS_IMAGE_TAG"
echo "WINDOWS_COMPAT_IMAGE_TAG=$WINDOWS_COMPAT_IMAGE_TAG"
echo "PUBLIC_IMAGE_TAG=$PUBLIC_IMAGE_TAG"
rocky-image:
needs: setup
runs-on: ubuntu-latest
env:
FILE: env.DOCKERFILE_ROCKY
TAG: ${{ needs.setup.outputs.ROCKY_IMAGE_TAG }}
steps:
- name: Checkout main
uses: actions/checkout@v4
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push a release Docker image for ${{ github.repository }}
uses: docker/build-push-action@v5
with:
context: ./.ci/docker
file: Dockerfile.$FILE
tags: $TAG
push: true
sbom: true
windows-11-image:
needs: setup
runs-on: windows-latest
env:
FILE: env.DOCKERFILE_WINDOWS
TAG: ${{ needs.setup.outputs.WINDOWS_IMAGE_TAG }}
steps:
- name: Checkout main
uses: actions/checkout@v4
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push a release Docker image for ${{ github.repository }}
uses: docker/build-push-action@v5
with:
context: ./.ci/docker
file: Dockerfile.$FILE
tags: $TAG
push: true
sbom: true
windows-compat-image: # This job uses a different build arg than the other windows job.
needs: setup
runs-on: windows-latest
env:
FILE: env.DOCKERFILE_WINDOWS
TAG: ${{ needs.setup.outputs.WINDOWS_COMPAT_IMAGE_TAG }}
steps:
- name: Checkout main
uses: actions/checkout@v4
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push a release Docker image for ${{ github.repository }}
uses: docker/build-push-action@v5
with:
context: ./.ci/docker
file: Dockerfile.$FILE
tags: $TAG
build-args: BASE_IMAGE_TAG=lts-windowsservercore-1809
push: true
sbom: true
manifest:
needs: [rocky-image, windows-11-image, windows-compat-image]
runs-on: ubuntu-latest
env:
IMAGE1: ${{ needs.setup.outputs.ROCKY_IMAGE_TAG }}
IMAGE2: ${{ needs.setup.outputs.WINDOWS_IMAGE_TAG }}
IMAGE3: ${{ needs.setup.outputs.WINDOWS_COMPAT_IMAGE_TAG }}
PUB: ${{ needs.setup.outputs.PUBLIC_IMAGE_TAG }}
steps:
- name: Checkout main
uses: actions/checkout@v4
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Create and push manifest with tag
run: |
# Change dash to bash
sudo echo "dash dash/sh boolean false" | sudo debconf-set-selections
sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash
export RUNLEVEL=1
docker manifest rm $PUB
docker manifest create $PUB --amend $IMAGE1 --amend $IMAGE2 --amend $IMAGE3
docker manifest push $PUB
- name: Create and push manifest latest if selected
if: env.TAG_LATEST
run: |
# Change dash to bash
sudo echo "dash dash/sh boolean false" | sudo debconf-set-selections
sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash
export RUNLEVEL=1
docker manifest rm $PUBLIC_IMAGE_TAG_LATEST
docker manifest create $PUBLIC_IMAGE_TAG_LATEST --amend $IMAGE1 --amend $IMAGE2 --amend $IMAGE3
docker manifest push $PUBLIC_IMAGE_TAG_LATEST