Disable sbom on windows #5
name: Create ACA Docker Image | |
on: | |
push: | |
release: | |
types: [ published ] | |
workflow_dispatch: | |
inputs: | |
# GITHUB_REF is assumed to be a tag | |
# tag is assumed to have the format vx.y.z. The docker images will be tagged :x.y.z | |
also_tag_latest: | |
description: 'Tag latest?' | |
required: false | |
type: boolean | |
env: | |
PACKAGES_PATH: nsacyber/hirs | |
DOCKERFILE_ROCKY: aca-rocky | |
DOCKERFILE_WINDOWS: aca-windows | |
IMAGE_NAME_ROCKY: ghcr.io/nsacyber/hirs/aca-rocky | |
IMAGE_NAME_WINDOWS: ghcr.io/nsacyber/hirs/aca-windows | |
IMAGE_NAME_WINDOWS_COMPAT: ghcr.io/nsacyber/hirs/aca-windows-1809 | |
PUBLIC_IMAGE_NAME: ghcr.io/nsacyber/hirs/aca | |
PUBLIC_IMAGE_TAG_LATEST: ghcr.io/nsacyber/hirs/aca:latest | |
TAG_LATEST: ${{ github.event_name == 'release' || inputs.also_tag_latest }} # The public docker image will be tagged 'latest' for releases, or if this option is selected. | |
jobs: | |
setup: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Set env | |
run: | | |
# Change dash to bash | |
sudo echo "dash dash/sh boolean false" | sudo debconf-set-selections | |
sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash | |
export RUNLEVEL=1 | |
# Parse docker image tag from GitHub tag if available | |
if [ "${{ github.ref_type }}" = "tag" ]; then | |
# tags start with refs/tags/. Also remove v if it exists. | |
export IMAGE_TAG_VAR=${GITHUB_REF:10} | |
export IMAGE_TAG_VAR=${IMAGE_TAG_VAR//v/} | |
else | |
# Not a tag, use the commit hash. Do not tag as latest. | |
export IMAGE_TAG_VAR=${GITHUB_SHA:7} | |
fi | |
# To lowercase | |
export IMAGE_TAG_VAR=${IMAGE_TAG_VAR,,} | |
# Save to output | |
echo "IMAGE_TAG=$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT" | |
echo "ROCKY_IMAGE_TAG=$IMAGE_NAME_ROCKY:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT" | |
echo "WINDOWS_IMAGE_TAG=$IMAGE_NAME_WINDOWS:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT" | |
echo "WINDOWS_COMPAT_IMAGE_TAG=$IMAGE_NAME_WINDOWS_COMPAT:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT" | |
echo "PUBLIC_IMAGE_TAG=ghcr.io/nsacyber/hirs/aca:IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT" | |
- name: Test env | |
run: | | |
echo "IMAGE_NAME_TAG=$IMAGE_NAME_TAG" | |
echo "ROCKY_IMAGE_TAG=$ROCKY_IMAGE_TAG" | |
echo "WINDOWS_IMAGE_TAG=$WINDOWS_IMAGE_TAG" | |
echo "WINDOWS_COMPAT_IMAGE_TAG=$WINDOWS_COMPAT_IMAGE_TAG" | |
echo "PUBLIC_IMAGE_TAG=$PUBLIC_IMAGE_TAG" | |
rocky-image: | |
needs: setup | |
runs-on: ubuntu-latest | |
env: | |
FILE: env.DOCKERFILE_ROCKY | |
TAG: ${{ needs.setup.outputs.ROCKY_IMAGE_TAG }} | |
steps: | |
- name: Checkout main | |
uses: actions/checkout@v4 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and push a release Docker image for ${{ github.repository }} | |
uses: docker/build-push-action@v5 | |
with: | |
context: ./.ci/docker | |
file: Dockerfile.${{env.FILE}} | |
tags: ${{env.TAG}} | |
push: true | |
sbom: true | |
windows-11-image: | |
needs: setup | |
runs-on: windows-latest | |
env: | |
FILE: env.DOCKERFILE_WINDOWS | |
TAG: ${{ needs.setup.outputs.WINDOWS_IMAGE_TAG }} | |
steps: | |
- name: Checkout main | |
uses: actions/checkout@v4 | |
# Leaving this in case we want to check if docker's sbom option below still attempts to use privileged mode in the future | |
# There are third party options, but requires sending password through those actions. | |
# - name: Set up Docker Buildx | |
# uses: docker/setup-buildx-action@v3 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and push a release Docker image for ${{ github.repository }} | |
uses: docker/build-push-action@v5 | |
with: | |
context: ./.ci/docker | |
file: Dockerfile.${{env.FILE}} | |
tags: ${{env.TAG}} | |
push: true | |
# sbom: true # Buildx on Windows requires privileged mode, and docker's action tries to use privileged mode | |
windows-compat-image: # This job uses a different build arg than the other windows job. | |
needs: setup | |
runs-on: windows-latest | |
env: | |
FILE: env.DOCKERFILE_WINDOWS | |
TAG: ${{ needs.setup.outputs.WINDOWS_COMPAT_IMAGE_TAG }} | |
steps: | |
- name: Checkout main | |
uses: actions/checkout@v4 | |
# Leaving this in case we want to check if docker's sbom option below still attempts to use privileged mode in the future | |
# There are third party options, but requires sending password through those actions. | |
# - name: Set up Docker Buildx | |
# uses: docker/setup-buildx-action@v3 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and push a release Docker image for ${{ github.repository }} | |
uses: docker/build-push-action@v5 | |
with: | |
context: ./.ci/docker | |
file: Dockerfile.${{env.FILE}} | |
tags: ${{env.TAG}} | |
build-args: BASE_IMAGE_TAG=lts-windowsservercore-1809 | |
push: true | |
# sbom: true # Buildx on Windows requires privileged mode, and docker's action tries to use privileged mode | |
manifest: | |
needs: [rocky-image, windows-11-image, windows-compat-image] | |
runs-on: ubuntu-latest | |
env: | |
IMAGE1: ${{ needs.setup.outputs.ROCKY_IMAGE_TAG }} | |
IMAGE2: ${{ needs.setup.outputs.WINDOWS_IMAGE_TAG }} | |
IMAGE3: ${{ needs.setup.outputs.WINDOWS_COMPAT_IMAGE_TAG }} | |
PUB: ${{ needs.setup.outputs.PUBLIC_IMAGE_TAG }} | |
steps: | |
- name: Checkout main | |
uses: actions/checkout@v4 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Create and push manifest with tag | |
run: | | |
# Change dash to bash | |
sudo echo "dash dash/sh boolean false" | sudo debconf-set-selections | |
sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash | |
export RUNLEVEL=1 | |
docker manifest rm $PUB | |
docker manifest create $PUB --amend $IMAGE1 --amend $IMAGE2 --amend $IMAGE3 | |
docker manifest push $PUB | |
- name: Create and push manifest latest if selected | |
if: env.TAG_LATEST | |
run: | | |
# Change dash to bash | |
sudo echo "dash dash/sh boolean false" | sudo debconf-set-selections | |
sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash | |
export RUNLEVEL=1 | |
docker manifest rm $PUBLIC_IMAGE_TAG_LATEST | |
docker manifest create $PUBLIC_IMAGE_TAG_LATEST --amend $IMAGE1 --amend $IMAGE2 --amend $IMAGE3 | |
docker manifest push $PUBLIC_IMAGE_TAG_LATEST | |
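Review bot: The `needs.setup.outputs.*` expressions used by every downstream job (`TAG:` in rocky-image, windows-11-image and windows-compat-image, and the `IMAGE1`/`IMAGE2`/`IMAGE3`/`PUB` env of `manifest`) resolve to empty, because the `setup` job declares no `outputs:` block, its `Set env` step has no `id:` to reference, and `manifest` does not list `setup` in its `needs:` (the `needs` context only holds direct dependencies), so the images and manifests are pushed with an empty tag. Related, `echo "PUBLIC_IMAGE_TAG=ghcr.io/nsacyber/hirs/aca:IMAGE_TAG_VAR"` is missing the `$` before `IMAGE_TAG_VAR`, `FILE: env.DOCKERFILE_ROCKY` / `FILE: env.DOCKERFILE_WINDOWS` are literal strings rather than `${{ env.DOCKERFILE_ROCKY }}` expressions, and `${GITHUB_SHA:7}` keeps everything after the seventh character (presumably `${GITHUB_SHA:0:7}` was meant). `if: env.TAG_LATEST` is also always true, since the env value is the non-empty string `"false"` when the option is not selected; it should be `if: env.TAG_LATEST == 'true'`. Finally, the workflow pushes to ghcr.io with `secrets.GITHUB_TOKEN` but declares no `permissions:`, so it depends on the repository's default token scope; declaring `permissions:` with `contents: read` and `packages: write` at the top level keeps the token at least privilege and makes the push independent of that default. The rendering here has lost the file's indentation and which lines this commit changed, so the rewrite below uses conventional two-space nesting and shows only the plumbing fix.

```yaml
permissions:
  contents: read
  packages: write

jobs:
  setup:
    runs-on: ubuntu-latest
    outputs:
      IMAGE_TAG: ${{ steps.set_env.outputs.IMAGE_TAG }}
      ROCKY_IMAGE_TAG: ${{ steps.set_env.outputs.ROCKY_IMAGE_TAG }}
      WINDOWS_IMAGE_TAG: ${{ steps.set_env.outputs.WINDOWS_IMAGE_TAG }}
      WINDOWS_COMPAT_IMAGE_TAG: ${{ steps.set_env.outputs.WINDOWS_COMPAT_IMAGE_TAG }}
      PUBLIC_IMAGE_TAG: ${{ steps.set_env.outputs.PUBLIC_IMAGE_TAG }}
    steps:
      - name: Set env
        id: set_env
        run: |
          # … unchanged: dash/bash switch and tag parsing …
          echo "PUBLIC_IMAGE_TAG=$PUBLIC_IMAGE_NAME:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
  # … unchanged: rocky-image, windows-11-image, windows-compat-image …
  manifest:
    needs: [setup, rocky-image, windows-11-image, windows-compat-image]
    # … unchanged: env and steps …
```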