

refactor: moved github actions from alfresco-process
The two actions docker-build-image and docker-scan-image have been
created in the Alfresco/alfresco-process repository.
This was causing a bad coupling between the action changes in the
alfresco-process repo and the other repos containing the action
(like Alfresco/alfresco-deployment-service).

Moving the actions here enables a better decoupled design.

Refs: AAE-17459
gicappa committed Oct 25, 2023
1 parent 77507a8 commit e9adfb4
Showing 2 changed files with 246 additions and 0 deletions.
213 changes: 213 additions & 0 deletions .github/actions/docker-build-image/action.yml
@@ -0,0 +1,213 @@
name: Build docker image
description: Build docker image based on supplied jar files
inputs:
base-directory:
description: base working directory directory
required: false
default: .
image-tag:
description: tag to be created
required: true
image-dir:
description: Directory holding the Dockerfile. Relative path from base-directory.
required: true
docker-username:
description: Docker.io user name
required: true
docker-password:
description: Docker.io password
required: true
quay-username:
description: Quay.io user name
required: true
quay-password:
description: Quay.io password
required: true
ghcr-username:
description: User name to connect to GHCR
required: false
default: ${{ github.actor }}
ghcr-token:
description: Github token to connect to GHCR
required: true
aws-access-key-id:
description: AWS access key id to connect to ECR
required: false
aws-secret-access-key:
description: AWS secret access key to connect to ECR
required: false
aws-account-id:
description: AWS account id to connect to ECR
required: true
aws-region:
description: AWS region to use while pushing to ECR
required: false
default: us-east-1
aws-role-name:
required: false
description: AWS role name
default: ECR_Write
grype-scan-enabled:
description: Define whether a Grype scan should be executed or not
required: false
default: 'true'
jars-artifact-name:
description: Name of the the artifact holding the jar files used to build the docker image
required: false
default: 'build'
preview-label:
description: The label name for creating a preview version
required: false
default: 'preview'

runs:
using: composite
steps:
- name: Set is_preview env variable
env:
IS_PREVIEW: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, inputs.preview-label) }}
shell: bash
run: |
echo "IS_PREVIEW=$IS_PREVIEW" >> $GITHUB_ENV
- name: set is PUSH_IMAGE env variable
env:
PUSH_IMAGE: ${{ github.event_name == 'push' || env.IS_PREVIEW == 'true' }}
shell: bash
run: echo "PUSH_IMAGE=$PUSH_IMAGE" >> $GITHUB_ENV

- uses: actions/download-artifact@v3
with:
name: ${{ inputs.jars-artifact-name }}

- name: Set IMAGE_NAME
shell: bash
run: |
REPOSITORY=${DIR##*/}
TAG="${TAG:-$(echo ${GITHUB_HEAD_REF:-$GITHUB_REF_NAME} | sed -e 's/[^-_.[:alnum:]]/_/g')}"
echo "IMAGE_REPOSITORY=$REPOSITORY" >> $GITHUB_ENV
echo "IMAGE_TAG=$TAG" >> $GITHUB_ENV
echo "IMAGE_NAME=$REPOSITORY:$TAG" >> $GITHUB_ENV
env:
DIR: ${{ inputs.image-dir }}
TAG: ${{ inputs.image-tag }}

- name: Replace base image
shell: bash
working-directory: ${{ inputs.base-directory }}
run: |
cp ./Dockerfile $DIR/Dockerfile.new
cp ./entrypoint.sh ./$DIR
tail -n +2 $DIR/Dockerfile >> $DIR/Dockerfile.new
mv $DIR/Dockerfile{.new,}
env:
DIR: ${{ inputs.image-dir }}

- name: Set up QEMU
uses: docker/setup-qemu-action@v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
version: v0.11.0
# apply fix from https://github.com/moby/buildkit/issues/3969
driver-opts: |
image=moby/buildkit:v0.11.6
network=host
- name: Login to docker.io
uses: docker/login-action@v2
with:
username: ${{ inputs.docker-username }}
password: ${{ inputs.docker-password }}

- name: Build image ${{ env.IMAGE_NAME }}
uses: docker/build-push-action@v4
with:
context: ${{ inputs.base-directory }}/${{ inputs.image-dir }}
tags: ghcr.io/alfresco/${{ env.IMAGE_NAME }}
load: true
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: false

- name: Anchore Scan API Image
uses: anchore/scan-action@v3
id: scan
with:
# for now fail-build parameter is set to false as there are many more problems reported by grype than prisma.
# we should set it to true after those issues are fixed.
# See https://alfresco.atlassian.net/browse/HXCS-2474 for more details.
fail-build: false
grype-version: v0.72.0
image: ghcr.io/alfresco/${{ env.IMAGE_NAME }}
output-format: sarif
severity-cutoff: critical

- name: Echo sarif
shell: bash
run: echo "$(<results.sarif )"

- name: Upload SARIF Files
if: ${{ always() && inputs.grype-scan-enabled == 'true' }}
uses: github/codeql-action/upload-sarif@v2
continue-on-error: true # do not fail if GHAS is not enabled
with:
sarif_file: ${{ steps.scan.outputs.sarif }}

- name: Extract metadata for Docker
if: env.PUSH_IMAGE == 'true'
id: meta
uses: docker/metadata-action@v4
with:
images: ${{ env.IMAGE_NAME }}

- name: Login to quay.io
if: env.PUSH_IMAGE == 'true'
uses: docker/login-action@v2
with:
registry: quay.io
username: ${{ inputs.quay-username }}
password: ${{ inputs.quay-password }}

- name: Login to ghcr.io
if: env.PUSH_IMAGE == 'true'
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ inputs.ghcr-username }}
password: ${{ inputs.ghcr-token }}

- name: Configure AWS credentials
if: env.PUSH_IMAGE == 'true'
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ inputs.aws-access-key-id }}
aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
aws-region: ${{ inputs.aws-region }}
role-to-assume: arn:aws:iam::${{ inputs.aws-account-id }}:role/${{ inputs.aws-role-name }}
role-session-name: gh-${{ env.IMAGE_REPOSITORY }}
role-duration-seconds: 900

- name: Login to Amazon ECR
if: env.PUSH_IMAGE == 'true'
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
with:
mask-password: true

- name: Build and Push image ${{ env.IMAGE_NAME }}
if: env.PUSH_IMAGE == 'true'
uses: docker/build-push-action@v4
with:
context: ${{ inputs.base-directory }}/${{ inputs.image-dir }}
platforms: linux/amd64,linux/arm64/v8
tags: |
quay.io/alfresco/${{ env.IMAGE_NAME }}
ghcr.io/alfresco/${{ env.IMAGE_NAME }}
${{ steps.login-ecr.outputs.registry }}/${{ env.IMAGE_NAME }}
labels: ${{ steps.meta.outputs.labels }}
push: true
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: false
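Review bot: The `grype-scan-enabled` input never gates the scan itself — the `Anchore Scan API Image` step and the `Echo sarif` step run unconditionally, and only `Upload SARIF Files` checks `inputs.grype-scan-enabled == 'true'`, so setting the input to `'false'` still runs Grype and merely drops the upload. Add `if: inputs.grype-scan-enabled == 'true'` to both of those steps, and consider `!cancelled()` instead of `always()` on the upload so a cancelled job does not attempt it. The echo step also reads a literal `results.sarif` from the working directory rather than `${{ steps.scan.outputs.sarif }}` used two steps later; using the step output keeps the two in sync if the scan action's default output path changes. Separately, every third-party action here (`docker/*`, `anchore/scan-action`, `aws-actions/*`, `github/codeql-action`) is referenced by a mutable major tag; since this action pushes with registry and AWS credentials, pinning each `uses:` to a full commit SHA with the tag in a trailing comment limits the blast radius of a compromised upstream tag.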
33 changes: 33 additions & 0 deletions .github/actions/docker-scan-image-dirs/action.yml
@@ -0,0 +1,33 @@
name: Scan docker image directories
description: Scan the directories Dockerfile
inputs:
base-directory:
description: base directory to be scanned
required: false
default: .
outputs:
image-dirs-as-json:
description: list of directories containing Dockerfile formatted as JSON
value: ${{ steps.scan-image-dirs.outputs.image-dirs-as-json }}
runs:
using: composite
steps:
- id: scan-image-dirs
name: Scan Image Dirs
shell: bash
working-directory: ${{ inputs.base-directory }}
run: |
IMAGE_DIRS=$(find . -type f -mindepth 2 -name Dockerfile | grep -v target | xargs -I% dirname % | xargs || echo "")
echo "image dirs IMAGE_DIRS=$IMAGE_DIRS"
FILTERED_IMAGE_DIRS=()
for IMAGE_DIR in $IMAGE_DIRS; do
echo checking $IMAGE_DIR
if [ "$(yq '.project.properties.["docker.skip"]' $IMAGE_DIR/pom.xml)" != "true" ]; then
echo add $IMAGE_DIR
FILTERED_IMAGE_DIRS+=($IMAGE_DIR)
fi
done
echo "filtered image dirs FILTERED_IMAGE_DIRS=${FILTERED_IMAGE_DIRS[@]}"
IMAGE_DIRS_AS_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${FILTERED_IMAGE_DIRS[@]}")
echo "generated image dirs matrix IMAGE_DIRS_AS_JSON=$IMAGE_DIRS_AS_JSON"
echo "image-dirs-as-json=$IMAGE_DIRS_AS_JSON" >> $GITHUB_OUTPUT
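Review bot: In the `find` invocation on the first line of the script, the global option `-mindepth 2` follows the `-type f` test, which GNU find accepts but warns about on every run; reorder it as `find . -mindepth 2 -type f -name Dockerfile`. The `grep -v target` filter matches the substring anywhere in a path, so a module directory whose name merely contains `target` would be dropped silently; `grep -v '/target/'` expresses the apparent intent of skipping Maven build output. `IMAGE_DIRS` is then iterated by word splitting and appended unquoted (`FILTERED_IMAGE_DIRS+=($IMAGE_DIR)`), so a directory name containing whitespace or a glob character would be split or expanded — quote it as `FILTERED_IMAGE_DIRS+=("$IMAGE_DIR")`. If `image-dirs-as-json` is consumed as a `strategy.matrix` (the "matrix" log line suggests it), an empty `[]` will fail the consuming job rather than skip it; that case should be documented in the output's description or guarded by the caller.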
