From e9adfb4777ccd7edeb44b10dc1a79cf2bcf81823 Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Wed, 25 Oct 2023 17:16:54 +0200 Subject: [PATCH 01/16] refactor: moved github actions from alfresco-process The two actions docker-build-image and docker-scan-image have been created in the Alfresco/alfresco-process repository. This was causing a bad coupling between the action changes in the alfresco-process repo and the other repos containing the action (like Alfresco/alfresco-deployment-service). Moving the actions here enables a more decoupled design. Refs: AAE-17459 --- .github/actions/docker-build-image/action.yml | 213 ++++++++++++++++++ .../actions/docker-scan-image-dirs/action.yml | 33 +++ 2 files changed, 246 insertions(+) create mode 100644 .github/actions/docker-build-image/action.yml create mode 100644 .github/actions/docker-scan-image-dirs/action.yml diff --git a/.github/actions/docker-build-image/action.yml b/.github/actions/docker-build-image/action.yml new file mode 100644 index 000000000..667d9aeb5 --- /dev/null +++ b/.github/actions/docker-build-image/action.yml 
@@ -0,0 +1,213 @@ +name: Build docker image +description: Build docker image based on supplied jar files +inputs: + base-directory: + description: base working directory directory + required: false + default: . + image-tag: + description: tag to be created + required: true + image-dir: + description: Directory holding the Dockerfile. Relative path from base-directory. + required: true + docker-username: + description: Docker.io user name + required: true + docker-password: + description: Docker.io password + required: true + quay-username: + description: Quay.io user name + required: true + quay-password: + description: Quay.io password + required: true + ghcr-username: + description: User name to connect to GHCR + required: false + default: ${{ github.actor }} + ghcr-token: + description: Github token to connect to GHCR + required: true + aws-access-key-id: + description: AWS access key id to connect to ECR + required: false + aws-secret-access-key: + description: AWS secret access key to connect to ECR + required: false + aws-account-id: + description: AWS account id to connect to ECR + required: true + aws-region: + description: AWS region to use while pushing to ECR + required: false + default: us-east-1 + aws-role-name: + required: false + description: AWS role name + default: ECR_Write + grype-scan-enabled: + description: Define whether a Grype scan should be executed or not + required: false + default: 'true' + jars-artifact-name: + description: Name of the the artifact holding the jar files used to build the docker image + required: false + default: 'build' + preview-label: + description: The label name for creating a preview version + required: false + default: 'preview' + +runs: + using: composite + steps: + - name: Set is_preview env variable + env: + IS_PREVIEW: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, inputs.preview-label) }} + shell: bash + run: | + echo "IS_PREVIEW=$IS_PREVIEW" >> $GITHUB_ENV + + - 
name: set is PUSH_IMAGE env variable + env: + PUSH_IMAGE: ${{ github.event_name == 'push' || env.IS_PREVIEW == 'true' }} + shell: bash + run: echo "PUSH_IMAGE=$PUSH_IMAGE" >> $GITHUB_ENV + + - uses: actions/download-artifact@v3 + with: + name: ${{ inputs.jars-artifact-name }} + + - name: Set IMAGE_NAME + shell: bash + run: | + REPOSITORY=${DIR##*/} + TAG="${TAG:-$(echo ${GITHUB_HEAD_REF:-$GITHUB_REF_NAME} | sed -e 's/[^-_.[:alnum:]]/_/g')}" + echo "IMAGE_REPOSITORY=$REPOSITORY" >> $GITHUB_ENV + echo "IMAGE_TAG=$TAG" >> $GITHUB_ENV + echo "IMAGE_NAME=$REPOSITORY:$TAG" >> $GITHUB_ENV + env: + DIR: ${{ inputs.image-dir }} + TAG: ${{ inputs.image-tag }} + + - name: Replace base image + shell: bash + working-directory: ${{ inputs.base-directory }} + run: | + cp ./Dockerfile $DIR/Dockerfile.new + cp ./entrypoint.sh ./$DIR + tail -n +2 $DIR/Dockerfile >> $DIR/Dockerfile.new + mv $DIR/Dockerfile{.new,} + env: + DIR: ${{ inputs.image-dir }} + + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + with: + version: v0.11.0 + # apply fix from https://github.com/moby/buildkit/issues/3969 + driver-opts: | + image=moby/buildkit:v0.11.6 + network=host + + - name: Login to docker.io + uses: docker/login-action@v2 + with: + username: ${{ inputs.docker-username }} + password: ${{ inputs.docker-password }} + + - name: Build image ${{ env.IMAGE_NAME }} + uses: docker/build-push-action@v4 + with: + context: ${{ inputs.base-directory }}/${{ inputs.image-dir }} + tags: ghcr.io/alfresco/${{ env.IMAGE_NAME }} + load: true + cache-from: type=gha + cache-to: type=gha,mode=max + provenance: false + + - name: Anchore Scan API Image + uses: anchore/scan-action@v3 + id: scan + with: + # for now fail-build parameter is set to false as there are many more problems reported by grype than prisma. + # we should set it to true after those issues are fixed. 
+ # See https://alfresco.atlassian.net/browse/HXCS-2474 for more details. + fail-build: false + grype-version: v0.72.0 + image: ghcr.io/alfresco/${{ env.IMAGE_NAME }} + output-format: sarif + severity-cutoff: critical + + - name: Echo sarif + shell: bash + run: echo "$(> $GITHUB_OUTPUT From dfe2536701f010574c660372989324b61a3ebaa9 Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Wed, 25 Oct 2023 17:31:11 +0200 Subject: [PATCH 02/16] docs: added documentaion for the two actions moved Basic documentation for the two actions. Needs to be improved. Refs: AAE-17459 --- docs/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/README.md b/docs/README.md index 081b1fda5..645dde6a5 100644 --- a/docs/README.md +++ b/docs/README.md @@ -31,7 +31,9 @@ Here follows the list of GitHub Actions topics available in the current document - [automate-dependabot](#automate-dependabot) - [automate-propagation](#automate-propagation) - [configure-git-author](#configure-git-author) + - [docker-build-image](#docker-build-image) - [docker-dump-containers-logs](#docker-dump-containers-logs) + - [docker-scan-image-dirs](#docker-scan-image-dirs) - [env-load-from-yaml](#env-load-from-yaml) - [free-hosted-runner-disk-space](#free-hosted-runner-disk-space) - [get-branch-name](#get-branch-name) 
@@ -344,6 +346,12 @@ Configures the git username and email to associate commits with the provided ide The two vars in the previous snippet are [workflow configuration variables](https://github.blog/changelog/2023-01-10-github-actions-support-for-configuration-variables-in-workflows/) that can be created at organization level and shared across different repositories. +### docker-build-image + +```yaml + - uses: Alfresco/alfresco-build-tools/.github/actions/docker-build-image@ref +``` + ### docker-dump-containers-logs Dumps Docker containers logs. Each container's log will be stored in a separate `.log` file. All files will be archived by default under `containers-logs---.tar.gz` and will be available to download via the workflow's summary page. @@ -353,6 +361,12 @@ It is also possible to specify the output archive name when providing the `outpu - uses: Alfresco/alfresco-build-tools/.github/actions/docker-dump-containers-logs@ref ``` +### docker-scan-image-dirs + +```yaml + - uses: Alfresco/alfresco-build-tools/.github/actions/docker-scan-image-dirs@ref +``` + ### env-load-from-yaml To ease the migration to GitHub Actions of repositories that contains one or From 1d42f08cf7b4223ec20989784c2ea165e727f993 Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Wed, 25 Oct 2023 19:25:21 +0200 Subject: [PATCH 03/16] docs: improved docker-build-image documentation Refs: AAE-17459 --- docs/README.md | 43 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/docs/README.md b/docs/README.md index 645dde6a5..24b444c48 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -348,9 +348,50 @@ The two vars in the previous snippet are [workflow configuration variables](http ### docker-build-image +Build docker image based on supplied jar files. It replaces `image-dir` and `image-tag` in the +docker file and build it. After the build if `grype-scan-enabled` is `true` it scans the image using grype and upload the result in GitHub security. +Finally, it push the created image into: +- RedHat quay.io +- GitHub ghcr +- AWS ECR + ```yaml - uses: Alfresco/alfresco-build-tools/.github/actions/docker-build-image@ref -``` + with: + image-tag: ${{ needs.build.outputs.version }} + image-dir: ${{ matrix.image-dir }} + docker-username: ${{ secrets.DOCKER_USERNAME }} + docker-password: ${{ secrets.DOCKER_PASSWORD }} + quay-username: ${{ secrets.QUAY_USERNAME }} + quay-password: ${{ secrets.QUAY_PASSWORD }} + ghcr-token: ${{ secrets.GITHUB_TOKEN }} + aws-access-key-id: ${{ secrets.HXPS_DEV_SVC_ECR_WRITE_AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.HXPS_DEV_SVC_ECR_WRITE_AWS_SECRET_ACCESS_KEY }} + aws-account-id: ${{ vars.ACCOUNT_ID }} + # aws-region: ${{ vars.AWS_REGION }} # optional + # aws-role-name: ${{ vars.AWS_ROLE_NAME }} # optional + # grype-scan-enabled: true # optional + # preview-label: ${{ vars.PREVIEW_LABEL }} # optional + +``` +| Input | Required | Description | +|-----------------------|----------|----------------------------------------------------------------------| +| base-directory | false | base working directory directory | +| image-tag | true | tag to be created | +| image-dir | true | Directory holding the Dockerfile. Relative path from base-directory. 
| +| docker-username | true | Docker.io user name | +| docker-password | true | Docker.io password | +| quay-username | true | Quay.io user name | +| quay-password | true | Quay.io password | +| ghcr-username | false | User name to connect to GHCR | +| ghcr-token | true | Github token to connect to GHCR | +| aws-access-key-id | false | AWS access key id to connect to ECR | +| aws-secret-access-key | false | AWS secret access key to connect to ECR | +| aws-account-id | true | AWS account id to connect to ECR | +| aws-region | false | AWS region to use while pushing to ECR | +| aws-role-name | false | AWS role name | +| grype-scan-enabled | false | Define whether a Grype scan should be executed or not | +| preview-label | false | The label name for creating a preview version | ### docker-dump-containers-logs From de8c7134a1e6a1ed2ae6d82215719788729f1f59 Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Wed, 25 Oct 2023 19:30:00 +0200 Subject: [PATCH 04/16] docs: enhanced documentation of the docker-scan-image-dir Refs: AAE-17459 --- docs/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/README.md b/docs/README.md index 24b444c48..9056598e1 100644 --- a/docs/README.md +++ b/docs/README.md @@ -351,6 +351,7 @@ The two vars in the previous snippet are [workflow configuration variables](http Build docker image based on supplied jar files. It replaces `image-dir` and `image-tag` in the docker file and build it. After the build if `grype-scan-enabled` is `true` it scans the image using grype and upload the result in GitHub security. Finally, it push the created image into: + - RedHat quay.io - GitHub ghcr - AWS ECR @@ -374,6 +375,7 @@ Finally, it push the created image into: # preview-label: ${{ vars.PREVIEW_LABEL }} # optional ``` + | Input | Required | Description | |-----------------------|----------|----------------------------------------------------------------------| | base-directory | false | base working directory directory | 
@@ -404,6 +406,8 @@ It is also possible to specify the output archive name when providing the `outpu ### docker-scan-image-dirs +Scan the directories were the Dockerfiles are to feed the scanner. + ```yaml - uses: Alfresco/alfresco-build-tools/.github/actions/docker-scan-image-dirs@ref ``` From b0fe49cb0de3ae4b309462a3d1904f0b3e1d4592 Mon Sep 17 00:00:00 2001 From: Anahide Tchertchian <608958+atchertchian@users.noreply.github.com> Date: Thu, 26 Oct 2023 14:57:28 +0200 Subject: [PATCH 05/16] Update version.txt --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index c0c4025db..130165bc0 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -v3.5.0 +v3.6.0 From 1ae85ac7b3083e06b9bc7758de72295498d38666 Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Thu, 26 Oct 2023 15:38:17 +0200 Subject: [PATCH 06/16] fix: updated the docker-build-image/action.yml The file copied from alfresco-process repo has a new version and needs to be updated before being moved. Refs: AAE-17459 --- .github/actions/docker-build-image/action.yml | 36 ++++++++----------- 1 file changed, 14 insertions(+), 22 deletions(-) diff --git a/.github/actions/docker-build-image/action.yml b/.github/actions/docker-build-image/action.yml index 667d9aeb5..ee10434e6 100644 --- a/.github/actions/docker-build-image/action.yml +++ b/.github/actions/docker-build-image/action.yml @@ -51,10 +51,6 @@ inputs: description: Define whether a Grype scan should be executed or not required: false default: 'true' - jars-artifact-name: - description: Name of the the artifact holding the jar files used to build the docker image - required: false - default: 'build' preview-label: description: The label name for creating a preview version required: false @@ -76,10 +72,6 @@ runs: shell: bash run: echo "PUSH_IMAGE=$PUSH_IMAGE" >> $GITHUB_ENV - - uses: actions/download-artifact@v3 - with: - name: ${{ inputs.jars-artifact-name }} - - name: Set IMAGE_NAME shell: bash run: | 
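Review bot: With the `actions/download-artifact@v3` step removed in the second action.yml hunk of this patch, the action no longer fetches the jar files itself, yet its `description: Build docker image based on supplied jar files` (line 2, outside this hunk) and the README section added earlier in the series still read as if it did. The caller now has to place whatever the Dockerfile needs under `base-directory` before invoking the action; that contract should be stated where users look for it, e.g. `description: Build a docker image from image-dir; the caller must make the required jar files available under base-directory beforehand`. The first hunk on this line drops the matching `jars-artifact-name` input, so the two removals are consistent with each other; it is only the surrounding documentation that has gone stale.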
@@ -104,10 +96,10 @@ runs: DIR: ${{ inputs.image-dir }} - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0 with: version: v0.11.0 # apply fix from https://github.com/moby/buildkit/issues/3969 @@ -116,13 +108,13 @@ runs: network=host - name: Login to docker.io - uses: docker/login-action@v2 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: username: ${{ inputs.docker-username }} password: ${{ inputs.docker-password }} - name: Build image ${{ env.IMAGE_NAME }} - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: ${{ inputs.base-directory }}/${{ inputs.image-dir }} tags: ghcr.io/alfresco/${{ env.IMAGE_NAME }} @@ -132,14 +124,14 @@ runs: provenance: false - name: Anchore Scan API Image - uses: anchore/scan-action@v3 + uses: anchore/scan-action@24fd7c9060f3c96848dd1929fac8d796fb5ae4b4 # v3.3.6 id: scan with: # for now fail-build parameter is set to false as there are many more problems reported by grype than prisma. # we should set it to true after those issues are fixed. - # See https://alfresco.atlassian.net/browse/HXCS-2474 for more details. + # See See https://alfresco.atlassian.net/browse/HXCS-2474 for more details. fail-build: false - grype-version: v0.72.0 + grype-version: v0.71.0 image: ghcr.io/alfresco/${{ env.IMAGE_NAME }} output-format: sarif severity-cutoff: critical 
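Review bot: The comment above `fail-build` is changed to `# See See https://alfresco.atlassian.net/browse/HXCS-2474 for more details.`, duplicating the word, and the typo then survives as context through patches 12 and 16; it should read `# See https://alfresco.atlassian.net/browse/HXCS-2474 for more details.`. The same hunk moves `grype-version` from v0.72.0 down to v0.71.0 although the subject says the file is being brought up to date; since the last patch of the series puts v0.72.0 back, the intermediate downgrade looks unintended and could be squashed away so no revision of the branch pins the older scanner. Pinning the third-party actions to full commit SHAs with the `# vX.Y.Z` trailing comments is the right shape, as it gives a reproducible supply chain while still letting dependency tooling read the version.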
@@ -150,7 +142,7 @@ runs: - name: Upload SARIF Files if: ${{ always() && inputs.grype-scan-enabled == 'true' }} - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 continue-on-error: true # do not fail if GHAS is not enabled with: sarif_file: ${{ steps.scan.outputs.sarif }} @@ -158,13 +150,13 @@ runs: - name: Extract metadata for Docker if: env.PUSH_IMAGE == 'true' id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 with: images: ${{ env.IMAGE_NAME }} - name: Login to quay.io if: env.PUSH_IMAGE == 'true' - uses: docker/login-action@v2 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: registry: quay.io username: ${{ inputs.quay-username }} @@ -172,7 +164,7 @@ runs: - name: Login to ghcr.io if: env.PUSH_IMAGE == 'true' - uses: docker/login-action@v2 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: registry: ghcr.io username: ${{ inputs.ghcr-username }} @@ -180,7 +172,7 @@ runs: - name: Configure AWS credentials if: env.PUSH_IMAGE == 'true' - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 with: aws-access-key-id: ${{ inputs.aws-access-key-id }} aws-secret-access-key: ${{ inputs.aws-secret-access-key }} @@ -192,13 +184,13 @@ runs: - name: Login to Amazon ECR if: env.PUSH_IMAGE == 'true' id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 + uses: aws-actions/amazon-ecr-login@2fc7aceee09e9e4a7105c0d060c656fad0b4f63d # v1.7.0 with: mask-password: true - name: Build and Push image ${{ env.IMAGE_NAME }} if: env.PUSH_IMAGE == 'true' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: ${{ inputs.base-directory }}/${{ inputs.image-dir }} platforms: linux/amd64,linux/arm64/v8 
From 703f5ad92e7f7c8ebff825162849404373b570a7 Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Thu, 26 Oct 2023 15:56:09 +0200 Subject: [PATCH 07/16] Update .github/actions/docker-build-image/action.yml Co-authored-by: Anahide Tchertchian <608958+atchertchian@users.noreply.github.com> --- .github/actions/docker-build-image/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/docker-build-image/action.yml b/.github/actions/docker-build-image/action.yml index ee10434e6..b85a5573f 100644 --- a/.github/actions/docker-build-image/action.yml +++ b/.github/actions/docker-build-image/action.yml @@ -2,7 +2,7 @@ name: Build docker image description: Build docker image based on supplied jar files inputs: base-directory: - description: base working directory directory + description: Base working directory required: false default: . image-tag: From c0c021cb9b0abcf137ba5501e2c7ad3a7d13981a Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Thu, 26 Oct 2023 15:59:05 +0200 Subject: [PATCH 08/16] Update docs/README.md Co-authored-by: Anahide Tchertchian <608958+atchertchian@users.noreply.github.com> --- docs/README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/README.md b/docs/README.md index 9056598e1..8478be748 100644 --- a/docs/README.md +++ b/docs/README.md @@ -349,8 +349,11 @@ The two vars in the previous snippet are [workflow configuration variables](http ### docker-build-image Build docker image based on supplied jar files. It replaces `image-dir` and `image-tag` in the -docker file and build it. After the build if `grype-scan-enabled` is `true` it scans the image using grype and upload the result in GitHub security. -Finally, it push the created image into: +docker file and builds it. + +After the build, if `grype-scan-enabled` is `true`, it scans the image using grype and uploads the result in GitHub security. + +Finally, it pushes the created image into: - RedHat quay.io - GitHub ghcr 
From 43e8c0bb1c569af8e323cc0a0693df0dfe2ea3d5 Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Thu, 26 Oct 2023 15:59:42 +0200 Subject: [PATCH 09/16] Update docs/README.md Co-authored-by: Anahide Tchertchian <608958+atchertchian@users.noreply.github.com> --- docs/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/README.md b/docs/README.md index 8478be748..002a82331 100644 --- a/docs/README.md +++ b/docs/README.md @@ -359,6 +359,7 @@ Finally, it pushes the created image into: - GitHub ghcr - AWS ECR +When using OIDC on AWS, inputs `aws-access-key-id` and `aws-secret-access-key` can be omitted: the `aws-role-name` input should be used instead. ```yaml - uses: Alfresco/alfresco-build-tools/.github/actions/docker-build-image@ref with: From 4821554c2e5536819aebcc64294831032e19da72 Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Thu, 26 Oct 2023 16:00:50 +0200 Subject: [PATCH 10/16] Update docs/README.md Co-authored-by: Anahide Tchertchian <608958+atchertchian@users.noreply.github.com> --- docs/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/README.md b/docs/README.md index 002a82331..b55f437c7 100644 --- a/docs/README.md +++ b/docs/README.md @@ -377,7 +377,6 @@ When using OIDC on AWS, inputs `aws-access-key-id` and `aws-secret-access-key` c # aws-role-name: ${{ vars.AWS_ROLE_NAME }} # optional # grype-scan-enabled: true # optional # preview-label: ${{ vars.PREVIEW_LABEL }} # optional - ``` | Input | Required | Description | From 69b72b37f64222e3d4a4346db9f3c2a9ced8b696 Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Thu, 26 Oct 2023 16:02:12 +0200 Subject: [PATCH 11/16] Update .github/actions/docker-build-image/action.yml Co-authored-by: Anahide Tchertchian <608958+atchertchian@users.noreply.github.com> --- .github/actions/docker-build-image/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/actions/docker-build-image/action.yml b/.github/actions/docker-build-image/action.yml index b85a5573f..84107cc02 100644 --- a/.github/actions/docker-build-image/action.yml +++ b/.github/actions/docker-build-image/action.yml @@ -48,7 +48,7 @@ inputs: description: AWS role name default: ECR_Write grype-scan-enabled: - description: Define whether a Grype scan should be executed or not + description: Defines whether a Grype scan should be executed or not required: false default: 'true' preview-label: From 0f8bdffa0c07ebb1add63a2ea613b12a494d2153 Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Thu, 26 Oct 2023 16:43:01 +0200 Subject: [PATCH 12/16] Update .github/actions/docker-build-image/action.yml Co-authored-by: Anahide Tchertchian <608958+atchertchian@users.noreply.github.com> --- .github/actions/docker-build-image/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/docker-build-image/action.yml b/.github/actions/docker-build-image/action.yml index 84107cc02..a42377e12 100644 --- a/.github/actions/docker-build-image/action.yml +++ b/.github/actions/docker-build-image/action.yml @@ -130,7 +130,7 @@ runs: # for now fail-build parameter is set to false as there are many more problems reported by grype than prisma. # we should set it to true after those issues are fixed. # See See https://alfresco.atlassian.net/browse/HXCS-2474 for more details. - fail-build: false + fail-build: ${{ inputs.grype-fail-build }} grype-version: v0.71.0 image: ghcr.io/alfresco/${{ env.IMAGE_NAME }} output-format: sarif From 893c3d6933784c28c88eb65493aa0db821809d38 Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Thu, 26 Oct 2023 16:43:15 +0200 Subject: [PATCH 13/16] Update .github/actions/docker-build-image/action.yml Co-authored-by: Anahide Tchertchian <608958+atchertchian@users.noreply.github.com> --- .github/actions/docker-build-image/action.yml | 4 ++++ 1 file changed, 4 insertions(+) 
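Review bot: `fail-build: ${{ inputs.grype-fail-build }}` leaves the three comment lines above it describing the old hard-coded value (`# for now fail-build parameter is set to false ... we should set it to true after those issues are fixed.`), which no longer matches code that takes the value from an input. Replace them with a comment describing the new contract, e.g. `# fail-build is controlled by the grype-fail-build input; HXCS-2474 tracks the findings that motivated making it configurable.`. At this point in the series `grype-fail-build` is not yet declared under `inputs:` (it is added in the following patch), so this commit on its own references an undefined input and the expression would presumably expand to an empty value; landing the input declaration and its first use in the same commit keeps every revision of the branch consistent.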
diff --git a/.github/actions/docker-build-image/action.yml b/.github/actions/docker-build-image/action.yml index a42377e12..8da57eb3e 100644 --- a/.github/actions/docker-build-image/action.yml +++ b/.github/actions/docker-build-image/action.yml @@ -51,6 +51,10 @@ inputs: description: Defines whether a Grype scan should be executed or not required: false default: 'true' +grype-fail-build: + description: Defines whether a Grype scan failure would fail the build + required: false + default: 'true' preview-label: description: The label name for creating a preview version required: false From c5d5b8d917b4729bd02033dad945f79cf5c1bbb3 Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Thu, 26 Oct 2023 16:43:28 +0200 Subject: [PATCH 14/16] Update docs/README.md Co-authored-by: Anahide Tchertchian <608958+atchertchian@users.noreply.github.com> --- docs/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/README.md b/docs/README.md index b55f437c7..603f4a1a1 100644 --- a/docs/README.md +++ b/docs/README.md @@ -376,6 +376,7 @@ When using OIDC on AWS, inputs `aws-access-key-id` and `aws-secret-access-key` c # aws-region: ${{ vars.AWS_REGION }} # optional # aws-role-name: ${{ vars.AWS_ROLE_NAME }} # optional # grype-scan-enabled: true # optional + # grype-fail-build: false # optional # preview-label: ${{ vars.PREVIEW_LABEL }} # optional ``` From a889b93ad155bd72c811e92aa55369e412b6f112 Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Thu, 26 Oct 2023 16:49:30 +0200 Subject: [PATCH 15/16] fix: wrong indentation in yaml and missing line in markdown Refs: AAE-17459 --- .github/actions/docker-build-image/action.yml | 2 +- docs/README.md | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/actions/docker-build-image/action.yml b/.github/actions/docker-build-image/action.yml index 8da57eb3e..66edc242f 100644 --- a/.github/actions/docker-build-image/action.yml +++ b/.github/actions/docker-build-image/action.yml 
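Review bot: `grype-fail-build` defaults to `'true'`, whereas the `fail-build` it feeds was hard-coded to `false` with a comment explaining that grype reports more findings than the previous scanner; every caller that does not set the input explicitly will now have its build fail on findings at or above the `severity-cutoff: critical` configured in the scan step. Failing closed is a sensible default for a security gate, but it is a behaviour change for existing callers and deserves a sentence in the commit message and in the README, where the input currently appears only as the commented-out line `# grype-fail-build: false # optional`. The description could also make the default visible to readers of the action, e.g. `description: Defines whether findings at or above the severity cutoff fail the build (default true)`.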
@@ -51,7 +51,7 @@ inputs: description: Defines whether a Grype scan should be executed or not required: false default: 'true' -grype-fail-build: + grype-fail-build: description: Defines whether a Grype scan failure would fail the build required: false default: 'true' diff --git a/docs/README.md b/docs/README.md index 603f4a1a1..022043779 100644 --- a/docs/README.md +++ b/docs/README.md @@ -360,6 +360,7 @@ Finally, it pushes the created image into: - AWS ECR When using OIDC on AWS, inputs `aws-access-key-id` and `aws-secret-access-key` can be omitted: the `aws-role-name` input should be used instead. + ```yaml - uses: Alfresco/alfresco-build-tools/.github/actions/docker-build-image@ref with: @@ -376,7 +377,7 @@ When using OIDC on AWS, inputs `aws-access-key-id` and `aws-secret-access-key` c # aws-region: ${{ vars.AWS_REGION }} # optional # aws-role-name: ${{ vars.AWS_ROLE_NAME }} # optional # grype-scan-enabled: true # optional - # grype-fail-build: false # optional + # grype-fail-build: false # optional # preview-label: ${{ vars.PREVIEW_LABEL }} # optional ``` From c8e8bc1ca86ca200c9bfc2814ebebd2709a134bf Mon Sep 17 00:00:00 2001 From: Gian Carlo Pace Date: Thu, 26 Oct 2023 17:06:47 +0200 Subject: [PATCH 16/16] update: updated the grype version Refs: AAE-17459 --- .github/actions/docker-build-image/action.yml | 2 +- docs/README.md | 19 ------------------- 2 files changed, 1 insertion(+), 20 deletions(-) diff --git a/.github/actions/docker-build-image/action.yml b/.github/actions/docker-build-image/action.yml index 66edc242f..4e0700449 100644 --- a/.github/actions/docker-build-image/action.yml +++ b/.github/actions/docker-build-image/action.yml 
@@ -135,7 +135,7 @@ runs: # we should set it to true after those issues are fixed. # See See https://alfresco.atlassian.net/browse/HXCS-2474 for more details. fail-build: ${{ inputs.grype-fail-build }} - grype-version: v0.71.0 + grype-version: v0.72.0 image: ghcr.io/alfresco/${{ env.IMAGE_NAME }} output-format: sarif severity-cutoff: critical diff --git a/docs/README.md b/docs/README.md index 022043779..f5c242efb 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -381,25 +381,6 @@ When using OIDC on AWS, inputs `aws-access-key-id` and `aws-secret-access-key` c # preview-label: ${{ vars.PREVIEW_LABEL }} # optional ``` -| Input | Required | Description | -|-----------------------|----------|----------------------------------------------------------------------| -| base-directory | false | base working directory directory | -| image-tag | true | tag to be created | -| image-dir | true | Directory holding the Dockerfile. Relative path from base-directory. | -| docker-username | true | Docker.io user name | -| docker-password | true | Docker.io password | -| quay-username | true | Quay.io user name | -| quay-password | true | Quay.io password | -| ghcr-username | false | User name to connect to GHCR | -| ghcr-token | true | Github token to connect to GHCR | -| aws-access-key-id | false | AWS access key id to connect to ECR | -| aws-secret-access-key | false | AWS secret access key to connect to ECR | -| aws-account-id | true | AWS account id to connect to ECR | -| aws-region | false | AWS region to use while pushing to ECR | -| aws-role-name | false | AWS role name | -| grype-scan-enabled | false | Define whether a Grype scan should be executed or not | -| preview-label | false | The label name for creating a preview version | - ### docker-dump-containers-logs Dumps Docker containers logs. Each container's log will be stored in a separate `.log` file. All files will be archived by default under `containers-logs---.tar.gz` and will be available to download via the workflow's summary page.