Alfresco · gicappa · Oct 26, 2023 · Oct 25, 2023 · Oct 25, 2023 · Oct 25, 2023
@@ -0,0 +1,213 @@
+name: Build docker image
+description: Build docker image based on supplied jar files
+inputs:
+  base-directory:
+    description: base working directory directory
+    required: false
+    default: .
+  image-tag:
+    description: tag to be created
+    required: true
+  image-dir:
+    description: Directory holding the Dockerfile. Relative path from base-directory.
+    required: true
+  docker-username:
+    description: Docker.io user name
+    required: true
+  docker-password:
+    description: Docker.io password
+    required: true
+  quay-username:
+    description: Quay.io user name
+    required: true
+  quay-password:
+    description: Quay.io password
+    required: true
+  ghcr-username:
+    description: User name to connect to GHCR
+    required: false
+    default: ${{ github.actor }}
+  ghcr-token:
+    description: Github token to connect to GHCR
+    required: true
+  aws-access-key-id:
+    description: AWS access key id to connect to ECR
+    required: false
+  aws-secret-access-key:
+    description: AWS secret access key to connect to ECR
+    required: false
+  aws-account-id:
+    description: AWS account id to connect to ECR
+    required: true
+  aws-region:
+    description: AWS region to use while pushing to ECR
+    required: false
+    default: us-east-1
+  aws-role-name:
+    required: false
+    description: AWS role name
+    default: ECR_Write
+  grype-scan-enabled:
+    description: Define whether a Grype scan should be executed or not
+    required: false
+    default: 'true'
+  jars-artifact-name:
+    description: Name of the the artifact holding the jar files used to build the docker image
+    required: false
+    default: 'build'
+  preview-label:
+    description: The label name for creating a preview version
+    required: false
+    default: 'preview'
+
+runs:
+  using: composite
+  steps:
+    - name: Set is_preview env variable
+      env:
+        IS_PREVIEW: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, inputs.preview-label) }}
+      shell: bash
+      run: |
+        echo "IS_PREVIEW=$IS_PREVIEW" >> $GITHUB_ENV
+
+    - name: set is PUSH_IMAGE env variable
+      env:
+        PUSH_IMAGE: ${{ github.event_name == 'push' || env.IS_PREVIEW == 'true' }}
+      shell: bash
+      run: echo "PUSH_IMAGE=$PUSH_IMAGE" >> $GITHUB_ENV
+
+    - uses: actions/download-artifact@v3
+      with:
+        name: ${{ inputs.jars-artifact-name }}
+
+    - name: Set IMAGE_NAME
+      shell: bash
+      run: |
+        REPOSITORY=${DIR##*/}
+        TAG="${TAG:-$(echo ${GITHUB_HEAD_REF:-$GITHUB_REF_NAME} | sed -e 's/[^-_.[:alnum:]]/_/g')}"
+        echo "IMAGE_REPOSITORY=$REPOSITORY" >> $GITHUB_ENV
+        echo "IMAGE_TAG=$TAG" >> $GITHUB_ENV
+        echo "IMAGE_NAME=$REPOSITORY:$TAG" >> $GITHUB_ENV
+      env:
+        DIR: ${{ inputs.image-dir }}
+        TAG: ${{ inputs.image-tag }}
+
+    - name: Replace base image
+      shell: bash
+      working-directory: ${{ inputs.base-directory }}
+      run: |
+        cp ./Dockerfile $DIR/Dockerfile.new
+        cp ./entrypoint.sh ./$DIR
+        tail -n +2 $DIR/Dockerfile >> $DIR/Dockerfile.new
+        mv $DIR/Dockerfile{.new,}
+      env:
+        DIR: ${{ inputs.image-dir }}
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v2
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v2
+      with:
+        version: v0.11.0
+        # apply fix from https://github.com/moby/buildkit/issues/3969
+        driver-opts: |
+          image=moby/buildkit:v0.11.6
+          network=host
+
+    - name: Login to docker.io
+      uses: docker/login-action@v2
+      with:
+        username: ${{ inputs.docker-username }}
+        password: ${{ inputs.docker-password }}
+
+    - name: Build image ${{ env.IMAGE_NAME }}
+      uses: docker/build-push-action@v4
+      with:
+        context: ${{ inputs.base-directory }}/${{ inputs.image-dir }}
+        tags: ghcr.io/alfresco/${{ env.IMAGE_NAME }}
+        load: true
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        provenance: false
+
+    - name: Anchore Scan API Image
+      uses: anchore/scan-action@v3
+      id: scan
+      with:
+        # for now fail-build parameter is set to false as there are many more problems reported by grype than prisma.
+        # we should set it to true after those issues are fixed.
+        # See https://alfresco.atlassian.net/browse/HXCS-2474 for more details.
+        fail-build: false
+        grype-version: v0.72.0
+        image: ghcr.io/alfresco/${{ env.IMAGE_NAME }}
+        output-format: sarif
+        severity-cutoff: critical
+
+    - name: Echo sarif
+      shell: bash
+      run: echo "$(<results.sarif )"
+
+    - name: Upload SARIF Files
+      if: ${{ always() && inputs.grype-scan-enabled == 'true' }}
+      uses: github/codeql-action/upload-sarif@v2
+      continue-on-error: true # do not fail if GHAS is not enabled
+      with:
+        sarif_file: ${{ steps.scan.outputs.sarif }}
+
+    - name: Extract metadata for Docker
+      if: env.PUSH_IMAGE == 'true'
+      id: meta
+      uses: docker/metadata-action@v4
+      with:
+        images: ${{ env.IMAGE_NAME }}
+
+    - name: Login to quay.io
+      if: env.PUSH_IMAGE == 'true'
+      uses: docker/login-action@v2
+      with:
+        registry: quay.io
+        username: ${{ inputs.quay-username }}
+        password: ${{ inputs.quay-password }}
+
+    - name: Login to ghcr.io
+      if: env.PUSH_IMAGE == 'true'
+      uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ inputs.ghcr-username }}
+        password: ${{ inputs.ghcr-token }}
+
+    - name: Configure AWS credentials
+      if: env.PUSH_IMAGE == 'true'
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        aws-access-key-id: ${{ inputs.aws-access-key-id }}
+        aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
+        aws-region: ${{ inputs.aws-region }}
+        role-to-assume: arn:aws:iam::${{ inputs.aws-account-id }}:role/${{ inputs.aws-role-name }}
+        role-session-name: gh-${{ env.IMAGE_REPOSITORY }}
+        role-duration-seconds: 900
+
+    - name: Login to Amazon ECR
+      if: env.PUSH_IMAGE == 'true'
+      id: login-ecr
+      uses: aws-actions/amazon-ecr-login@v1
+      with:
+        mask-password: true
+
+    - name: Build and Push image ${{ env.IMAGE_NAME }}
+      if: env.PUSH_IMAGE == 'true'
+      uses: docker/build-push-action@v4
+      with:
+        context: ${{ inputs.base-directory }}/${{ inputs.image-dir }}
+        platforms: linux/amd64,linux/arm64/v8
+        tags: |
+          quay.io/alfresco/${{ env.IMAGE_NAME }}
+          ghcr.io/alfresco/${{ env.IMAGE_NAME }}
+          ${{ steps.login-ecr.outputs.registry }}/${{ env.IMAGE_NAME }}
+        labels: ${{ steps.meta.outputs.labels }}
+        push: true
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        provenance: false
@@ -0,0 +1,33 @@
+name: Scan docker image directories
+description: Scan the directories Dockerfile
+inputs:
+  base-directory:
+    description: base directory to be scanned
+    required: false
+    default: .
+outputs:
+  image-dirs-as-json:
+    description: list of directories containing Dockerfile formatted as JSON
+    value: ${{ steps.scan-image-dirs.outputs.image-dirs-as-json }}
+runs:
+  using: composite
+  steps:
+    - id: scan-image-dirs
+      name: Scan Image Dirs
+      shell: bash
+      working-directory: ${{ inputs.base-directory }}
+      run: |
+        IMAGE_DIRS=$(find . -type f -mindepth 2 -name Dockerfile | grep -v target | xargs -I% dirname % | xargs || echo "")
+        echo "image dirs IMAGE_DIRS=$IMAGE_DIRS"
+        FILTERED_IMAGE_DIRS=()
+        for IMAGE_DIR in $IMAGE_DIRS; do
+          echo checking $IMAGE_DIR
+          if [ "$(yq '.project.properties.["docker.skip"]' $IMAGE_DIR/pom.xml)" != "true" ]; then
+            echo add $IMAGE_DIR
+            FILTERED_IMAGE_DIRS+=($IMAGE_DIR)
+          fi
+        done
+        echo "filtered image dirs FILTERED_IMAGE_DIRS=${FILTERED_IMAGE_DIRS[@]}"
+        IMAGE_DIRS_AS_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${FILTERED_IMAGE_DIRS[@]}")
+        echo "generated image dirs matrix IMAGE_DIRS_AS_JSON=$IMAGE_DIRS_AS_JSON"
+        echo "image-dirs-as-json=$IMAGE_DIRS_AS_JSON" >> $GITHUB_OUTPUT
@@ -31,7 +31,9 @@ Here follows the list of GitHub Actions topics available in the current document
     - [automate-dependabot](#automate-dependabot)
     - [automate-propagation](#automate-propagation)
     - [configure-git-author](#configure-git-author)
+    - [docker-build-image](#docker-build-image)
     - [docker-dump-containers-logs](#docker-dump-containers-logs)
+    - [docker-scan-image-dirs](#docker-scan-image-dirs)
     - [env-load-from-yaml](#env-load-from-yaml)
     - [free-hosted-runner-disk-space](#free-hosted-runner-disk-space)
     - [get-branch-name](#get-branch-name)
@@ -344,6 +346,55 @@ Configures the git username and email to associate commits with the provided ide
 
 The two vars in the previous snippet are [workflow configuration variables](https://github.blog/changelog/2023-01-10-github-actions-support-for-configuration-variables-in-workflows/) that can be created at organization level and shared across different repositories.
 
+### docker-build-image
+
+Build docker image based on supplied jar files. It replaces `image-dir` and `image-tag` in the
+docker file and build it. After the build if `grype-scan-enabled` is `true` it scans the image using grype and upload the result in GitHub security.
+Finally, it push the created image into:
+
+- RedHat quay.io
+- GitHub ghcr
+- AWS ECR
+
+```yaml
+      - uses: Alfresco/alfresco-build-tools/.github/actions/docker-build-image@ref
+        with:
+          image-tag: ${{ needs.build.outputs.version }}
+          image-dir: ${{ matrix.image-dir }}
+          docker-username: ${{ secrets.DOCKER_USERNAME }}
+          docker-password: ${{ secrets.DOCKER_PASSWORD }}
+          quay-username: ${{ secrets.QUAY_USERNAME }}
+          quay-password: ${{ secrets.QUAY_PASSWORD }}
+          ghcr-token: ${{ secrets.GITHUB_TOKEN }}
+          aws-access-key-id: ${{ secrets.HXPS_DEV_SVC_ECR_WRITE_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.HXPS_DEV_SVC_ECR_WRITE_AWS_SECRET_ACCESS_KEY }}
+          aws-account-id: ${{ vars.ACCOUNT_ID }}
+          # aws-region: ${{ vars.AWS_REGION }} # optional
+          # aws-role-name: ${{ vars.AWS_ROLE_NAME }} # optional
+          # grype-scan-enabled: true # optional
+          # preview-label: ${{ vars.PREVIEW_LABEL }} # optional
+
+```
+
+| Input                 | Required | Description                                                          |
+|-----------------------|----------|----------------------------------------------------------------------|
+| base-directory        | false    | base working directory directory                                     |
+| image-tag             | true     | tag to be created                                                    |
+| image-dir             | true     | Directory holding the Dockerfile. Relative path from base-directory. |
+| docker-username       | true     | Docker.io user name                                                  |
+| docker-password       | true     | Docker.io password                                                   |
+| quay-username         | true     | Quay.io user name                                                    |
+| quay-password         | true     | Quay.io password                                                     |
+| ghcr-username         | false    | User name to connect to GHCR                                         |
+| ghcr-token            | true     | Github token to connect to GHCR                                      |
+| aws-access-key-id     | false    | AWS access key id to connect to ECR                                  |
+| aws-secret-access-key | false    | AWS secret access key to connect to ECR                              |
+| aws-account-id        | true     | AWS account id to connect to ECR                                     |
+| aws-region            | false    | AWS region to use while pushing to ECR                               |
+| aws-role-name         | false    | AWS role name                                                        |
+| grype-scan-enabled    | false    | Define whether a Grype scan should be executed or not                |
+| preview-label         | false    | The label name for creating a preview version                        |
+
 ### docker-dump-containers-logs
 
 Dumps Docker containers logs. Each container's log will be stored in a separate `<container_name>.log` file. All files will be archived by default under `containers-logs-<job_id>-<job_retry_number>-<timestamp>.tar.gz` and will be available to download via the workflow's summary page.
@@ -353,6 +404,14 @@ It is also possible to specify the output archive name when providing the `outpu
       - uses: Alfresco/alfresco-build-tools/.github/actions/docker-dump-containers-logs@ref
 ```
 
+### docker-scan-image-dirs
+
+Scan the directories were the Dockerfiles are to feed the scanner.
+
+```yaml
+      - uses: Alfresco/alfresco-build-tools/.github/actions/docker-scan-image-dirs@ref
+```
+
 ### env-load-from-yaml
 
 To ease the migration to GitHub Actions of repositories that contains one or