-
Notifications
You must be signed in to change notification settings - Fork 8
85 lines (75 loc) · 2.58 KB
/
docker-build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
name: Docker build
on:
push:
tags:
- '[0-9]+.[0-9]+.[0-9]+'
- '[0-9]+.[0-9]+.[0-9]+-dev[0-9]+'
pull_request:
branches:
- '*'
jobs:
build-and-push:
name: Build and push image
runs-on: ubuntu-latest
env:
IMG_BASE: ${{ github.repository }}
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to DockerHub
uses: docker/login-action@v2
if: ${{ github.ref_type == 'tag' }}
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to Quay.io
uses: docker/login-action@v2
if: ${{ github.ref_type == 'tag' }}
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
if: ${{ github.ref_type == 'tag' }}
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ap-south-1
- name: Login to Amazon ECR
id: login-ecr
if: ${{ github.ref_type == 'tag' }}
uses: aws-actions/amazon-ecr-login@v1
- name: Set image tag env
# GITHUB_HEAD_REF will be set in case of PR and contains the branch name.
# GITHUB_REF_NAME contains the git tag.
run: |
if [[ $GITHUB_HEAD_REF != '' ]]; then
echo "TAG=$GITHUB_HEAD_REF" >> "$GITHUB_ENV"
else
echo "TAG=$GITHUB_REF_NAME" >> "$GITHUB_ENV"
fi
- name: Build and push image
env:
REF_TYPE: ${{ github.ref_type }}
AWS_ECR: "568976754000.dkr.ecr.ap-south-1.amazonaws.com"
run: ./scripts/build.sh
- name: Run Snyk image security scan
uses: snyk/actions/docker@master
continue-on-error: true
id: docker-image-scan
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.IMG_BASE }}:${{ env.TAG }}
args: --file=Dockerfile --severity-threshold=high --fail-on=all # fail on vulnerabilities with fix available
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
- name: Check docker image scan status
if: ${{ steps.docker-image-scan.outcome == 'failure' }}
run: exit 1