diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 2a09298..e02bf53 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -5,15 +5,42 @@ name: Container Workflow template"
 on:
 workflow_call:
 inputs:
+
 dockerfile:
 description: 'The path to the Dockerfile'
 required: true
 type: string
 default: 'Dockerfile'
+ score:
+ description: 'The score threshold for the image'
+ required: false
+ type: number
+ default: 60
+ platforms:
+ description: 'The platforms to build for'
+ required: false
+ type: string
+ default: 'linux/amd64'
+ image_name:
+ description: 'The name of the image'
+ required: false
+ type: string
+ default: ''
+ image_repo:
+ description: 'The repository of the image'
+ required: false
+ type: string
+ default: ${{ github.repository_owner }}
 
 jobs:
+
+ pre-commit:
+ uses: ./.github/workflows/pre-commit.yml
+ secrets: inherit
+
 build:
 runs-on: ubuntu-latest
+ needs: [pre-commit]
 steps:
 - uses: actions/checkout@v4
 
@@ -33,16 +60,13 @@ jobs:
 id: prep
 run: |
 IMAGE_NAME=$(basename ${{ github.repository }})
- IMAGE_REPO=${{ github.repository_owner }}
- if [[ -n "${{ secrets.IMAGE_NAME }}" ]]; then
- IMAGE_NAME="${{ secrets.IMAGE_NAME }}"
- fi
- if [[ -n "${{ secrets.IMAGE_REPO }}" ]]; then
- IMAGE_REPO="${{ secrets.IMAGE_REPO }}"
+ IMAGE_REPO=${{ inputs.image_repo }}
+ if [[ -n "${{ inputs.image_name }}" ]]; then
+ IMAGE_NAME="${{ inputs.image_name }}"
 fi
 VERSION="dev"
- if [[ '${{ needs.prebuild.outputs.version }}' != '' ]]; then
- VERSION="${{ needs.prebuild.outputs.version }}"
+ if [[ '${{ needs.pre-commit.outputs.version }}' != '' ]]; then
+ VERSION="${{ needs.pre-commit.outputs.version }}"
 fi
 if [ "${{ github.event_name }}" = "schedule" ]; then
 VERSION="nightly"
@@ -63,6 +87,7 @@ jobs:
 fi
 echo "settings tag ${TAGS}"
 echo "tags=${TAGS}" >> $GITHUB_OUTPUT
+ echo "ghcr_tag=${GHCR_IMAGE}:${VERSION}" >> $GITHUB_OUTPUT
 
 - name: Set up Docker Buildx
 id: buildx
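Review bot: `secrets: inherit` on the new `pre-commit` job forwards every secret the caller supplies to `./.github/workflows/pre-commit.yml`, although a lint/pre-commit job has no visible need for the Mondoo service account or the registry credentials this workflow uses further down; list only what it actually needs under `secrets:`, or drop the line if it needs none. The `build` job later reads `needs.pre-commit.outputs.version`, which requires `pre-commit.yml` to declare `outputs.version` under `workflow_call` — that file is not on this page, so confirm it does, otherwise `VERSION` silently stays `dev` and nothing is ever published. Since `image_name` and `image_repo` are caller-controlled and are expanded into a `run:` script later in this diff, a comment on those inputs such as `# caller-controlled; treated as data, never interpolated into shell` would record the constraint for the next maintainer. Note also that `dockerfile` is `required: true` and carries a `default:`, a pre-existing contradiction this commit touches but does not resolve.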
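Review bot: `IMAGE_NAME="${{ inputs.image_name }}"` and `IMAGE_REPO=${{ inputs.image_repo }}` in the `prep` step expand caller-controlled workflow inputs directly into the shell script before it runs, so a value containing `"; <command>; "` escapes the quotes and executes in the runner with this job's credentials — the replaced `secrets.*` lookups were only admin-settable, these inputs are set by whichever workflow calls this template. Pass the inputs through `env:` and reference them as shell variables, so they are data rather than script text; the same treatment is advisable for `needs.pre-commit.outputs.version`. The `- name:` line of this step precedes the hunk and the `run:` block continues past it.

```yaml
        id: prep
        env:
          # Caller-controlled inputs enter the script as environment data, never as script text
          IMAGE_NAME_INPUT: ${{ inputs.image_name }}
          IMAGE_REPO_INPUT: ${{ inputs.image_repo }}
        run: |
          IMAGE_NAME=$(basename ${{ github.repository }})
          IMAGE_REPO="$IMAGE_REPO_INPUT"
          if [[ -n "$IMAGE_NAME_INPUT" ]]; then
            IMAGE_NAME="$IMAGE_NAME_INPUT"
          fi
          # … unchanged: VERSION / nightly handling …
```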
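Review bot: The new `ghcr_tag` output is the name the scan step later reads from the local Docker daemon after a `load: true` build, so `${GHCR_IMAGE}:${VERSION}` must be one of the names in `${TAGS}` or the scan targets an image that was never loaded; both `GHCR_IMAGE` and the `TAGS` assembly sit outside this hunk, so I cannot confirm that from here. A comment above the new line would make the coupling explicit: `# must also be present in TAGS: the scan step resolves this name in the local daemon, not the registry`. The `run: |` block this line belongs to starts and ends outside the hunk.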
@@ -71,34 +96,45 @@ jobs:
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
 with:
- platforms: ${{ env.platforms }}
+ platforms: ${{ inputs.platforms }}
+
+ - name: Build Container Image
+ id: docker_build
+ uses: docker/build-push-action@v5
+ with:
+ builder: ${{ steps.buildx.outputs.name }}
+ context: ${{ steps.get_dir.outputs.docker_directory }}
+ file: ${{ inputs.dockerfile }}
+ load: true
+ tags: ${{ steps.prep.outputs.tags }}
+ platforms: ${{ inputs.platforms }}
 
- - name: Cache Docker layers
- uses: actions/cache@v2
+ - name: Scan Docker Image
+ uses: mondoohq/actions/docker-image@v11.0.0
+ env:
+ MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
 with:
- path: /tmp/.buildx-cache
- key: ${{ runner.os }}-buildx-${{ github.sha }}
- restore-keys: |
- ${{ runner.os }}-buildx-
+ image: ${{ steps.prep.outputs.ghcr_tag }}
+ score-threshold: ${{ inputs.score }}
 
 - name: Login to Quay
- if: needs.prebuild.outputs.version != '' && env.QUAY_USER != ''
+ if: needs.pre-commit.outputs.version != '' && env.QUAY_USER != ''
 uses: docker/login-action@v3
 with:
- registry: quay.io
- username: ${{ env.QUAY_USER }}
- password: ${{ env.QUAY_TOKEN }}
+ registry: quay.io
+ username: ${{ env.QUAY_USER }}
+ password: ${{ env.QUAY_TOKEN }}
 
 - name: Login to GitHub Container Registry
- if: needs.prebuild.outputs.version != ''
+ if: needs.pre-commit.outputs.version != ''
 uses: docker/login-action@v3
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ env.BOT_ACCESS_TOKEN }}
 
- - name: Build and push
- id: docker_build
+ - name: Publish container
+ if: needs.pre-commit.outputs.version != ''
 uses: docker/build-push-action@v5
 with:
 builder: ${{ steps.buildx.outputs.name }}
@@ -106,4 +142,4 @@ jobs:
 file: ${{ inputs.dockerfile }}
 push: ${{ github.event_name != 'pull_request' && needs.prebuild.outputs.version != '' }}
 tags: ${{ steps.prep.outputs.tags }}
- platforms: ${{ env.platforms }}
+ platforms: ${{ inputs.platforms }}
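Review bot: The new `Build Container Image` step combines `load: true` with `platforms: ${{ inputs.platforms }}`, but the docker exporter behind `load` cannot emit a multi-platform manifest list, so any caller that passes more than one platform (which the input's description invites) fails here before the scan ever runs; build the scan image for one architecture, `platforms: linux/amd64  # load: true cannot export a multi-arch list; scan a single arch`, and leave the multi-arch build to `Publish container`. Separately, the image that is scanned is not the image that is published: `Publish container` is a second `docker/build-push-action@v5` invocation, and only the builder's layer cache — not shown here — makes the two builds the same, so a passing scan is a weaker guarantee than pushing the already-scanned image by digest; at minimum a comment on the publish step should say the rebuild is assumed cache-identical. `mondoohq/actions/docker-image@v11.0.0` is a third-party action pinned to a mutable tag; pin it to the full commit SHA (`@<sha> # v11.0.0`) as the rest of a hardened supply chain would. The scan step has no `if:` and fails closed when `MONDOO_SERVICE_ACCOUNT` is unset, which is the right default but worth a one-line comment so nobody later "fixes" it with `continue-on-error`.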
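Review bot: The `push:` line in this hunk still reads `needs.prebuild.outputs.version`, yet this commit renames every other `prebuild` reference to `pre-commit` and `build` now lists only `pre-commit` under `needs`, so `prebuild` is no longer a dependency of this job; GitHub will either reject the workflow or evaluate the lookup as empty, and in the latter case `push` is always false and nothing is ever published. Change it to `push: ${{ github.event_name != 'pull_request' && needs.pre-commit.outputs.version != '' }}`. The `version != ''` half now duplicates the step's `if:` added in the previous hunk, but the `pull_request` guard is still needed here because that `if:` does not check the event type.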