From 55aaf4897ac4ccf24232871513176175bb44033c Mon Sep 17 00:00:00 2001 From: Martin Buchleitner Date: Tue, 7 May 2024 09:30:15 +0200 Subject: [PATCH 01/10] fix: container build action Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 44 ++++++++++++++++++++++++++------- 1 file changed, 35 insertions(+), 9 deletions(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 2a09298..280ca30 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -12,8 +12,14 @@ on: default: 'Dockerfile' jobs: + + pre-commit: + uses: ./.github/workflows/pre-commit.yml + secrets: inherit + build: runs-on: ubuntu-latest + needs: [pre-commit] steps: - uses: actions/checkout@v4 @@ -28,6 +34,9 @@ jobs: id: get_dir run: | echo "docker_directory=$(dirname ${{ inputs.dockerfile }})" >> $GITHUB_OUTPUT + if [ -z "${{ env.platforms }}" ]; then + echo "platforms=linux/amd64" >> $GITHUB_ENV + fi - name: Prepare tagging id: prep @@ -41,8 +50,8 @@ jobs: IMAGE_REPO="${{ secrets.IMAGE_REPO }}" fi VERSION="dev" - if [[ '${{ needs.prebuild.outputs.version }}' != '' ]]; then - VERSION="${{ needs.prebuild.outputs.version }}" + if [[ '${{ needs.pre-commit.outputs.version }}' != '' ]]; then + VERSION="${{ needs.pre-commit.outputs.version }}" fi if [ "${{ github.event_name }}" = "schedule" ]; then VERSION="nightly" 
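Review bot: `secrets: inherit` on the new `pre-commit` job forwards every secret this workflow receives to the called `pre-commit.yml`, including the registry and scanner credentials the `build` job consumes (`secrets.MONDOO_SERVICE_ACCOUNT`, and whatever populates `env.QUAY_TOKEN` and `env.BOT_ACCESS_TOKEN`), which is far more than a lint/version step should hold. Prefer an explicit `secrets:` mapping listing only the entries `pre-commit.yml` declares, one `NAME: ${{ secrets.NAME }}` line each, or omit the key entirely if it needs none; the called workflow is not part of this patch so I cannot name them. The later `needs.pre-commit.outputs.version` reads also presume `pre-commit.yml` declares a `version` output under `workflow_call.outputs`; if it does not, the expression is empty and the publish gates never open, so that is worth confirming alongside the secrets change.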
@@ -81,24 +90,41 @@ jobs: restore-keys: | ${{ runner.os }}-buildx- + - name: Build + id: docker_build + uses: docker/build-push-action@v5 + with: + builder: ${{ steps.buildx.outputs.name }} + context: ${{ steps.get_dir.outputs.docker_directory }} + file: ${{ inputs.dockerfile }} + load: true + tags: ${{ steps.prep.outputs.tags }} + platforms: ${{ env.platforms }} + + - name: Scan Docker Image + uses: mondoohq/actions/docker-image@v11.0.0 + env: + MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }} + with: + image: ${{ steps.prep.outputs.tags }} + - name: Login to Quay - if: needs.prebuild.outputs.version != '' && env.QUAY_USER != '' + if: needs.pre-commit.outputs.version != '' && env.QUAY_USER != '' uses: docker/login-action@v3 with: - registry: quay.io - username: ${{ env.QUAY_USER }} - password: ${{ env.QUAY_TOKEN }} + registry: quay.io + username: ${{ env.QUAY_USER }} + password: ${{ env.QUAY_TOKEN }} - name: Login to GitHub Container Registry - if: needs.prebuild.outputs.version != '' + if: needs.pre-commit.outputs.version != '' uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ env.BOT_ACCESS_TOKEN }} - - name: Build and push - id: docker_build + - name: Build uses: docker/build-push-action@v5 with: builder: ${{ steps.buildx.outputs.name }} From 270cd5d9d7441dce8a0713c36a530aea5791b1f1 Mon Sep 17 00:00:00 2001 From: Martin Buchleitner Date: Tue, 7 May 2024 09:34:35 +0200 Subject: [PATCH 02/10] fix: update if Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 280ca30..c1153ab 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -90,7 +90,7 @@ jobs: restore-keys: | ${{ runner.os }}-buildx- - - name: Build + - name: Build Container Image id: docker_build uses: docker/build-push-action@v5 with: 
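Review bot: The new `Build Container Image` step combines `load: true` with `platforms: ${{ env.platforms }}`, but buildx cannot load a multi-platform manifest list into the local daemon, so any caller that sets more than one platform fails here before the scan ever runs; the scan input is a single image anyway, so build the scan image for one platform (`platforms: linux/amd64`) and leave the multi-platform list to the publish step. The new scan step is also the only gate between a build and a push, yet `mondoohq/actions/docker-image@v11.0.0` is pinned to a movable tag — pin it to the full commit SHA with the tag as a trailing comment (`uses: mondoohq/actions/docker-image@<commit-sha> # v11.0.0`) so a retagged release cannot change what passes or read `MONDOO_CONFIG_BASE64`. Note that `id: docker_build` moved from the pushing step to this local build, so any later reference to `steps.docker_build.outputs.digest` (not visible here) would now describe the unpushed image.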
@@ -124,7 +124,8 @@ jobs: username: ${{ github.repository_owner }} password: ${{ env.BOT_ACCESS_TOKEN }} - - name: Build + - name: Publish container + if: needs.pre-commit.outputs.version != '' uses: docker/build-push-action@v5 with: builder: ${{ steps.buildx.outputs.name }} From 8ef3bd696d491200e2c336266f3ccd6c5c2598df Mon Sep 17 00:00:00 2001 From: Martin Buchleitner Date: Tue, 7 May 2024 09:51:04 +0200 Subject: [PATCH 03/10] adaptive score threshold Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index c1153ab..527b2c4 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -37,6 +37,9 @@ jobs: if [ -z "${{ env.platforms }}" ]; then echo "platforms=linux/amd64" >> $GITHUB_ENV fi + if [ -z "${{ env.score }}" ]; then + echo "score=60" >> $GITHUB_ENV + fi] - name: Prepare tagging id: prep @@ -107,6 +110,7 @@ jobs: MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }} with: image: ${{ steps.prep.outputs.tags }} + score-threshold: ${{ env.score }} - name: Login to Quay if: needs.pre-commit.outputs.version != '' && env.QUAY_USER != '' From dfdef19df700059080ee217aacc79cc892e500be Mon Sep 17 00:00:00 2001 From: Martin Buchleitner Date: Tue, 7 May 2024 09:52:45 +0200 Subject: [PATCH 04/10] adaptive score threshold Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 527b2c4..1dbe50f 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -39,7 +39,7 @@ jobs: fi if [ -z "${{ env.score }}" ]; then echo "score=60" >> $GITHUB_ENV - fi] + fi - name: Prepare tagging id: prep From e832538491ca0523f8052fe6363ee66bbe1b8682 Mon Sep 17 00:00:00 2001 
From: Martin Buchleitner Date: Tue, 7 May 2024 10:01:12 +0200 Subject: [PATCH 05/10] without caching Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 1dbe50f..c528206 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -86,7 +86,7 @@ jobs: platforms: ${{ env.platforms }} - name: Cache Docker layers - uses: actions/cache@v2 + uses: actions/cache@v4 with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} From 6df37ca92df033edf9b8228bbe61ae032f28f487 Mon Sep 17 00:00:00 2001 From: Martin Buchleitner Date: Tue, 7 May 2024 10:06:33 +0200 Subject: [PATCH 06/10] fix: update vars Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index c528206..d8fbcc2 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -34,11 +34,11 @@ jobs: id: get_dir run: | echo "docker_directory=$(dirname ${{ inputs.dockerfile }})" >> $GITHUB_OUTPUT - if [ -z "${{ env.platforms }}" ]; then - echo "platforms=linux/amd64" >> $GITHUB_ENV + if [ -z "${{ env.PLATFORMS }}" ]; then + echo "PLATFORMS=linux/amd64" >> $GITHUB_ENV fi - if [ -z "${{ env.score }}" ]; then - echo "score=60" >> $GITHUB_ENV + if [ -z "${{ env.SCORE }}" ]; then + echo "SCORE=60" >> $GITHUB_ENV fi - name: Prepare tagging @@ -83,15 +83,7 @@ jobs: - name: Set up QEMU uses: docker/setup-qemu-action@v3 with: - platforms: ${{ env.platforms }} - - - name: Cache Docker layers - uses: actions/cache@v4 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- + platforms: ${{ env.PLATFORMS }} - name: Build Container Image id: docker_build 
@@ -102,7 +94,7 @@ jobs: file: ${{ inputs.dockerfile }} load: true tags: ${{ steps.prep.outputs.tags }} - platforms: ${{ env.platforms }} + platforms: ${{ env.PLATFORMS }} - name: Scan Docker Image uses: mondoohq/actions/docker-image@v11.0.0 @@ -110,7 +102,7 @@ jobs: MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }} with: image: ${{ steps.prep.outputs.tags }} - score-threshold: ${{ env.score }} + score-threshold: ${{ env.SCORE }} - name: Login to Quay if: needs.pre-commit.outputs.version != '' && env.QUAY_USER != '' @@ -137,4 +129,4 @@ jobs: file: ${{ inputs.dockerfile }} push: ${{ github.event_name != 'pull_request' && needs.prebuild.outputs.version != '' }} tags: ${{ steps.prep.outputs.tags }} - platforms: ${{ env.platforms }} + platforms: ${{ env.PLATFORMS }} From 449f2cd2720944fc01de31052c69f6b81bcf8124 Mon Sep 17 00:00:00 2001 From: Martin Buchleitner Date: Tue, 7 May 2024 10:32:46 +0200 Subject: [PATCH 07/10] refactor: using inputs Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 44 +++++++++++++++++++++------------ 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index d8fbcc2..4aa1f4d 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -5,11 +5,32 @@ name: Container Workflow template" on: workflow_call: inputs: + dockerfile: description: 'The path to the Dockerfile' required: true type: string default: 'Dockerfile' + score: + description: 'The score threshold for the image' + required: false + type: number + default: 60 + platforms: + description: 'The platforms to build for' + required: false + type: string + default: 'linux/amd64' + image_name: + description: 'The name of the image' + required: false + type: string + default: '' + image_repo: + description: 'The repository of the image' + required: false + type: string + default: ${{ github.repository_owner }} jobs: 
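Review bot: The `push:` condition in the last hunk, `push: ${{ github.event_name != 'pull_request' && needs.prebuild.outputs.version != '' }}`, still references `needs.prebuild` although this series renamed the dependency to `pre-commit` and the step's own `if:` already uses `needs.pre-commit.outputs.version`; `prebuild` is no longer in `needs`, so the expression evaluates to empty (or is rejected at parse time) and the `Publish container` step builds but never pushes. Change it to `push: ${{ github.event_name != 'pull_request' && needs.pre-commit.outputs.version != '' }}`; the same stale line is carried as context in the next patch as well. In the `inputs` hunk, `image_repo` uses `default: ${{ github.repository_owner }}` — I am not certain `workflow_call` input defaults evaluate expressions, so confirm the rendered value or resolve the fallback inside the `Prepare tagging` step instead.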
@@ -34,23 +55,14 @@ jobs: id: get_dir run: | echo "docker_directory=$(dirname ${{ inputs.dockerfile }})" >> $GITHUB_OUTPUT - if [ -z "${{ env.PLATFORMS }}" ]; then - echo "PLATFORMS=linux/amd64" >> $GITHUB_ENV - fi - if [ -z "${{ env.SCORE }}" ]; then - echo "SCORE=60" >> $GITHUB_ENV - fi - name: Prepare tagging id: prep run: | IMAGE_NAME=$(basename ${{ github.repository }}) - IMAGE_REPO=${{ github.repository_owner }} - if [[ -n "${{ secrets.IMAGE_NAME }}" ]]; then - IMAGE_NAME="${{ secrets.IMAGE_NAME }}" - fi - if [[ -n "${{ secrets.IMAGE_REPO }}" ]]; then - IMAGE_REPO="${{ secrets.IMAGE_REPO }}" + IMAGE_REPO=${{ inputs.image_repo }} + if [[ -n "${{ inputs.image_name }}" ]]; then + IMAGE_NAME="${{ inputs.image_name }}" fi VERSION="dev" if [[ '${{ needs.pre-commit.outputs.version }}' != '' ]]; then @@ -83,7 +95,7 @@ jobs: - name: Set up QEMU uses: docker/setup-qemu-action@v3 with: - platforms: ${{ env.PLATFORMS }} + platforms: ${{ inputs.platforms }} - name: Build Container Image id: docker_build @@ -94,7 +106,7 @@ jobs: file: ${{ inputs.dockerfile }} load: true tags: ${{ steps.prep.outputs.tags }} - platforms: ${{ env.PLATFORMS }} + platforms: ${{ inputs.platforms }} - name: Scan Docker Image uses: mondoohq/actions/docker-image@v11.0.0 @@ -102,7 +114,7 @@ jobs: MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }} with: image: ${{ steps.prep.outputs.tags }} - score-threshold: ${{ env.SCORE }} + score-threshold: ${{ inputs.score }} - name: Login to Quay if: needs.pre-commit.outputs.version != '' && env.QUAY_USER != '' @@ -129,4 +141,4 @@ jobs: file: ${{ inputs.dockerfile }} push: ${{ github.event_name != 'pull_request' && needs.prebuild.outputs.version != '' }} tags: ${{ steps.prep.outputs.tags }} - platforms: ${{ env.PLATFORMS }} + platforms: ${{ inputs.platforms }} From e3c21bb6501dabed5c5ff06660b617a164b67026 Mon Sep 17 00:00:00 2001 From: Martin Buchleitner Date: Tue, 7 May 2024 10:37:08 +0200 Subject: [PATCH 08/10] fix: adding debug log level 
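Review bot: `IMAGE_REPO=${{ inputs.image_repo }}` and `IMAGE_NAME="${{ inputs.image_name }}"` splice caller-supplied input text into the `run:` script before bash parses it, so a caller that forwards untrusted data (a `workflow_dispatch` input, a PR title) into these inputs gets command execution in a job that holds registry credentials, and the unquoted `IMAGE_REPO` assignment also word-splits on spaces. Move the inputs into the step's `env:` and read them as shell variables, which GitHub's own hardening guidance recommends for every `${{ }}` inside `run:`; the `github.repository` interpolation in the `basename` call is GitHub-controlled and lower risk but gets the same treatment for consistency. The `Prepare tagging` step's `VERSION`/`TAGS` logic continues past the end of this hunk.
```yaml
      - name: Prepare tagging
        id: prep
        env:
          IN_IMAGE_NAME: ${{ inputs.image_name }}
          IN_IMAGE_REPO: ${{ inputs.image_repo }}
          GH_REPOSITORY: ${{ github.repository }}
        run: |
          IMAGE_NAME=$(basename "${GH_REPOSITORY}")
          IMAGE_REPO="${IN_IMAGE_REPO}"
          if [[ -n "${IN_IMAGE_NAME}" ]]; then
            IMAGE_NAME="${IN_IMAGE_NAME}"
          fi
          # … unchanged: VERSION / TAGS computation and GITHUB_OUTPUT writes …
```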
Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 4aa1f4d..1a98b56 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -115,6 +115,7 @@ jobs: with: image: ${{ steps.prep.outputs.tags }} score-threshold: ${{ inputs.score }} + log-level: debug - name: Login to Quay if: needs.pre-commit.outputs.version != '' && env.QUAY_USER != '' From 077602252de819bae897786ec311231baeec1bf6 Mon Sep 17 00:00:00 2001 From: Martin Buchleitner Date: Tue, 7 May 2024 10:40:55 +0200 Subject: [PATCH 09/10] fix: no debug Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 1a98b56..4aa1f4d 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -115,7 +115,6 @@ jobs: with: image: ${{ steps.prep.outputs.tags }} score-threshold: ${{ inputs.score }} - log-level: debug - name: Login to Quay if: needs.pre-commit.outputs.version != '' && env.QUAY_USER != '' From 337da6128050d9586b081d8273451dc577f92459 Mon Sep 17 00:00:00 2001 From: Martin Buchleitner Date: Tue, 7 May 2024 11:08:20 +0200 Subject: [PATCH 10/10] fix: adding dedicated image to scan Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 4aa1f4d..e02bf53 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -87,6 +87,7 @@ jobs: fi echo "settings tag ${TAGS}" echo "tags=${TAGS}" >> $GITHUB_OUTPUT + echo "ghcr_tag=${GHCR_IMAGE}:${VERSION}" >> $GITHUB_OUTPUT - name: Set up Docker Buildx id: buildx 
@@ -113,7 +114,7 @@ jobs: env: MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }} with: - image: ${{ steps.prep.outputs.tags }} + image: ${{ steps.prep.outputs.ghcr_tag }} score-threshold: ${{ inputs.score }} - name: Login to Quay
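Review bot: The scan step now targets `steps.prep.outputs.ghcr_tag` but still has no `if:` and reads `MONDOO_CONFIG_BASE64` from `secrets.MONDOO_SERVICE_ACCOUNT`, which is empty on `pull_request` runs from forks, so those runs will fail at the scanner rather than being skipped like the gated login and publish steps — if a hard failure is intended, say so; otherwise add an `if:` matching the publish condition. Because the step's position before the logins is what turns the score threshold into a release gate, add a comment making that explicit, e.g. `# Release gate: the login/publish steps below are reached only if this scan meets inputs.score`, so a future reorder does not silently remove the gate. Whether the action fails or skips on an empty `MONDOO_CONFIG_BASE64` is not visible here, so confirm against its documentation.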