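# Composite action metadata: declares the inputs consumed by the build/publish
# steps and the single output (`tags`) exposed to the calling workflow.
# Nesting is restored here; with every key at column 0 the repeated
# `description`/`default`/`required` keys collide and the inputs are lost.
name: Build and publish docker images
description: Builds and publish docker images to github registry
inputs:
  image-name:
    # Appended to the registry host/path to form DOCKER_IMAGE. Treat it as
    # caller-controlled text: it ends up in a shell step and in $GITHUB_ENV.
    description: Image name for example lh-server
    required: true
  context:
    description: Docker build context path
    default: .
  dockerfile:
    description: Relative route of Dockerfile
    required: true
  registry:
    # Only 'github' and 'ecr' are accepted; the first step of `runs` rejects
    # anything else.
    description: Either github or ecr
    default: github
  github-token:
    # Used as the ghcr.io login password. The empty default is rejected by a
    # validation step when registry is 'github'. The calling job must grant
    # the token `packages: write` for the push to succeed.
    description: Github secret secrets.GITHUB_TOKEN required only if registry is github
    default: ""
  platforms:
    description: Architecture platforms
    default: "linux/amd64,linux/arm64"
  prefix:
    description: prefix to be appended to image tag ex brach-
    default: ""
  tags:
    description: "tags strategy configuration. For more information see: https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input"
    default: ""
  build-args:
    # Forwarded unchanged to docker/build-push-action. Build-arg values can be
    # recovered from image history, so credentials should not be passed here;
    # use BuildKit secrets for anything sensitive.
    description: "List of build-time variables"
    required: false
outputs:
  tags:
    description: Tags for the built image
    value: ${{ steps.meta.outputs.tags }}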
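# Steps: validate inputs, set up multi-arch build tooling, log in to the
# selected registry, derive the image reference, generate tags/labels, then
# build and push.
#
# NOTE(review): every `uses:` below references a mutable major-version tag
# (@v3/@v4/@v5). These actions run with registry credentials in scope, so
# pinning each to a full commit SHA (keeping the tag as a trailing comment)
# prevents a re-pointed upstream tag from changing what executes here.
runs:
  using: composite
  steps:
    # Fail fast on an unsupported registry before any login or build happens.
    - name: Registry not recognized
      shell: bash
      if: ${{ inputs.registry != 'github' && inputs.registry != 'ecr' }}
      run: |
        echo "Registry not recognized, it should be github or ecr"
        exit 1
    - name: github-token is required
      shell: bash
      if: ${{ inputs.registry == 'github' && inputs.github-token == '' }}
      run: |
        echo "github-token is required when registry is github"
        exit 1
    # image-name is later written to $GITHUB_ENV. Restricting it to image-name
    # characters keeps a crafted value (for example one with a newline) from
    # adding extra environment variables for the following steps.
    - name: image-name is invalid
      shell: bash
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
      run: |
        if [[ ! "$IMAGE_NAME" =~ ^[A-Za-z0-9._/-]+$ ]]; then
          echo "image-name may only contain letters, digits, '.', '_', '-' and '/'"
          exit 1
        fi
    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3
    - name: Log in to github registry
      if: ${{ inputs.registry == 'github'}}
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ inputs.github-token }}
    # No static AWS keys are passed, so the role is presumably assumed through
    # GitHub OIDC; the calling job then needs `permissions: id-token: write`.
    # NOTE(review): the role's trust policy is not visible here. Confirm it
    # limits the OIDC `sub` claim to the repositories and refs that are
    # allowed to publish images.
    - name: Configure AWS credentials
      if: ${{ inputs.registry == 'ecr' }}
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: arn:aws:iam::637423582379:role/GithubActions-ECR
        role-session-name: gha-ecr
        aws-region: us-west-2
    - name: Login to Amazon ECR
      id: login-ecr
      if: ${{ inputs.registry == 'ecr' }}
      uses: aws-actions/amazon-ecr-login@v2
    # Expression values are handed to the shell through `env:` rather than
    # expanded inside `run:`. An inline expansion is substituted into the
    # script text before bash parses it, so shell metacharacters in an input
    # would execute as commands.
    - name: Set DOCKER_IMAGE to github
      if: ${{ inputs.registry == 'github'}}
      shell: bash
      env:
        REPOSITORY: ${{ github.repository }}
        IMAGE_NAME: ${{ inputs.image-name }}
      run: |
        echo "DOCKER_IMAGE=ghcr.io/${REPOSITORY}/${IMAGE_NAME}" >> "$GITHUB_ENV"
    - name: Set DOCKER_IMAGE to ecr
      if: ${{ inputs.registry == 'ecr' }}
      shell: bash
      env:
        ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        IMAGE_NAME: ${{ inputs.image-name }}
      run: |
        echo "DOCKER_IMAGE=${ECR_REGISTRY}/${IMAGE_NAME}" >> "$GITHUB_ENV"
    - name: Extract metadata (tags, labels) for Docker
      uses: docker/metadata-action@v5
      id: meta
      with:
        images: |
          ${{ env.DOCKER_IMAGE }}
        flavor: |
          prefix=${{ inputs.prefix }}
        tags: ${{ inputs.tags }}
    # `push: true` is unconditional, so every invocation publishes. Callers
    # should only run this action on events they trust to publish images.
    # build-args values can be recovered from image history; do not pass
    # secrets through them.
    - name: Build and push Docker images
      uses: docker/build-push-action@v5
      with:
        context: ${{ inputs.context }}
        file: ${{ inputs.dockerfile }}
        platforms: ${{ inputs.platforms }}
        push: true
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        build-args: ${{ inputs.build-args }}
    # Disabled image scan, kept for reference. While it is commented out,
    # images are pushed without a vulnerability check. With exit-code '0' the
    # scan would only report and never fail the job; use a non-zero exit code
    # if findings should block publishing. The action version is shown as a
    # placeholder because it was lost when this page was extracted.
    # - name: Extract and export first tag
    #   id: extract-tag
    #   shell: bash
    #   env:
    #     ALL_TAGS: ${{ steps.meta.outputs.tags }}
    #   run: |
    #     first_tag=$(echo "$ALL_TAGS" | head -n 1)
    #     echo "FIRST_TAG=$first_tag" >> "$GITHUB_ENV"
    # - name: Scan Docker image
    #   uses: aquasecurity/trivy-action@<version>
    #   with:
    #     image-ref: ${{ env.FIRST_TAG }} # Use the built image tag
    #     severity: HIGH,CRITICAL # Specify severity levels
    #     ignore-unfixed: true # Optional: Ignore unfixed vulnerabilities
    #     exit-code: '0'
    # The tag list derives from the prefix/tags inputs, so it is passed via
    # `env:` instead of being expanded inside the script text.
    - name: Annotate image
      shell: bash
      env:
        PUBLISHED_TAGS: ${{ steps.meta.outputs.tags }}
      run: |
        echo "::notice title=Published Docker Image::${PUBLISHED_TAGS}"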