diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml index 74c4161..a9caf07 100644 --- a/.github/actions/build/action.yml +++ b/.github/actions/build/action.yml @@ -1,4 +1,4 @@ -name: Build and push Docker images +name: Build Docker images inputs: image-name: 
@@ -84,65 +84,65 @@ runs: - name: List manifest run: docker buildx imagetools inspect ${{ env.IMAGE_ID }}:${{ env.TAG }} shell: bash - - name: Tag major version - if: startsWith(github.ref, 'refs/tags/') - uses: docker/build-push-action@v6 - with: - context: ${{ inputs.docker-context }} - platforms: linux/amd64,linux/arm64 - labels: | - runnumber=${{ github.run_id }} - build-args: | - BASE_IMAGE=${{ inputs.base-image }} - BASE_IMAGE_TAG=${{ env.MAJOR_VERSION }} - TNA_DOCKER_IMAGE_VERSION=${{ env.TAG }} - TNA_DOCKER_IMAGE_SOURCE=${{ github.server_url }}/${{ github.repository }}/blob/main/${{ inputs.docker-context }}/Dockerfile - USER_IMAGE=${{ inputs.user-image }} - push: true - tags: ${{ env.IMAGE_ID }}:${{ env.MAJOR_VERSION }} - provenance: false - - name: Tag minor version - if: startsWith(github.ref, 'refs/tags/') - uses: docker/build-push-action@v6 - with: - context: ${{ inputs.docker-context }} - platforms: linux/amd64,linux/arm64 - labels: | - runnumber=${{ github.run_id }} - build-args: | - BASE_IMAGE=${{ inputs.base-image }} - BASE_IMAGE_TAG=${{ env.MINOR_VERSION }} - TNA_DOCKER_IMAGE_VERSION=${{ env.TAG }} - TNA_DOCKER_IMAGE_SOURCE=${{ github.server_url }}/${{ github.repository }}/blob/main/${{ inputs.docker-context }}/Dockerfile - USER_IMAGE=${{ inputs.user-image }} - push: true - tags: ${{ env.IMAGE_ID }}:${{ env.MINOR_VERSION }} - provenance: false - - name: Tag latest - if: startsWith(github.ref, 'refs/tags/') - uses: docker/build-push-action@v6 - with: - context: ${{ inputs.docker-context }} - platforms: linux/amd64,linux/arm64 - labels: | - runnumber=${{ github.run_id }} - build-args: | - BASE_IMAGE=${{ inputs.base-image }} - BASE_IMAGE_TAG=latest - TNA_DOCKER_IMAGE_VERSION=${{ env.TAG }} - TNA_DOCKER_IMAGE_SOURCE=${{ github.server_url }}/${{ github.repository }}/blob/main/${{ inputs.docker-context }}/Dockerfile - USER_IMAGE=${{ inputs.user-image }} - push: true - tags: ${{ env.IMAGE_ID }}:latest - provenance: false - - name: Scan for vulnerabilities 
- uses: aquasecurity/trivy-action@0.28.0
- with:
- image-ref: ${{ env.IMAGE_ID }}:${{ env.TAG }}
- format: "sarif"
- output: "trivy-results.sarif"
- ignore-unfixed: true
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: "trivy-results.sarif"
+ # - name: Tag major version
+ # if: startsWith(github.ref, 'refs/tags/')
+ # uses: docker/build-push-action@v6
+ # with:
+ # context: ${{ inputs.docker-context }}
+ # platforms: linux/amd64,linux/arm64
+ # labels: |
+ # runnumber=${{ github.run_id }}
+ # build-args: |
+ # BASE_IMAGE=${{ inputs.base-image }}
+ # BASE_IMAGE_TAG=${{ env.MAJOR_VERSION }}
+ # TNA_DOCKER_IMAGE_VERSION=${{ env.TAG }}
+ # TNA_DOCKER_IMAGE_SOURCE=${{ github.server_url }}/${{ github.repository }}/blob/main/${{ inputs.docker-context }}/Dockerfile
+ # USER_IMAGE=${{ inputs.user-image }}
+ # push: true
+ # tags: ${{ env.IMAGE_ID }}:${{ env.MAJOR_VERSION }}
+ # provenance: false
+ # - name: Tag minor version
+ # if: startsWith(github.ref, 'refs/tags/')
+ # uses: docker/build-push-action@v6
+ # with:
+ # context: ${{ inputs.docker-context }}
+ # platforms: linux/amd64,linux/arm64
+ # labels: |
+ # runnumber=${{ github.run_id }}
+ # build-args: |
+ # BASE_IMAGE=${{ inputs.base-image }}
+ # BASE_IMAGE_TAG=${{ env.MINOR_VERSION }}
+ # TNA_DOCKER_IMAGE_VERSION=${{ env.TAG }}
+ # TNA_DOCKER_IMAGE_SOURCE=${{ github.server_url }}/${{ github.repository }}/blob/main/${{ inputs.docker-context }}/Dockerfile
+ # USER_IMAGE=${{ inputs.user-image }}
+ # push: true
+ # tags: ${{ env.IMAGE_ID }}:${{ env.MINOR_VERSION }}
+ # provenance: false
+ # - name: Tag latest
+ # if: startsWith(github.ref, 'refs/tags/')
+ # uses: docker/build-push-action@v6
+ # with:
+ # context: ${{ inputs.docker-context }}
+ # platforms: linux/amd64,linux/arm64
+ # labels: |
+ # runnumber=${{ github.run_id }}
+ # build-args: |
+ # BASE_IMAGE=${{ inputs.base-image }}
+ # BASE_IMAGE_TAG=latest
+ # TNA_DOCKER_IMAGE_VERSION=${{ env.TAG }}
+ # TNA_DOCKER_IMAGE_SOURCE=${{ github.server_url }}/${{ github.repository }}/blob/main/${{ inputs.docker-context }}/Dockerfile
+ # USER_IMAGE=${{ inputs.user-image }}
+ # push: true
+ # tags: ${{ env.IMAGE_ID }}:latest
+ # provenance: false
+ # - name: Scan for vulnerabilities
+ # uses: aquasecurity/trivy-action@0.28.0
+ # with:
+ # image-ref: ${{ env.IMAGE_ID }}:${{ env.TAG }}
+ # format: "sarif"
+ # output: "trivy-results.sarif"
+ # ignore-unfixed: true
+ # - name: Upload Trivy scan results to GitHub Security tab
+ # uses: github/codeql-action/upload-sarif@v3
+ # with:
+ # sarif_file: "trivy-results.sarif"
diff --git a/.github/actions/push/action.yml b/.github/actions/push/action.yml
new file mode 100644
index 0000000..4867582
--- /dev/null
+++ b/.github/actions/push/action.yml
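Review bot: Commenting out the tag and scan steps rather than deleting them leaves roughly sixty lines of dead configuration in this action; since the same steps now live in .github/actions/push/action.yml, the block should be removed outright and git history relied on. With this change the build action no longer runs Trivy, so any job that uses ./.github/actions/build without also invoking the new push action publishes an unscanned image, assuming the push that the List manifest context line inspects happens earlier in this file, outside the hunk. If that split is intended, a comment above `runs:` such as `# Vulnerability scanning and version tagging happen in .github/actions/push` would save the next reader from looking for the scan here.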
@@ -0,0 +1,136 @@
+name: Push Docker image
+
+inputs:
+ image-name:
+ required: true
+ type: string
+ image-tag:
+ required: true
+ type: string
+ docker-context:
+ required: true
+ type: string
+ base-image:
+ required: false
+ type: string
+ user-image:
+ required: false
+ type: string
+ default: appuser
+ ignore-linting-rules:
+ required: false
+ type: string
+ github-token:
+ required: true
+ type: string
+
+runs:
+ using: "composite"
+ steps:
+ # - uses: hadolint/hadolint-action@v3.1.0
+ # with:
+ # dockerfile: ${{ inputs.docker-context }}/Dockerfile
+ # ignore: SC1091,${{ inputs.ignore-linting-rules }}
+ # - name: ShellCheck
+ # run: |
+ # cd ${{ inputs.docker-context }}
+ # [ -d "./bin" ] && shellcheck --external-sources --exclude=SC1091 ./bin/*
+ # shellcheck --external-sources --exclude=SC2148 ./Dockerfile
+ # shell: bash
+ - name: Log in to registry
+ run: echo "${{ inputs.github-token }}" | docker login ghcr.io -u $ --password-stdin
+ shell: bash
+ - name: Prepare image tag
+ id: generate-tags
+ run: |
+ VERSION_MAJOR=$(echo "${{ inputs.image-tag }}" | awk -F'.' '{print $1}')
+ VERSION_MINOR=$(echo "${{ inputs.image-tag }}" | awk -F'.' '{print $2}')
+ echo "TAG=$VERSION" >> "$GITHUB_ENV"
+ echo "MAJOR_VERSION=$VERSION_MAJOR" >> "$GITHUB_ENV"
+ echo "MINOR_VERSION=$VERSION_MAJOR.$VERSION_MINOR" >> "$GITHUB_ENV"
+ shell: bash
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build and push images
+ uses: docker/build-push-action@v6
+ with:
+ context: ${{ inputs.docker-context }}
+ platforms: linux/amd64,linux/arm64
+ labels: |
+ runnumber=${{ github.run_id }}
+ build-args: |
+ BASE_IMAGE=${{ inputs.base-image }}
+ BASE_IMAGE_TAG=${{ env.TAG }}
+ TNA_DOCKER_IMAGE_VERSION=${{ env.TAG }}
+ TNA_DOCKER_IMAGE_SOURCE=${{ github.server_url }}/${{ github.repository }}/blob/main/${{ inputs.docker-context }}/Dockerfile
+ USER_IMAGE=${{ inputs.user-image }}
+ push: true
+ tags: ${{ env.IMAGE_ID }}:${{ env.TAG }}
+ provenance: false
+ - name: List manifest
+ run: docker buildx imagetools inspect ${{ env.IMAGE_ID }}:${{ env.TAG }}
+ shell: bash
+ - name: Tag major version
+ if: startsWith(github.ref, 'refs/tags/')
+ uses: docker/build-push-action@v6
+ with:
+ context: ${{ inputs.docker-context }}
+ platforms: linux/amd64,linux/arm64
+ labels: |
+ runnumber=${{ github.run_id }}
+ build-args: |
+ BASE_IMAGE=${{ inputs.base-image }}
+ BASE_IMAGE_TAG=${{ env.MAJOR_VERSION }}
+ TNA_DOCKER_IMAGE_VERSION=${{ env.TAG }}
+ TNA_DOCKER_IMAGE_SOURCE=${{ github.server_url }}/${{ github.repository }}/blob/main/${{ inputs.docker-context }}/Dockerfile
+ USER_IMAGE=${{ inputs.user-image }}
+ push: true
+ tags: ${{ env.IMAGE_ID }}:${{ env.MAJOR_VERSION }}
+ provenance: false
+ - name: Tag minor version
+ if: startsWith(github.ref, 'refs/tags/')
+ uses: docker/build-push-action@v6
+ with:
+ context: ${{ inputs.docker-context }}
+ platforms: linux/amd64,linux/arm64
+ labels: |
+ runnumber=${{ github.run_id }}
+ build-args: |
+ BASE_IMAGE=${{ inputs.base-image }}
+ BASE_IMAGE_TAG=${{ env.MINOR_VERSION }}
+ TNA_DOCKER_IMAGE_VERSION=${{ env.TAG }}
+ 
TNA_DOCKER_IMAGE_SOURCE=${{ github.server_url }}/${{ github.repository }}/blob/main/${{ inputs.docker-context }}/Dockerfile + USER_IMAGE=${{ inputs.user-image }} + push: true + tags: ${{ env.IMAGE_ID }}:${{ env.MINOR_VERSION }} + provenance: false + - name: Tag latest + if: startsWith(github.ref, 'refs/tags/') + uses: docker/build-push-action@v6 + with: + context: ${{ inputs.docker-context }} + platforms: linux/amd64,linux/arm64 + labels: | + runnumber=${{ github.run_id }} + build-args: | + BASE_IMAGE=${{ inputs.base-image }} + BASE_IMAGE_TAG=latest + TNA_DOCKER_IMAGE_VERSION=${{ env.TAG }} + TNA_DOCKER_IMAGE_SOURCE=${{ github.server_url }}/${{ github.repository }}/blob/main/${{ inputs.docker-context }}/Dockerfile + USER_IMAGE=${{ inputs.user-image }} + push: true + tags: ${{ env.IMAGE_ID }}:latest + provenance: false + - name: Scan for vulnerabilities + uses: aquasecurity/trivy-action@0.28.0 + with: + image-ref: ${{ env.IMAGE_ID }}:${{ env.TAG }} + format: "sarif" + output: "trivy-results.sarif" + ignore-unfixed: true + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: "trivy-results.sarif" diff --git a/.github/actions/test/action.yml b/.github/actions/test/action.yml index e9eecdc..441d20f 100644 --- a/.github/actions/test/action.yml +++ b/.github/actions/test/action.yml @@ -22,7 +22,7 @@ runs: with: repository: ${{ inputs.application-repository }} path: test - - name: TODO + - name: DEBUG run: | echo "inputs.application-repository: ${{ inputs.application-repository }}" echo "inputs.image: ${{ inputs.image }}" 
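Review bot: `echo "TAG=$VERSION" >> "$GITHUB_ENV"` in the Prepare image tag step sets an empty TAG, because the step defines only VERSION_MAJOR and VERSION_MINOR and nothing in the new file sets VERSION or IMAGE_ID, so unless an earlier step in the same job exported them via GITHUB_ENV the Build and push images step ends up with `tags: ${{ env.IMAGE_ID }}:`; deriving it from the action's own input, `echo "TAG=${{ inputs.image-tag }}" >> "$GITHUB_ENV"`, or stating the dependency on the build action's environment in a comment above `runs:` would settle this. `${{ inputs.image-tag }}` and `${{ inputs.github-token }}` are expanded straight into `run:` scripts; passing them through a step-level `env:` and referencing `"$IMAGE_TAG"` / `"$GITHUB_TOKEN"` keeps a tag from an untrusted source from being interpreted by the shell, and the same applies to `inputs.image` and `inputs.image-tag` in the Start application step of .github/actions/test/action.yml. `docker login ghcr.io -u $ --password-stdin` shows a bare `$` as the username, which looks like a lost expression; worth confirming against the file. The Trivy scan runs after `push: true`, so findings surface only once the image is already published.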
@@ -30,11 +30,12 @@ runs: ls -alh ls -alh test shell: bash - - name: Update docker-compose.yml + - name: Start application run: | cd test + docker images cat docker-compose.yml - yq '(.services.app.build.args.IMAGE|="${{ inputs.image }}")' docker-compose.yml > tmp.$$.yml && mv tmp.$$.yml docker-compose.yml + yq '(.services.app.build.args.IMAGE|="ghcr.io/${{ github.repository_owner }}/${{ inputs.image }}")' docker-compose.yml > tmp.$$.yml && mv tmp.$$.yml docker-compose.yml yq '(.services.app.build.args.IMAGE_TAG|="${{ inputs.image-tag }}")' docker-compose.yml > tmp.$$.yml && mv tmp.$$.yml docker-compose.yml cat docker-compose.yml PORT=$(yq '(.services.app.ports)' docker-compose.yml | sed -e 's/^\- \(.*\)\:.*$/\1/') diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 78957e1..94d4f90 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,4 +1,4 @@ -name: Build and publish +name: Build, test and publish permissions: contents: read 
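Review bot: Each `yq '...' docker-compose.yml > tmp.$$.yml && mv tmp.$$.yml docker-compose.yml` rewrite in the Start application step goes through a temporary file, where `yq -i '<expression>' docker-compose.yml` edits in place, assuming the yq in use supports `-i`; with two such rewrites back to back the step would read more clearly. The added `docker images` line is debugging output with no effect on the step, so either drop it or label it, e.g. `docker images  # debug: confirm the built image is present locally`. The step body continues past the end of the hunk.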
@@ -25,28 +25,28 @@ concurrency: cancel-in-progress: true jobs: - python: - name: Python - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Build and push - id: build - uses: ./.github/actions/build - with: - image-name: tna-python - docker-context: docker/tna-python - ignore-linting-rules: DL3002,DL3006 - github-token: ${{ secrets.GITHUB_TOKEN }} - - name: Test - uses: ./.github/actions/test - with: - application-repository: nationalarchives/flask-application-template - service: app - # image: ghcr.io/${{ github.repository_owner }}/tna-python - image: tna-python - image-tag: ${{ steps.build.outputs.tag }} + # python: + # name: Python + # runs-on: ubuntu-latest + # steps: + # - name: Checkout + # uses: actions/checkout@v4 + # - name: Build + # id: build + # uses: ./.github/actions/build + # with: + # image-name: tna-python + # docker-context: docker/tna-python + # ignore-linting-rules: DL3002,DL3006 + # github-token: ${{ secrets.GITHUB_TOKEN }} + # - name: Test + # uses: ./.github/actions/test + # with: + # application-repository: nationalarchives/flask-application-template + # service: app + # image: ghcr.io/${{ github.repository_owner }}/tna-python + # image: tna-python + # image-tag: ${{ steps.build.outputs.tag }} # python-root: # name: Python (root) @@ -54,7 +54,7 @@ jobs: # steps: # - name: Checkout # uses: actions/checkout@v4 - # - name: Build and push + # - name: Build # id: build # uses: ./.github/actions/build # with: @@ -71,7 +71,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - - name: Build and push + - name: Build id: build uses: ./.github/actions/build with: 
@@ -87,6 +87,13 @@ jobs: # image: ghcr.io/${{ github.repository_owner }}/tna-python-django image: tna-python-django image-tag: ${{ steps.build.outputs.tag }} + - name: Push + uses: ./.github/actions/push + with: + image-name: tna-python-django + base-image: ghcr.io/nationalarchives/tna-python + docker-context: docker/tna-python-django + github-token: ${{ secrets.GITHUB_TOKEN }} # python-django-root: # name: Python Django (root) @@ -95,7 +102,7 @@ jobs: # steps: # - name: Checkout # uses: actions/checkout@v4 - # - name: Build and push + # - name: Build # id: build # uses: ./.github/actions/build # with: @@ -112,7 +119,7 @@ jobs: # steps: # - name: Checkout # uses: actions/checkout@v4 - # - name: Build and push + # - name: Build # id: build # uses: ./.github/actions/build # with:
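Review bot: The new Push step passes no `image-tag`, although .github/actions/push/action.yml declares that input as required and derives MAJOR_VERSION and MINOR_VERSION from it; as far as I know the runner does not fail a composite action for a missing required input, so the push action would proceed with empty version values. The Test step directly above supplies `image-tag: ${{ steps.build.outputs.tag }}`, and the Push step should pass the same value. The hard-coded `base-image: ghcr.io/nationalarchives/tna-python` also differs from the `ghcr.io/${{ github.repository_owner }}/...` form the test action uses, so a fork would test against one base image and push against another. Only `contents: read` is visible in this file's permissions block; pushing to ghcr.io with GITHUB_TOKEN and uploading SARIF need `packages: write` and `security-events: write`, so confirm the job grants them.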