From 078b00ea4c770c67934ea119c31e3ba1a85b06b0 Mon Sep 17 00:00:00 2001
From: mjanez <96422458+mjanez@users.noreply.github.com>
Date: Fri, 9 Feb 2024 09:42:05 +0100
Subject: [PATCH] Update Docker actions and workflows
---
 .github/workflows/docker-manual.yaml | 13 +++---
 .github/workflows/docker-pr.yaml | 59 +++++++++-------------
 .github/workflows/docker.yaml | 22 +++++++----
 3 files changed, 40 insertions(+), 54 deletions(-)
diff --git a/.github/workflows/docker-manual.yaml b/.github/workflows/docker-manual.yaml
index 31a1c89..6b753bd 100644
--- a/.github/workflows/docker-manual.yaml
+++ b/.github/workflows/docker-manual.yaml
@@ -5,7 +5,6 @@ on: workflow_dispatch
 env:
 REGISTRY: ghcr.io
 IMAGE_NAME: ${{ github.repository }}
- TAG: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
 CONTEXT: .
 BRANCH: ${{ github.ref_name }}
 DOCKERFILE_PATH: /ckan-pycsw
@@ -35,18 +34,21 @@ jobs:
 
 - name: Extract Docker metadata
 id: meta
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 labels: |
 org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
 org.opencontainers.image.version=${{ env.BRANCH }}
 
+ - name: Replace slashes in BRANCH to avoid errors
+ run: echo "BRANCH=${BRANCH////_}" >> $GITHUB_ENV
+
 - name: Build and push
 uses: docker/build-push-action@v5
 with:
 push: true
- tags: ${{ env.TAG }}
+ tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
 labels: ${{ steps.meta.outputs.labels }}
 context: ${{ env.CONTEXT }}
 file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
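Review bot: The new `Replace slashes in BRANCH` step only rewrites `/`, yet the tag it feeds, `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}`, may only contain letters, digits, `_`, `.` and `-`, and a git ref name can still carry `@`, `+`, `#` or `%`, so the build step keeps failing for such branches. The same step appears in the docker.yaml hunk `@@ -42,18 +44,21 @@`. An allow-list keeps it a one-liner: `run: echo "BRANCH=$(printf '%s' "$BRANCH" | tr -c 'A-Za-z0-9._-' '_')" >> "$GITHUB_ENV"`. Reading the ref through the `BRANCH` shell variable instead of expanding `${{ github.ref_name }}` inside the script is the right pattern and should stay that way. Note that the `org.opencontainers.image.version` label is still built from the unsanitised value, since the metadata step runs before the replacement.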
@@ -55,16 +57,17 @@ jobs:
 uses: hadolint/hadolint-action@v3.1.0
 with:
 dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+ no-fail: true
 
 - name: Run Trivy container image vulnerability scanner
- uses: aquasecurity/trivy-action@0.12.0
+ uses: aquasecurity/trivy-action@0.17.0
 with:
 image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
 format: sarif
 output: trivy-results.sarif
 
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 if: always()
 with:
 sarif_file: trivy-results.sarif
diff --git a/.github/workflows/docker-pr.yaml b/.github/workflows/docker-pr.yaml
index 2be6650..0f44a94 100644
--- a/.github/workflows/docker-pr.yaml
+++ b/.github/workflows/docker-pr.yaml
@@ -3,21 +3,24 @@ name: Test ckan-pycsw images (PR)
 on:
 pull_request:
 branches:
- - main
- - latest
+ - main
+ - 'ckan-pycsw-*.*.*'
+ - '!dev/ckan-pycsw-*.*.*'
+ - '!feature/*'
+ - '!fix/*'
 
 env:
- REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository }}
- CONTEXT: .
- BRANCH: ${{ github.head_ref }}
- DOCKERFILE_PATH: /ckan-pycsw
- DOCKERFILE: Dockerfile
- HADOLINT_VERSION: 2.12.0
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ckan-pycsw
+ CONTEXT: .
+ BRANCH: ${{ github.head_ref }}
+ DOCKERFILE_PATH: /ckan-pycsw
+ DOCKERFILE: Dockerfile
+ HADOLINT_VERSION: 2.12.0
 
 jobs:
 docker:
- name: runner/test-docker-pr:${{ github.head_ref }}
+ name: runner/test-ckan-pycsw-pr:${{ github.head_ref }}
 runs-on: ubuntu-latest
 if: github.event_name == 'pull_request'
 steps:
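Review bot: `aquasecurity/trivy-action@0.17.0`, `github/codeql-action/upload-sarif@v3` and the unchanged `hadolint/hadolint-action@v3.1.0` are referenced by mutable tags, so the code that runs with this job's token can change without any commit in this repository. Pin each `uses:` to a full commit SHA and keep the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # 0.17.0`, and let Dependabot's `github-actions` ecosystem refresh them. The added `no-fail: true` makes hadolint advisory, so lint findings no longer block the push to the registry; if that is intended, say so next to it, e.g. `# advisory only: findings are reported but do not fail the job`. The same applies to the docker.yaml hunk `@@ -62,16 +67,17 @@` and to `jbergstroem/hadolint-gh-action@v1.12.2` in docker-pr.yaml.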
@@ -32,41 +35,15 @@ jobs:
 
 - name: Extract Docker metadata
 id: meta
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- labels: |
- org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
- org.opencontainers.image.version=${{ env.BRANCH }}
- - name: Build to test
- uses: docker/build-push-action@v5
- id: docker-push
- with:
- push: false
- tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
- labels: ${{ steps.meta.outputs.labels }}
- context: ${{ env.CONTEXT }}
- file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
- - name: Linting Dockerfile and annotate code inline in the github PR viewer
+
+ - name: Linting Dockerfiles and annotate code inline in the github PR viewer
 id: hadolint
- uses: jbergstroem/hadolint-gh-action@v1.11.0
+ uses: jbergstroem/hadolint-gh-action@v1.12.2
 with:
 dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
 version: ${{ env.HADOLINT_VERSION }}
 annotate: true
- error_level: -1
- - name: Run Trivy container image vulnerability scanner
- uses: aquasecurity/trivy-action@0.12.0
- with:
- image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
- format: sarif
- output: trivy-results.sarif
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- if: always()
- with:
- sarif_file: trivy-results.sarif
\ No newline at end of file
+ error_level: -1
\ No newline at end of file
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index f1d3225..0c9924a 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
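Review bot: After this hunk the `Extract Docker metadata` step (`id: meta`) has no consumer: the `Build to test` step that read `steps.meta.outputs.labels` is removed and nothing else visible reads it, so it is dead work on every PR. Either drop it or keep a `docker/build-push-action@v5` step with `push: false` so the Dockerfile is actually built before merge. With the build and the Trivy scan gone, the only remaining check is hadolint with `error_level: -1`, which is set to never fail the job, so this workflow can no longer reject a PR and the first build and vulnerability scan now happen in docker.yaml after the image has already been pushed. If that is intentional, a comment at the top of the job such as `# lint-only: images are built and scanned in docker.yaml after merge` would save the next reader from looking for the missing build. Note also that `IMAGE_NAME: ckan-pycsw` set earlier in this file differs from the `${{ github.repository }}` the other two workflows use, so `images:` here no longer names the image that is published.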
@@ -3,15 +3,17 @@ name: Build and push ckan-pycsw image from PR Merge
 on:
 pull_request:
 types:
- - closed
+ - closed
 branches:
- - main
- - latest
+ - main
+ - 'ckan-pycsw-*.*.*'
+ - '!dev/ckan-pycsw-*.*.*'
+ - '!feature/*'
+ - '!fix/*'
 
 env:
 REGISTRY: ghcr.io
 IMAGE_NAME: ${{ github.repository }}
- TAG: ghcr.io/${{ github.repository }}:${{ github.head_ref }}
 CONTEXT: .
 BRANCH: ${{ github.head_ref }}
 DOCKERFILE_PATH: /ckan-pycsw
@@ -42,18 +44,21 @@ jobs:
 
 - name: Extract Docker metadata
 id: meta
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 labels: |
 org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
 org.opencontainers.image.version=${{ env.BRANCH }}
 
+ - name: Replace slashes in BRANCH to avoid errors
+ run: echo "BRANCH=${BRANCH////_}" >> $GITHUB_ENV
+
 - name: Build and push
 uses: docker/build-push-action@v5
 with:
 push: true
- tags: ${{ env.TAG }}
+ tags: ghcr.io/${{ github.repository }}:${{ github.head_ref }}
 labels: ${{ steps.meta.outputs.labels }}
 context: ${{ env.CONTEXT }}
 file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
@@ -62,16 +67,17 @@ jobs:
 uses: hadolint/hadolint-action@v3.1.0
 with:
 dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+ no-fail: true
 
 - name: Run Trivy container image vulnerability scanner
- uses: aquasecurity/trivy-action@0.12.0
+ uses: aquasecurity/trivy-action@0.17.0
 with:
 image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
 format: sarif
 output: trivy-results.sarif
 
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 if: always()
 with:
 sarif_file: trivy-results.sarif
\ No newline at end of file
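Review bot: In the `Build and push` step of hunk `@@ -42,18 +44,21 @@` the new tag is `ghcr.io/${{ github.repository }}:${{ github.head_ref }}`, which uses the raw head ref, so the `Replace slashes in BRANCH` step added just above has no effect on the pushed tag and a branch containing `/` still yields an invalid one. The Trivy step in the next hunk scans `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}`, the sanitised name, which for such a branch is an image that was never pushed. Use the sanitised form in both places, as docker-manual.yaml now does: `tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}`. `github.head_ref` is chosen by whoever opened the PR, so it should stay out of any `run:` script in this job; the `${BRANCH////_}` shell-variable form in the new step is the right way to touch it.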