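# Composite action: prepare the runner (checkout, QEMU, Buildx, registry
# logins), validate the caller-supplied paths and image tag, run
# docker/build-push-action, and optionally attest and sign the result.
#
# All action inputs arrive as strings. Boolean-like inputs are compared to
# the literal 'true' in step conditions, so their defaults are quoted to keep
# the YAML type unambiguous.
name: Run docker buildx build
description: Prepare the environment and run docker buildx build.
author: support@senzing.com

inputs:
  aws-region:
    default: "us-east-1"
    description: AWS region used for ECR login
  build-options:
    description: Build-time variables forwarded to docker/build-push-action as build-args (newline-separated KEY=value pairs)
  context:
    default: "."
    description: Context (directory) of the docker build process
  dockerfile-path:
    default: "./Dockerfile"
    description: Path to the Dockerfile, passed as the build's file input
  image-repository:
    description: Docker repository (e.g. senzing/senzingapi-runtime)
    required: true
  image-tag:
    default: "latest"
    description: Docker image tag. '/' and '#' are stripped; the remainder must be a valid image tag.
  login-to-dockerhub:
    default: "true"
    description: Login to Dockerhub
  login-to-ecr:
    default: "false"
    description: Login to ECR
  ecr-registry-type:
    default: "public"
    description: ECR registry type (public or private). Public ECR requires us-east-1 region.
  password:
    description: Access Token for Docker registry
  platforms:
    default: "linux/amd64,linux/arm64"
    description: Comma-separated list of docker platforms to build (hint - See output of docker buildx ls)
  push:
    default: "false"
    description: Push image to registry
  registry-server:
    default: "docker.io"
    description: Docker registry server
  role-session-name:
    description: AWS role session name, required for ECR login
  role-to-assume:
    description: AWS role to assume, required for ECR login
  sign-image:
    default: "false"
    description: Sign and add attestations to the built image (true or false).
  skip-checkout:
    default: "false"
    description: Skip the checkout step. Useful when you need to set up the build context before calling this action.
  username:
    description: Username for Docker registry

runs:
  using: composite
  steps:
    # NOTE(review): the actions below are pinned by tag; pinning each to a
    # commit SHA makes this composite action's own supply chain reproducible.
    - if: ${{ inputs.skip-checkout != 'true' }}
      name: checkout repository
      uses: actions/checkout@v6
      with:
        fetch-depth: "0"
        # Do not leave the job token in .git/config for later steps.
        persist-credentials: false
        submodules: recursive

    - name: set up QEMU
      uses: docker/setup-qemu-action@v4

    - name: set up Docker Buildx
      uses: docker/setup-buildx-action@v4

    - if: ${{ inputs.login-to-dockerhub == 'true' }}
      name: DockerHub login
      uses: docker/login-action@v4
      with:
        registry: ${{ inputs.registry-server }}
        username: ${{ inputs.username }}
        password: ${{ inputs.password }}

    - if: ${{ inputs.login-to-ecr == 'true' }}
      name: configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v6
      with:
        aws-region: ${{ inputs.aws-region }}
        role-session-name: ${{ inputs.role-session-name }}
        role-to-assume: ${{ inputs.role-to-assume }}

    - id: login-ecr
      if: ${{ inputs.login-to-ecr == 'true' }}
      name: login to Amazon ECR
      uses: aws-actions/amazon-ecr-login@v2
      with:
        registry-type: ${{ inputs.ecr-registry-type }}

    # Inputs are passed through env so the shell script never interpolates
    # ${{ }} expressions directly; each value that is written to
    # GITHUB_OUTPUT is validated first so a crafted input cannot add or
    # overwrite other outputs.
    - id: generate-tags
      name: generate tags
      env:
        IMAGE_TAG: ${{ inputs.image-tag }}
        IMAGE_REPOSITORY: ${{ inputs.image-repository }}
        REGISTRY_SERVER: ${{ inputs.registry-server }}
        LOGIN_TO_ECR: ${{ inputs.login-to-ecr }}
        LOGIN_TO_DOCKERHUB: ${{ inputs.login-to-dockerhub }}
        ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        BUILD_CONTEXT: ${{ inputs.context }}
        DOCKERFILE_PATH: ${{ inputs.dockerfile-path }}
      run: |
        # Strip characters that are common in git ref names but illegal in
        # image tags.
        CLEANED_TAG=$(echo "$IMAGE_TAG" | tr -d "/#" )
        # Validate the cleaned tag: non-empty, image-tag character set, and
        # therefore free of newlines that would break GITHUB_OUTPUT. The
        # regex lives in a variable so the {m,n} quantifier is not touched
        # by shell expansion.
        tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
        if [[ ! "$CLEANED_TAG" =~ $tag_re ]]; then
          echo "::error::Invalid image tag: $IMAGE_TAG"
          exit 1
        fi
        tags=""
        if [[ "$LOGIN_TO_ECR" == "true" ]]; then
          tags="${ECR_REGISTRY}/${IMAGE_REPOSITORY}:$CLEANED_TAG,"
          tags="${tags}${ECR_REGISTRY}/${IMAGE_REPOSITORY}:latest,"
        fi
        if [[ "$LOGIN_TO_DOCKERHUB" == "true" ]]; then
          tags="${tags}${REGISTRY_SERVER}/${IMAGE_REPOSITORY}:$CLEANED_TAG,"
          tags="${tags}${REGISTRY_SERVER}/${IMAGE_REPOSITORY}:latest,"
        fi
        # Remove trailing comma
        tags="${tags%,}"
        echo "[INFO] tags are: $tags"
        echo "tags=${tags}" >> "$GITHUB_OUTPUT"
        # Validate context path - reject path traversal and unsafe characters
        if [[ "$BUILD_CONTEXT" =~ \.\. ]] || [[ ! "$BUILD_CONTEXT" =~ ^[a-zA-Z0-9_./-]+$ ]]; then
          echo "::error::Invalid context path: $BUILD_CONTEXT"
          exit 1
        fi
        echo "context=${BUILD_CONTEXT}" >> "$GITHUB_OUTPUT"
        # Validate dockerfile path
        if [[ "$DOCKERFILE_PATH" =~ \.\. ]] || [[ ! "$DOCKERFILE_PATH" =~ ^[a-zA-Z0-9_./-]+$ ]]; then
          echo "::error::Invalid dockerfile path: $DOCKERFILE_PATH"
          exit 1
        fi
        echo "dockerfile=${DOCKERFILE_PATH}" >> "$GITHUB_OUTPUT"
      shell: bash

    # Metadata (semver and long-sha tags) is only needed when signing.
    - id: docker_meta_dockerhub
      if: ${{ inputs.sign-image == 'true' && inputs.login-to-dockerhub == 'true' }}
      uses: docker/metadata-action@v6.0.0
      with:
        images: ${{ inputs.registry-server }}/${{ inputs.image-repository }}
        tags: |
          type=semver,pattern={{version}}
          type=sha,format=long

    - id: docker_meta_ecr
      if: ${{ inputs.sign-image == 'true' && inputs.login-to-ecr == 'true' }}
      uses: docker/metadata-action@v6.0.0
      with:
        images: ${{ steps.login-ecr.outputs.registry }}/${{ inputs.image-repository }}
        tags: |
          type=semver,pattern={{version}}
          type=sha,format=long

    - id: build-and-push
      name: Build and push
      uses: docker/build-push-action@v7
      with:
        # Empty when the DockerHub metadata step above was skipped.
        annotations: ${{ steps.docker_meta_dockerhub.outputs.annotations }}
        build-args: ${{ inputs.build-options }}
        # zizmor: ignore[template-injection]
        context: ${{ steps.generate-tags.outputs.context }}
        file: ${{ steps.generate-tags.outputs.dockerfile }}
        platforms: ${{ inputs.platforms }}
        provenance: mode=max
        push: ${{ inputs.push }}
        sbom: true
        tags: ${{ steps.generate-tags.outputs.tags }}

    - if: ${{ inputs.sign-image == 'true' && inputs.login-to-dockerhub == 'true' }}
      name: Generate DockerHub Attestations
      uses: senzing-factory/github-action-docker-buildx-build/attestations@v2
      with:
        artifact-name-prefix: dockerhub
        image-repository: ${{ inputs.image-repository }}
        registry-server: ${{ inputs.registry-server }}
        subject-digest: ${{ steps.build-and-push.outputs.digest }}

    - if: ${{ inputs.sign-image == 'true' && inputs.login-to-ecr == 'true' }}
      name: Generate ECR Attestations
      uses: senzing-factory/github-action-docker-buildx-build/attestations@v2
      with:
        artifact-name-prefix: ecr
        image-repository: ${{ inputs.image-repository }}
        registry-server: ${{ steps.login-ecr.outputs.registry }}
        subject-digest: ${{ steps.build-and-push.outputs.digest }}

    - if: ${{ inputs.sign-image == 'true' && inputs.login-to-dockerhub == 'true' }}
      name: Sign DockerHub Images
      uses: senzing-factory/github-action-docker-buildx-build/signing@v2
      with:
        digest: ${{ steps.build-and-push.outputs.digest }}
        image-tag: ${{ inputs.image-tag }}
        image-tags: ${{ steps.docker_meta_dockerhub.outputs.tags }}
        image-repository: ${{ inputs.image-repository }}
        registry-server: ${{ inputs.registry-server }}

    - if: ${{ inputs.sign-image == 'true' && inputs.login-to-ecr == 'true' }}
      name: Sign ECR Images
      uses: senzing-factory/github-action-docker-buildx-build/signing@v2
      with:
        digest: ${{ steps.build-and-push.outputs.digest }}
        image-tag: ${{ inputs.image-tag }}
        image-tags: ${{ steps.docker_meta_ecr.outputs.tags }}
        image-repository: ${{ inputs.image-repository }}
        registry-server: ${{ steps.login-ecr.outputs.registry }}

branding:
  icon: upload-cloud
  color: green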