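# Reusable workflow (workflow_call): builds the EPS devcontainer base image
# natively for amd64 and arm64, scans each image with Trivy, and — when
# `publish_image` is true — assembles a multi-arch manifest and pushes it to
# ghcr.io.
#
# Security notes:
# - Every third-party action is pinned to a full commit SHA, not a mutable tag.
# - Workflow inputs reach shell steps only through `env:`, never by direct
#   `${{ }}` interpolation into the script body (avoids script injection).
# - The GitHub App token minted in `build_image` is handed only to the build
#   step; publishing to GHCR uses the job's own GITHUB_TOKEN.
name: Build and push docker image

# Quoted because an unquoted `on` is a YAML 1.1 boolean for generic parsers.
'on':
  workflow_call:
    inputs:
      publish_image:
        description: When true, run the publish_image job and push the images and manifests to ghcr.io
        required: true
        type: boolean
      docker_tag:
        description: Tag applied to the per-architecture images and to the multi-arch manifest
        required: true
        type: string
    secrets:
      EPS_REPO_STATUS_PEM:
        description: Private key of the GitHub App (app id in vars.EPS_REPO_STATUS_APP_ID) used to mint a token for reading other NHSDigital repositories during the build
        required: true

jobs:
  build_image:
    # Least privilege: once `permissions` is declared, every unlisted scope is
    # `none`. `contents: read` is what actions/checkout needs to clone the repo
    # (without it the clone only works because the repo happens to be public).
    # NOTE(review): no step in this job visibly uses OIDC; confirm whether
    # `make build-base-image` needs `id-token: write`, otherwise drop it.
    permissions:
      contents: read
      id-token: write
    runs-on: '${{ matrix.runner }}'
    strategy:
      # Let the other architecture finish so both scan reports are produced.
      fail-fast: false
      matrix:
        include:
          - arch: amd64
            runner: ubuntu-22.04
          - arch: arm64
            runner: ubuntu-22.04-arm
    steps:
      - name: Free Disk Space for Docker
        uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
        with:
          remove_android: true
          remove_dotnet: true
          remove_haskell: true
          remove_tool_cache: true
          rm_cmd: rm
          remove_packages: >-
            azure-cli google-cloud-cli microsoft-edge-stable
            google-chrome-stable firefox postgresql* temurin-* *llvm* mysql*
            dotnet-sdk-*
          remove_packages_one_command: true

      - name: Checkout code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          # Full history rather than a shallow clone.
          fetch-depth: 0

      - name: setup node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
        with:
          node-version-file: .tool-versions

      - name: Generate a token to get details from other repositories
        id: generate-token
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf
        with:
          app-id: ${{ vars.EPS_REPO_STATUS_APP_ID }}
          private-key: ${{ secrets.EPS_REPO_STATUS_PEM }}
          owner: "NHSDigital"
          # NOTE(review): with `owner` set and no `repositories`, the minted
          # token spans every repository the app is installed on in the org.
          # Add a `repositories:` list naming the repos the build actually
          # reads to narrow it.

      - name: make install
        run: |
          make install-node

      - name: Build container
        # Literal block (`|`) so each line runs as a separate command. A folded
        # block (`>`) would join them into a single `make` invocation with the
        # docker commands passed as stray targets/arguments.
        run: |
          make build-base-image
          docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}"
          docker save "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-base-${DOCKER_TAG}-${ARCHITECTURE}.img"
        env:
          # Short-lived GitHub App token exposed to the build under both names
          # (presumably revoked at job end by the token action's default).
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
          ARCHITECTURE: '${{ matrix.arch }}'
          DOCKER_TAG: '${{ inputs.docker_tag }}'
          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}

      # The saved image is uploaded before the scan gate below; that is safe
      # because publish_image `needs` this job, so a failed gate still blocks
      # publishing.
      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        name: Upload docker images
        with:
          name: "eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img"
          path: |
            eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img

      # First Trivy pass: report only (exit-code 0) so the JSON artifact is
      # always produced. Remaining settings come from the repo's trivy.yaml.
      - name: Check docker vulnerabilities - json output
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
        with:
          scan-type: "image"
          image-ref: "ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${{ matrix.arch }}"
          severity: "CRITICAL,HIGH"
          scanners: "vuln"
          vuln-type: "os,library"
          format: "json"
          output: "scan_results_docker.json"
          exit-code: "0"
          trivy-config: trivy.yaml

      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        name: Upload scan results
        with:
          name: "scan_results_docker_${{ matrix.arch }}.json"
          # Unquoted on purpose: inside a `|` block the quote characters would
          # become part of the path pattern and no file would match.
          path: |
            scan_results_docker.json

      # Second Trivy pass: the gate. exit-code 1 fails the job on any
      # CRITICAL/HIGH finding, which in turn prevents publish_image from running.
      - name: Check docker vulnerabilities - table output
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
        with:
          scan-type: "image"
          image-ref: "ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${{ matrix.arch }}"
          severity: "CRITICAL,HIGH"
          scanners: "vuln"
          vuln-type: "os,library"
          format: "table"
          output: "scan_results_docker.txt"
          exit-code: "1"
          trivy-config: trivy.yaml

      # Runs even when the gate fails so the findings are visible in the log.
      - name: Show docker vulnerability output
        if: always()
        run: |
          echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}"
          if [ -f scan_results_docker.txt ]; then
            cat scan_results_docker.txt
          fi
        env:
          ARCHITECTURE: '${{ matrix.arch }}'
          DOCKER_TAG: '${{ inputs.docker_tag }}'

  publish_image:
    # Only runs when every build_image matrix leg (including its Trivy gate)
    # succeeded and the caller asked for publication.
    needs: build_image
    runs-on: ubuntu-22.04
    if: ${{ inputs.publish_image }}
    # `packages: write` is what the GITHUB_TOKEN push to ghcr.io needs.
    # NOTE(review): `attestations: write` and `id-token: write` are only
    # required for a build-provenance attestation step, and none is visible in
    # this job. Either add an attestation over the pushed manifest digest or
    # drop these two scopes.
    permissions:
      contents: read
      packages: write
      attestations: write
      id-token: write
    steps:
      - name: Free Disk Space for Docker
        uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
        with:
          remove_android: true
          remove_dotnet: true
          remove_haskell: true
          remove_tool_cache: true
          rm_cmd: rm
          remove_packages: >-
            azure-cli google-cloud-cli microsoft-edge-stable
            google-chrome-stable firefox postgresql* temurin-* *llvm* mysql*
            dotnet-sdk-*
          remove_packages_one_command: true

      # Both tarballs come from build_image in this same workflow run.
      - name: Download amd64 images
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          name: eps-devcontainer-base-${{ inputs.docker_tag }}-amd64.img

      - name: Download arm64 images
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          name: eps-devcontainer-base-${{ inputs.docker_tag }}-arm64.img

      - name: Login to github container registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
        with:
          registry: ghcr.io
          username: ${{github.actor}}
          # Job-scoped token; `packages: write` above is what authorises the push.
          password: ${{secrets.GITHUB_TOKEN}}

      # Pushes the two per-arch images under both `${DOCKER_TAG}-<arch>` and
      # `latest-<arch>`, then publishes manifests for `${DOCKER_TAG}` and
      # `latest`. `latest` is a mutable tag; consumers wanting reproducible
      # pulls should pin the `${DOCKER_TAG}` tag or a digest.
      - name: Load and push multi-arch image
        run: |
          echo "loading images"
          docker load -i "eps-devcontainer-base-${DOCKER_TAG}-amd64.img"
          docker load -i "eps-devcontainer-base-${DOCKER_TAG}-arm64.img"
          echo "Tagging latest images"
          docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64"
          docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers:latest-arm64"
          echo "pushing images"
          docker push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64"
          docker push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64"
          docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64
          docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64
          echo "creating manifest"
          docker manifest create "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}" \
            --amend "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" \
            --amend "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64"
          docker manifest create "ghcr.io/nhsdigital/eps-devcontainers:latest" \
            --amend "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64" \
            --amend "ghcr.io/nhsdigital/eps-devcontainers:latest-arm64"
          echo "pushing manifest"
          docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}"
          docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:latest"
        env:
          DOCKER_TAG: ${{ inputs.docker_tag }}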