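# Reusable workflow: builds the container image once per architecture, scans
# each image with Trivy, then assembles and pushes a multi-arch manifest to
# ghcr.io. Callers invoke it via `workflow_call`; every input is required.
name: Build and push docker image

# Quoted so the key is the string "on" rather than YAML 1.1's boolean true.
'on':
  workflow_call:
    inputs:
      tag_latest:
        description: >-
          When true the published image is also tagged `latest` (and
          `latest-<arch>` for each architecture).
        required: true
        type: boolean
      docker_tag:
        description: >-
          Version tag for the published image; per-architecture images are
          tagged `<docker_tag>-<arch>`.
        required: true
        type: string
      container_name:
        description: >-
          Name of the container under `src/<container_name>`; also used as the
          image name under ghcr.io/nhsdigital/eps-devcontainers.
        required: true
        type: string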
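jobs:
  # One build per architecture. The image is saved to a tarball and handed to
  # publish_image through an artifact so the multi-arch manifest is created in
  # a single place.
  build_image:
    name: Build image for ${{ inputs.container_name }} on ${{ matrix.arch }}
    permissions:
      # Declaring any permission sets every unlisted one to none, so contents
      # is stated explicitly for actions/checkout to read the repository.
      contents: read
      # NOTE(review): no step in this job visibly exchanges an OIDC token; if
      # `make build-image` does not need one either, drop this grant.
      id-token: write
    runs-on: '${{ matrix.runner }}'
    strategy:
      # Let the other architecture finish even if one build fails, so both
      # scan reports are still produced.
      fail-fast: false
      matrix:
        include:
          - arch: amd64
            runner: ubuntu-22.04
          - arch: arm64
            runner: ubuntu-22.04-arm
    steps:
      # Third-party action, pinned to a commit SHA rather than a mutable tag.
      - name: Free Disk Space for Docker
        uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
        with:
          remove_android: true
          remove_dotnet: true
          remove_haskell: true
          remove_tool_cache: true
          rm_cmd: rm
          remove_packages: >-
            azure-cli google-cloud-cli microsoft-edge-stable
            google-chrome-stable firefox postgresql* temurin-* *llvm* mysql*
            dotnet-sdk-*
          remove_packages_one_command: true

      - name: Checkout code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          # Full history; presumably required by the build for versioning —
          # confirm, a shallow clone would be cheaper.
          fetch-depth: 0

      - name: setup node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
        with:
          node-version-file: .tool-versions

      - name: make install
        run: |
          make install-node

      # Workflow inputs reach the shell only through `env`, never by inline
      # `${{ }}` interpolation into the script, so a crafted input cannot
      # change the commands that run.
      - name: Build container
        run: |
          make build-image
          docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}"
          docker save "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-${ARCHITECTURE}.img"
          # Build one trivyignore for the scan from the common file plus the
          # container-specific one, whichever exist. `sed -n '2,$p'` drops each
          # file's first line, which is assumed to be the `vulnerabilities:`
          # header that is written once here instead.
          combined="src/${CONTAINER_NAME}/.trivyignore_combined.yaml"
          common="src/common/.trivyignore.yaml"
          specific="src/${CONTAINER_NAME}/.trivyignore.yaml"
          echo "vulnerabilities:" > "$combined"
          if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi
          if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi
          echo "Combined trivy ignore file created at $combined"
          cat "$combined"
        env:
          ARCHITECTURE: '${{ matrix.arch }}'
          DOCKER_TAG: '${{ inputs.docker_tag }}'
          CONTAINER_NAME: '${{ inputs.container_name }}'
          # Consumed by the build (not visible here) — TODO confirm what reads it.
          BASE_VERSION: '${{ inputs.docker_tag }}'

      # Keeps the effective ignore list next to the scan results so a reviewer
      # can see exactly which findings were suppressed.
      - name: Upload combined trivy ignore file
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          # NOTE(review): artifact name is misspelled ("trivyigonre"); keep it
          # until every consumer that downloads it by name is updated too.
          name: "trivyigonre-${{ inputs.container_name }}-${{ matrix.arch }}"
          path: src/${{ inputs.container_name }}/.trivyignore_combined.yaml

      # The artifact name must match what publish_image downloads below.
      - name: Upload docker images
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: "eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img"
          path: eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img

      # First scan never fails the job (exit-code "0") so the JSON report is
      # always produced and uploaded; the table scan below is the actual gate.
      - name: Check docker vulnerabilities - json output
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
        with:
          scan-type: "image"
          image-ref: "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}"
          severity: "CRITICAL,HIGH"
          scanners: "vuln"
          vuln-type: "os,library"
          format: "json"
          output: "scan_results_docker.json"
          exit-code: "0"
          trivy-config: src/${{ inputs.container_name }}/trivy.yaml

      - name: Upload scan results
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json"
          path: scan_results_docker.json

      # Gate: any unignored CRITICAL/HIGH finding fails this job, which in turn
      # blocks publish_image via `needs`.
      - name: Check docker vulnerabilities - table output
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
        with:
          scan-type: "image"
          image-ref: "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}"
          severity: "CRITICAL,HIGH"
          scanners: "vuln"
          vuln-type: "os,library"
          format: "table"
          output: "scan_results_docker.txt"
          exit-code: "1"
          trivy-config: src/${{ inputs.container_name }}/trivy.yaml

      # Runs even when the gating scan fails so the table is visible in the log.
      - name: Show docker vulnerability output
        if: always()
        run: |
          echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}"
          if [ -f scan_results_docker.txt ]; then
            cat scan_results_docker.txt
          fi
        env:
          ARCHITECTURE: '${{ matrix.arch }}'
          DOCKER_TAG: '${{ inputs.docker_tag }}'
          # Previously the log line hard-coded the image name "base"; it now
          # names the container that was actually scanned.
          CONTAINER_NAME: '${{ inputs.container_name }}'

  # Runs once after every architecture has built and passed its scan: loads the
  # saved images, pushes the per-arch tags and stitches them into a multi-arch
  # manifest.
  publish_image:
    name: Publish image for ${{ inputs.container_name }}
    runs-on: ubuntu-22.04
    needs: build_image
    permissions:
      contents: read
      # Required to push to ghcr.io with GITHUB_TOKEN.
      packages: write
      # NOTE(review): no step below records an attestation or exchanges an
      # OIDC token; drop these two grants unless a later step needs them.
      attestations: write
      id-token: write
    steps:
      - name: Free Disk Space for Docker
        uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
        with:
          remove_android: true
          remove_dotnet: true
          remove_haskell: true
          remove_tool_cache: true
          rm_cmd: rm
          remove_packages: >-
            azure-cli google-cloud-cli microsoft-edge-stable
            google-chrome-stable firefox postgresql* temurin-* *llvm* mysql*
            dotnet-sdk-*
          remove_packages_one_command: true

      # Artifact names mirror the upload step in build_image.
      - name: Download amd64 images
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          name: eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-amd64.img

      - name: Download arm64 images
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          name: eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-arm64.img

      # Authenticates with the short-lived job token; no long-lived registry
      # credential is stored in the repository.
      - name: Login to github container registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Per-arch tags are pushed first because `docker manifest create` needs
      # them to exist in the registry before it can reference them.
      - name: Load and push multi-arch tagged image
        run: |
          echo "loading images"
          docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-amd64.img"
          docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-arm64.img"
          echo "pushing images"
          docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64"
          docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64"
          echo "creating manifest"
          docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \
            --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \
            --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64"
          echo "pushing manifest"
          docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}"
        env:
          DOCKER_TAG: '${{ inputs.docker_tag }}'
          CONTAINER_NAME: '${{ inputs.container_name }}'

      # Same sequence for the moving `latest` tag; relies on the images loaded
      # by the previous step still being present in the local daemon.
      - name: Load and push multi-arch latest image
        if: ${{ inputs.tag_latest }}
        run: |
          echo "Tagging latest images"
          docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64"
          docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64"
          echo "pushing images"
          docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64"
          docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64"
          echo "creating manifest"
          docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" \
            --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" \
            --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64"
          echo "pushing manifest"
          docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest"
        env:
          DOCKER_TAG: '${{ inputs.docker_tag }}'
          CONTAINER_NAME: '${{ inputs.container_name }}'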