
Commit bf02c2a

committed
build only on pull request
1 parent dc10f7d commit bf02c2a

2 files changed

Lines changed: 146 additions & 115 deletions


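--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,90 +1,127 @@
 name: Build and push docker image
+'on':
+workflow_call:
+inputs:
+publish_image:
+required: true
+type: boolean
+jobs:
+build_image:
+permissions:
+id-token: write
+runs-on: '${{ matrix.runner }}'
+strategy:
+matrix:
+include:
+- arch: amd64
+runner: ubuntu-22.04
+- arch: arm64
+runner: ubuntu-22.04-arm
+steps:
+- name: Checkout code
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+with:
+fetch-depth: 0
+- name: setup node
+uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+with:
+node-version-file: .tool-versions
+- name: make install
+run: |
+make install-node
+- name: Build container
+run: >
+make build-base-image
 
-on:
-workflow_call:
+docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}"
 
-jobs:
+docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img"
+env:
+GH_TOKEN: '${{ github.token }}'
+ARCHITECTURE: '${{ matrix.arch }}'
+- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
+name: Upload docker images
+with:
+name: "eps-devcontainer-base-latest-${{ matrix.arch }}.img"
+path: |
+eps-devcontainer-base-latest-${{ matrix.arch }}.img
+- name: Check docker vulnerabilities
+uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
+with:
+scan-type: "image"
+image-ref: "ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}"
+severity: "CRITICAL,HIGH"
+scanners: "vuln"
+vuln-type: "os,library"
+format: "table"
+output: "dependency_results_docker.txt"
+exit-code: "1"
+trivy-config: trivy.yaml
+
+- name: Show docker vulnerability output
+if: always()
+run: |
+echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}"
+if [ -f dependency_results_docker.txt ]; then
+cat dependency_results_docker.txt
+fi
+env:
+ARCHITECTURE: '${{ matrix.arch }}'
+
+publish_image:
+needs: build_image
+runs-on: ubuntu-22.04
+if: ${{ inputs.publish_image }}
+permissions:
+contents: read
+packages: write
+attestations: write
+id-token: write
+steps:
+- name: Free Disk Space for Docker
+uses: >-
+endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
+with:
+remove_android: true
+remove_dotnet: true
+remove_haskell: true
+remove_tool_cache: true
+rm_cmd: rm
+remove_packages: >-
+azure-cli google-cloud-cli microsoft-edge-stable
+google-chrome-stable firefox postgresql* temurin-* *llvm* mysql*
+dotnet-sdk-*
+remove_packages_one_command: true
+- name: Download amd64 images
+uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+with:
+name: eps-devcontainer-base-latest-amd64.img
+- name: Download arm64 images
+uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+with:
+name: eps-devcontainer-base-latest-arm64.img
+- name: Load and push multi-arch image
+run: >
+echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{
+github.actor }} --password-stdin
+
+echo "loading images"
+
+docker load -i eps-devcontainer-base-latest-amd64.img
+
+docker load -i eps-devcontainer-base-latest-arm64.img
+
+echo "pushing images"
+
+docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64
 
-build_image:
-permissions:
-id-token: write
-runs-on: ${{ matrix.runner }}
-strategy:
-matrix:
-include:
-- arch: amd64
-runner: ubuntu-22.04
-- arch: arm64
-runner: ubuntu-22.04-arm
-steps:
-- name: Checkout code
-uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
-with:
-fetch-depth: 0
+docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64
 
-# use setup-node rather than asdf so that it works multi-arch
-- name: setup node
-uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
-with:
-node-version-file: .tool-versions
-- name: make install
-run: |
-make install-node
+echo "creating manifest"
 
-- name: Build container
-run: |
-make build-base-image
-docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}
-docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img
-env:
-GH_TOKEN: ${{ github.token }}
-ARCHITECTURE: ${{ matrix.arch }}
-- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
-name: Upload docker images
-with:
-name: eps-devcontainer-base-latest-${{ matrix.arch }}.img
-path: |
-eps-devcontainer-base-latest-${{ matrix.arch }}.img
+docker manifest create ghcr.io/nhsdigital/eps-devcontainers:latest \
+--amend ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 \
+--amend ghcr.io/nhsdigital/eps-devcontainers:latest-arm64
+echo "pushing manifest"
 
-publish_image:
-needs: build_image
-runs-on: ubuntu-22.04
-permissions:
-contents: read
-packages: write
-attestations: write
-id-token: write
-steps:
-- name: Free Disk Space for Docker
-uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
-with:
-remove_android: true
-remove_dotnet: true
-remove_haskell: true
-remove_tool_cache: true
-rm_cmd: "rm"
-remove_packages: "azure-cli google-cloud-cli microsoft-edge-stable google-chrome-stable firefox postgresql* temurin-* *llvm* mysql* dotnet-sdk-*"
-remove_packages_one_command: true
-- name: Download amd64 images
-uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
-with:
-name: eps-devcontainer-base-latest-amd64.img
-- name: Download arm64 images
-uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
-with:
-name: eps-devcontainer-base-latest-arm64.img
-- name: Load and push multi-arch image
-run: |
-echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-echo "loading images"
-docker load -i eps-devcontainer-base-latest-amd64.img
-docker load -i eps-devcontainer-base-latest-arm64.img
-echo "pushing images"
-docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64
-docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64
-echo "creating manifest"
-docker manifest create ghcr.io/nhsdigital/eps-devcontainers:latest \
---amend ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 \
---amend ghcr.io/nhsdigital/eps-devcontainers:latest-arm64
-echo "pushing manifest"
-docker manifest push ghcr.io/nhsdigital/eps-devcontainers:latest
+docker manifest push ghcr.io/nhsdigital/eps-devcontainers:latest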
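Review bot: The "Load and push multi-arch image" step (new lines 104–106) still interpolates `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` directly into the shell script text, whereas the build step in the same hunk was changed to read `${ARCHITECTURE}` from `env:`; the login should follow that same pattern so no expression is expanded inside the script — add `env:` with `GH_TOKEN: '${{ github.token }}'` to the step and use `echo "$GH_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin` in the body. The reflow to `run: >` also splits `${{ github.actor }}` across lines 105–106 and relies on the `--amend` continuation lines (123–124) being more-indented than the first line so their breaks survive folding; the indentation is not visible on this page, but `run: |` as the other steps use removes that dependency entirely. Separately, `id-token: write` on `build_image` (line 11) and `attestations: write` plus `id-token: write` on `publish_image` (lines 78–79) are not used by any step in this hunk; if no OIDC or attestation step is planned, dropping them keeps the job token to the scopes the steps actually exercise.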

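--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -1,56 +1,53 @@
 name: pull_request
-
-on:
+'on':
 pull_request:
-branches: [main]
-
+branches:
+- main
 env:
-BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
-
+BRANCH_NAME: '${{ github.event.pull_request.head.ref }}'
 jobs:
 dependabot-auto-approve-and-merge:
 needs: quality_checks
-uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
+uses: >-
+NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
 secrets:
-AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
-AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
-
+AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}'
+AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}'
 get_asdf_version:
 runs-on: ubuntu-22.04
 outputs:
-asdf_version: ${{ steps.asdf-version.outputs.version }}
-tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
+asdf_version: '${{ steps.asdf-version.outputs.version }}'
+tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}'
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
-
 - name: Get asdf version
 id: asdf-version
-run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT"
+run: >-
+echo "version=$(awk '!/^#/ && NF {print $1; exit}'
+.tool-versions.asdf)" >> "$GITHUB_OUTPUT"
 - name: Load config value
 id: load-config
 run: |
 TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
 echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
-
 quality_checks:
 uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@trivy
-needs: [get_asdf_version]
+needs:
+- get_asdf_version
 with:
-asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+asdfVersion: '${{ needs.get_asdf_version.outputs.asdf_version }}'
 secrets:
-SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
+SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
 pr_title_format_check:
-uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
-
+uses: >-
+NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432
 get_issue_number:
 runs-on: ubuntu-22.04
 needs: quality_checks
 outputs:
-issue_number: ${{ steps.get_issue_number.outputs.result }}
-version: ${{ steps.get_issue_number.outputs.version_number }}
-
+issue_number: '${{ steps.get_issue_number.outputs.result }}'
+version: '${{ steps.get_issue_number.outputs.version_number }}'
 steps:
 - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
 name: get issue number
@@ -71,26 +68,23 @@ jobs:
 ).data[0].number;
 }
 result-encoding: string
-
 get_commit_id:
 runs-on: ubuntu-22.04
 outputs:
-commit_id: ${{ steps.commit_id.outputs.commit_id }}
-sha_short: ${{ steps.commit_id.outputs.sha_short }}
-
+commit_id: '${{ steps.commit_id.outputs.commit_id }}'
+sha_short: '${{ steps.commit_id.outputs.sha_short }}'
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
-ref: ${{ env.BRANCH_NAME }}
-
+ref: '${{ env.BRANCH_NAME }}'
 - name: Get Commit ID
 id: commit_id
 run: |
 # echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV"
 echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
 echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
-
-
 package_docker_image:
 uses: ./.github/workflows/build_multi_arch_image.yml
+with:
+publish_image: false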
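Review bot: The `quality_checks` job at hunk line 35 still calls the shared workflow through the mutable ref `@trivy`, while every other `uses:` in this file, including the two this commit reflowed onto `>-` continuation lines, is pinned to a full commit SHA; a branch ref means the checks this PR workflow gates on can change without any change being reviewed here. Once that branch is merged, pin it the same way, e.g. `uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@<COMMIT_SHA>` (placeholder for the merged commit). The new `publish_image: false` at lines 89–90 satisfies the `required: true` input the called workflow now declares, so pull requests only build and scan; a one-line comment above it such as `# PRs build and scan the image but never publish it` would record that intent for the next reader.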
