From 131c85b8c7777c655dcc8bb21b9fe7883edace2a Mon Sep 17 00:00:00 2001
From: Chris Ayers
Date: Wed, 14 Feb 2024 05:49:31 +0000
Subject: [PATCH] Update Docker image build workflow
---
 .github/workflows/docker-image.yml | 62 ++++++++++++++++++++++--------
 1 file changed, 45 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index ae06419..a70d1fe 100755
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -15,43 +15,71 @@ jobs:
   build:
     runs-on: ubuntu-latest
     env:
-      REPO: 'sampleapi'
+      IMAGE_NAME: 'sampleapi'
       TAG: ${{ github.sha }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@3
+        with:
+          cosign-release: 'v2.1.1'
+      # Set up BuildKit Docker container builder to be able to build
+      # multi-platform images and export cache
+      # https://github.com/docker/setup-buildx-action
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Login to Docker
+        uses: docker/setup-buildx-action@3
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ vars.DOCKER_LOGIN_SERVER }}
+        if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
           registry: ${{ vars.DOCKER_LOGIN_SERVER }}
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@5
+        with:
+          images: ${{ vars.DOCKER_LOGIN_SERVER }}/${{ env.IMAGE_NAME }}
+
       - name: Build Docker Image
         uses: docker/build-push-action@v5
         with:
           context: src/SampleApi
-          load: true
-          push: false
-          tags: ${{ env.REPO }}:${{ env.TAG }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: 'docker.io/library/${{ env.REPO }}:${{ env.TAG }}'
+          image-ref: 'docker.io/library/${{ env.IMAGE_NAME }}:${{ env.TAG }}'
           format: 'github'
           github-pat: ${{ github.token }}
         env:
           TRIVY_USERNAME: Username
           TRIVY_PASSWORD: Password
-      - name: Push image to ACR
-        uses: docker/build-push-action@v5
-        with:
-          context: src/SampleApi
-          push: true
-          tags: |
-            ${{ vars.DOCKER_LOGIN_SERVER }}/${{ env.REPO }}:latest
-            ${{ vars.DOCKER_LOGIN_SERVER }}/${{ env.REPO }}:${{ env.TAG }}
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data. If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
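Review bot: The signing step reads `steps.build-and-push.outputs.digest`, but the step that builds the image carries no `id:` (it is only `- name: Build Docker Image`), so `DIGEST` expands to an empty string and `cosign sign --yes {}@${DIGEST}` is handed a malformed reference; add `id: build-and-push` directly under that step. The Trivy step is likewise left pointing at `docker.io/library/${{ env.IMAGE_NAME }}:${{ env.TAG }}`, a local tag the rewritten build no longer produces (the old `load: true` and local `tags:` are removed and the image now goes straight to `vars.DOCKER_LOGIN_SERVER` with metadata-action tags), so the scan no longer covers what was just pushed and runs only after the push; scanning `${{ vars.DOCKER_LOGIN_SERVER }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}` (with real registry credentials in place of the literal `Username`/`Password` values) or moving the scan ahead of the push keeps it a meaningful gate. The new `sigstore/cosign-installer@3`, `docker/setup-buildx-action@3` and `docker/metadata-action@5` refs drop the `v` prefix used by the other actions in this file (`@v3`, `@v4`, `@v5`) and are likely to fail to resolve unless those repositories publish un-prefixed tags; pinning each action to a full commit SHA with the version in a trailing comment is the hardened form. Keyless `cosign sign` also requires `id-token: write` in the job's `permissions`, which lies outside this hunk and is worth confirming.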