-
Notifications
You must be signed in to change notification settings - Fork 0
172 lines (151 loc) · 5.85 KB
/
build_push.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
---
name: Build and Publish Image
env:
REGISTRY: ghcr.io
OS_NAME: ubuntu
OS_VERSION: jammy
on:
workflow_dispatch:
inputs:
r_version:
description: R Version
required: true
type: choice
default: "4.3.2"
options:
- "4.3.2"
- "release"
quarto_version:
description: Quarto version
required: true
type: choice
default: "1.3.450"
options:
- "1.3.450"
pandoc_version:
description: Pandoc version
required: true
type: choice
default: "2.9.2.1"
options:
- "2.9.2.1"
cran_snapshot_date:
description: CRAN packages snapshot date (YYYY-MM-DD)
required: true
default: "2024-01-12"
type: string
custom_tag:
description: Custom image tag
required: false
default: ""
type: string
jobs:
build_publish:
name: Build and Publish Image
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- name: Checkout project ⬇️
uses: actions/checkout@v4
- name: Set up Docker Buildx 📐
uses: docker/setup-buildx-action@v3
with:
install: true
- name: Log in to the container registry 🗝️
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set build variables ✏️
id: build_vars
shell: bash
run: |
echo "IMAGE_DATE_TAG=$(date +%Y.%m.%d)" >> $GITHUB_OUTPUT
CRAN_DATE=$(echo ${{ github.event.inputs.cran_snapshot_date }} | sed 's/-/\./g')
IMAGE_NAME=${{ env.REGISTRY }}/${{ github.repository_owner }}/r_${{ github.event.inputs.r_version }}_cran_${CRAN_DATE}
echo "IMAGE_NAME=${IMAGE_NAME,,}" >> $GITHUB_OUTPUT
- name: Docker metadata 🐋
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ steps.build_vars.outputs.IMAGE_NAME }}
tags: |
${{ steps.build_vars.outputs.IMAGE_DATE_TAG }}
${{ github.event.inputs.custom_tag }}
type=raw,value=latest,enable=${{ github.ref_name == 'main' }}
labels: |
org.opencontainers.image.description=Image used in CI workflows by the Boehringer-Ingelheim organisation
org.opencontainers.image.vendor=Boehringer-Ingelheim
- name: Build and push image 🛠️
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
platforms: linux/amd64
cache-from: type=registry,ref=${{ steps.build_vars.outputs.IMAGE_NAME }}:cache
cache-to: type=registry,ref=${{ steps.build_vars.outputs.IMAGE_NAME }}:cache,mode=min
build-args: |
R_VERSION=${{ github.event.inputs.r_version }}
CRAN_DATE=${{ github.event.inputs.cran_snapshot_date }}
OS_NAME=${{ env.OS_NAME }}
OS_VERSION=${{ env.OS_VERSION }}
PANDOC_VERSION=${{ github.event.inputs.pandoc_version }}
QUARTO_VERSION=${{ github.event.inputs.quarto_version }}
outputs:
IMAGE: ${{ steps.build_vars.outputs.IMAGE_NAME }}
TAG: ${{ steps.build_vars.outputs.IMAGE_DATE_TAG }}
create-release:
if: github.ref_name == 'main'
needs: build_publish
name: Create release
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Generate release body 📜
id: build-release
shell: bash
run: |
NORMALISED_IMAGE=$(echo '${{ needs.build_publish.outputs.IMAGE }}' | sed 's/\//_/g')
echo "TAGGED_IMAGE=${{ needs.build_publish.outputs.IMAGE }}:${{ needs.build_publish.outputs.TAG }}" >> $GITHUB_OUTPUT
echo "MANIFEST_OUTPUT_FILENAME=Image_manifest_$NORMALISED_IMAGE.json" >> $GITHUB_OUTPUT
echo "R_PKG_OUTPUT_FILENAME=R_package_list_$NORMALISED_IMAGE.csv" >> $GITHUB_OUTPUT
echo "SBOM_OUTPUT_FILENAME=SBOM_for_$NORMALISED_IMAGE.spdx.json" >> $GITHUB_OUTPUT
- name: Generate image manifest and R package list 🛞
shell: bash
run: |
docker manifest inspect ${{ steps.build-release.outputs.TAGGED_IMAGE }} > ${{ steps.build-release.outputs.MANIFEST_OUTPUT_FILENAME }}
docker run -v ${PWD}:/app ${{ steps.build-release.outputs.TAGGED_IMAGE }} \
R -q -e 'write.csv(installed.packages(), file="/app/${{ steps.build-release.outputs.R_PKG_OUTPUT_FILENAME }}")'
- name: Generate SBOM 📃
uses: anchore/sbom-action@v0
with:
image: "${{ steps.build-release.outputs.TAGGED_IMAGE }}"
output-file: "${{ github.workspace }}/${{ steps.build-release.outputs.SBOM_OUTPUT_FILENAME }}"
- name: Upload artifacts to release ⬆️
uses: marvinpinto/action-automatic-releases@latest
with:
prerelease: false
repo_token: "${{ secrets.GITHUB_TOKEN }}"
automatic_release_tag: ${{ needs.build_publish.outputs.TAG }}
title: ${{ needs.build_publish.outputs.TAG }}
files: |
${{ steps.build-release.outputs.MANIFEST_OUTPUT_FILENAME }}
${{ steps.build-release.outputs.R_PKG_OUTPUT_FILENAME }}
${{ steps.build-release.outputs.SBOM_OUTPUT_FILENAME }}
sec_ops:
if: github.ref_name == 'main'
needs: build_publish
permissions:
security-events: write
name: Update security artifacts
uses: boehringer-ingelheim/dv.ci-images/.github/workflows/secops.yml@main
with:
image_tag: "${{ needs.build_publish.outputs.image }}:${{ needs.build_publish.outputs.tag }}"