feat(base-image): update base image #172

Workflow file for this run

.github/workflows/datahub-actions-docker.yml at 5ddda00

	name: datahub-actions docker
	on:
	push:
	branches:
	- main
	paths-ignore:
	- 'build/**'
	- '**.md'
	pull_request:
	branches:
	- main
	paths:
	- 'docker/**'
	- '.github/workflows/datahub-actions-docker.yml'
	paths_ignore:
	- 'build/**'
	- '**.md'
	release:
	types: [published, edited]
	workflow_dispatch:

	jobs:
	setup:
	runs-on: ubuntu-latest
	outputs:
	tag: ${{ steps.tag.outputs.tag }}
	publish: ${{ steps.publish.outputs.publish }}
	unique_tag: ${{ steps.tag.outputs.unique_tag }}
	steps:
	- name: Checkout
	uses: actions/checkout@v3
	- name: Compute Tag
	id: tag
	run: \|
	echo "GITHUB_REF: $GITHUB_REF"
	SHORT_SHA=$(git rev-parse --short "$GITHUB_SHA")
	TAG=$(echo ${GITHUB_REF} \| sed -e "s,refs/heads/main,head\,${SHORT_SHA},g" -e 's,refs/tags/,,g' -e 's,refs/pull/$[0-9]$.,pr\1,g')
	UNIQUE_TAG=$(echo ${GITHUB_REF} \| sed -e "s,refs/heads/main,${SHORT_SHA},g" -e 's,refs/tags/,,g' -e 's,refs/pull/$[0-9]$.,pr\1,g')
	echo "tag=$TAG" >> $GITHUB_OUTPUT
	echo "unique_tag=$UNIQUE_TAG" >> $GITHUB_OUTPUT
	- name: Check whether publishing enabled
	id: publish
	env:
	ENABLE_PUBLISH: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
	run: \|
	echo "Enable publish: ${{ env.ENABLE_PUBLISH != '' }}"
	echo "publish=${{ env.ENABLE_PUBLISH != '' }}" >> $GITHUB_OUTPUT
	push_to_registries:
	name: Build and Push Docker Image to DockerHub
	runs-on: ubuntu-latest
	if: ${{ needs.setup.outputs.publish == 'true' }}
	needs: setup
	steps:
	- name: Check out the repo
	uses: actions/checkout@v3
	- name: Docker meta
	id: docker_meta
	uses: crazy-max/ghaction-docker-meta@v1
	with:
	images: \|
	acryldata/datahub-actions
	tag-custom: ${{ needs.setup.outputs.tag }}
	tag-custom-only: true
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v2
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v2
	- name: Login to DockerHub
	uses: docker/login-action@v2
	with:
	username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
	password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
	- name: Build and Push Image
	uses: docker/build-push-action@v3
	with:
	file: ./docker/datahub-actions/Dockerfile
	platforms: linux/amd64,linux/arm64
	tags: ${{ steps.docker_meta.outputs.tags }}
	push: ${{ needs.setup.outputs.publish == 'true' }}
	build-args:
	"GEM_FURY_TOKEN=${{ secrets.GEMFURY_PULL_TOKEN }}"
	- name: Docker meta command separated
	id: docker_meta_comma_sep
	uses: crazy-max/ghaction-docker-meta@v1
	with:
	images: \|
	acryldata/datahub-actions
	tag-custom: ${{ needs.setup.outputs.tag }}
	tag-custom-only: true
	sep-tags: ','
	- name: Docker meta
	id: docker_meta_slim
	uses: crazy-max/ghaction-docker-meta@v1
	with:
	images: \|
	acryldata/datahub-actions-slim
	tag-custom: ${{ needs.setup.outputs.tag }}
	tag-custom-only: true
	- name: Actions Docker Tag
	id: action_tag
	run: echo "tag=$(cut -d',' -f1 <<<'${{ steps.docker_meta_comma_sep.outputs.tags }}')" >> $GITHUB_OUTPUT
	- name: Build and Push Image (slim)
	uses: docker/build-push-action@v3
	with:
	file: ./docker/datahub-actions/Dockerfile.slim
	platforms: linux/amd64,linux/arm64
	tags: ${{ steps.docker_meta_slim.outputs.tags }}
	push: ${{ needs.setup.outputs.publish == 'true' }}
	build-args:
	"DOCKER_BASE_IMAGE=${{ steps.action_tag.outputs.tag }}"
	# image_scan:
	# permissions:
	# contents: read # for actions/checkout to fetch code
	# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
	# name: "[Monitoring] Scan action images for vulnerabilities"
	# runs-on: ubuntu-latest
	# needs: [setup, push_to_registries]
	# steps:
	# - name: Checkout # adding checkout step just to make trivy upload happy
	# uses: actions/checkout@v3
	# - name: Download image
	# uses: ishworkh/docker-image-artifact-download@v1
	# if: ${{ needs.setup.outputs.publish != 'true' }}
	# with:
	# image: acryldata/datahub-actions:${{ needs.setup.outputs.unique_tag }}
	# - name: Run Trivy vulnerability scanner
	# uses: aquasecurity/trivy-action@master
	# env:
	# TRIVY_OFFLINE_SCAN: true
	# with:
	# image-ref: acryldata/datahub-actions:${{ needs.setup.outputs.unique_tag }}
	# format: 'template'
	# template: '@/contrib/sarif.tpl'
	# output: 'trivy-results.sarif'
	# severity: 'CRITICAL,HIGH'
	# ignore-unfixed: true
	# vuln-type: "os,library"
	# - name: Upload Trivy scan results to GitHub Security tab
	# uses: github/codeql-action/upload-sarif@v2
	# with:
	# sarif_file: 'trivy-results.sarif'
	image_scan_slim:
	permissions:
	contents: read # for actions/checkout to fetch code
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
	name: "[Monitoring] Scan slim action images for vulnerabilities"
	runs-on: ubuntu-latest
	needs: [setup, push_to_registries]
	steps:
	- name: Checkout # adding checkout step just to make trivy upload happy
	uses: actions/checkout@v3
	- name: Download image (slim)
	uses: ishworkh/docker-image-artifact-download@v1
	if: ${{ needs.setup.outputs.publish != 'true' }}
	with:
	image: acryldata/datahub-actions-slim:${{ needs.setup.outputs.unique_tag }}
	- name: Run Trivy vulnerability scanner (slim)
	uses: aquasecurity/trivy-action@master
	env:
	TRIVY_OFFLINE_SCAN: true
	with:
	image-ref: acryldata/datahub-actions-slim:${{ needs.setup.outputs.unique_tag }}
	format: 'template'
	template: '@/contrib/sarif.tpl'
	output: 'trivy-results.sarif'
	severity: 'CRITICAL,HIGH'
	ignore-unfixed: true
	vuln-type: "os,library"
	- name: Upload Trivy scan results to GitHub Security tab (slim)
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: 'trivy-results.sarif'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(base-image): update base image #172

Workflow file

feat(base-image): update base image #172

Jobs

Run details

Workflow file for this run