dbp-625-Bugfix-workflow-not-found #2
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Builds and uploads a docker image and scans it with trivy (optional) | ||
| # Trivy scan can be disabled | ||
| # Image tag options: | ||
| # image_tag_generation: "ticket_from_branch" The ticket is extracted from the branch name (eg. OPS-123-testing -> OPS-123) | ||
| # image_tag_generation: "commit_hash" Short hash of the commit is used as tag | ||
| # image_tag_generation: "version_git_tag" Git tag with version is used as tag | ||
| # add_latest_tag: true/false "latest" gets added as additiontal image tag | ||
| name: Publish image (and run Trivy) | ||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| image_name: | ||
| description: "Name of the image to build" | ||
| required: true | ||
| type: string | ||
| context: | ||
| description: "Directory where the image is built, defaults to repository root" | ||
| required: false | ||
| default: "./" | ||
| type: string | ||
| container_registry: | ||
| description: "Target container registry. Currently only ghcr.io(default) is implemented." | ||
| required: false | ||
| type: string | ||
| default: "ghcr.io" | ||
| add_latest_tag: | ||
| description: "Whether latest should be added as image tag (default: false)" | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| image_tag_generation: | ||
| description: "Generation of the image tag: ticket_from_branch(default), commit_hash or version_git_tag" | ||
| required: false | ||
| type: string | ||
| default: "ticket_from_branch" | ||
| run_trivy_scan: | ||
| description: "Whether a trivy scan should run on the uploaded image (default: true)" | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| trivy_severity: | ||
| description: 'Severity filter for trivy (default "CRITICAL,HIGH")' | ||
| required: false | ||
| default: "CRITICAL,HIGH" | ||
| type: string | ||
| fail_on_vulnerabilites: | ||
| description: "Whether the workflow should fail if trivy finds vulnerabilities" | ||
| required: false | ||
| default: true | ||
| type: boolean | ||
| ignore-unfixed: | ||
| description: "Ignore vulerabilities without fix" | ||
| required: false | ||
| default: true | ||
| type: boolean | ||
| report_location: | ||
| description: "If defined it overrides the reported location (normally <organization>/<image>) of the trivy findings to a specific file (e.g. Dockerfile)" | ||
| required: false | ||
| default: "" | ||
| type: string | ||
| target: | ||
| description: "If defined you specify a build stage to stop at when building a multi-stage Dockerfile" | ||
| required: false | ||
| default: "" | ||
| type: string | ||
| jobs: | ||
| build_and_upload_image: | ||
| name: Publish image to ${{ inputs.container_registry }} | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| digest: ${{ steps.docker_build_push.outputs.digest }} | ||
| permissions: | ||
| packages: write | ||
| contents: read | ||
| steps: | ||
| - name: Checkout Code | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 | ||
| - name: Build image name and tags | ||
| id: docker_meta_img | ||
| uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 #v5.5.1 | ||
| with: | ||
| images: ${{ inputs.container_registry }}/${{ github.repository_owner }}/${{ inputs.image_name }} | ||
| tags: | | ||
| type=match,value={{branch}},pattern=^\w+?-\d+,enable=${{ inputs.image_tag_generation == 'ticket_from_branch' }} | ||
| type=match,value=${{ github.head_ref || ''}},pattern=^\w+?-\d+,enable=${{ inputs.image_tag_generation == 'ticket_from_branch' }} | ||
| type=sha,enable=${{ inputs.image_tag_generation == 'commit_hash' }} | ||
| type=pep440,pattern={{version}},enable=${{ inputs.image_tag_generation == 'version_git_tag' }} | ||
| flavor: | | ||
| latest=${{ inputs.add_latest_tag }} | ||
| - name: Login (GHCR) | ||
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d #v3.0.0 | ||
| if: ${{ inputs.container_registry == 'ghcr.io' }} | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Build and push ${{ inputs.image_name }} to ${{ inputs.container_registry }} | ||
| id: docker_build_push | ||
| uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 #v5.1.0 | ||
| with: | ||
| context: ${{ inputs.context }} | ||
| platforms: linux/amd64 | ||
| push: true | ||
| tags: ${{ steps.docker_meta_img.outputs.tags }} | ||
| labels: ${{ steps.docker_meta_img.outputs.labels }} | ||
| target: ${{ inputs.target }} | ||
| trivy_scan: | ||
| name: Trivy scan for uploaded image | ||
| # Wait for image upload | ||
| needs: build_and_upload_image | ||
| if: ${{ inputs.run_trivy_scan }} | ||
| permissions: | ||
| packages: read | ||
| security-events: write | ||
| uses: ./.github/workflows/check-trivy.yaml@5 | ||
| with: | ||
| image_ref: '${{ inputs.container_registry }}/${{ github.repository_owner }}/${{ inputs.image_name }}@${{ needs.build_and_upload_image.outputs.digest }}' | ||
| severity: ${{ inputs.trivy_severity }} | ||
| fail_on_vulnerabilites: ${{ inputs.fail_on_vulnerabilites }} | ||
| ignore-unfixed: ${{ inputs.ignore-unfixed }} | ||
| report_location: ${{ inputs.report_location }} | ||
