patch: removed use-dockerhub
We can determine if it's a GHCR from the image-repo value and if so, append a username where required, otherwise we can presume the image repo is the image repo as it should be.
drew-viles authored Jan 27, 2024
1 parent b30f9c1 commit 0cdabf1
Showing 4 changed files with 62 additions and 53 deletions.
6 changes: 3 additions & 3 deletions .github/pull_request_template.md
Expand Up @@ -3,6 +3,6 @@
# Why is it required?

# PR checklist
- [ ] Run tests locally
- [ ] Updated Readme
- [ ] Updated Changelog
- [ ] Run container-security-action-demo against this branch
- [ ] Updated Readme (where required)
- [ ] Updated Changelog (where required)
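Review bot: the new checklist item `- [ ] Run container-security-action-demo against this branch` names a repository without linking to it or saying how to point it at the branch under review; add the link and a one-line hint (for instance, which `uses:` ref in the demo workflow to change) so a contributor can actually tick the box. Dropping `- [ ] Run tests locally` also leaves the end-to-end demo run as the only verification step; if that is intentional it is fine, otherwise keep both items.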
6 changes: 5 additions & 1 deletion CHANGELOG.md
Expand Up @@ -8,12 +8,16 @@

[//]: # (### Deprecated/Removed:)

## [ 2024/01/23 - v0.0.2 ]
## [ 2024/01/27 - v0.0.2 ]

### Added/Changed:

* Changed aws- prefixed to s3-prefixed to remove any confusion around aws requirement
* Updated action versions
* Added step to determine the repo type based on the repo name. If there is no period, it's presumed a DockerHub registry

### Removed
* removed `use-dockerhub` as it's determined based on the repo-name.

## [ 2024/01/23 - v0.0.1 ]
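Review bot: removing the `use-dockerhub` input is a breaking change for every workflow that currently passes it, but the `### Removed` entry reads as routine cleanup; state that callers must drop the input and that `image-repo` is now classified by whether it contains a period. Two wording points in the same hunk: `### Removed` is missing the colon used by `### Added/Changed:`, and the entries refer to "the repo name" and "the repo-name" while the input is called `image-repo`; use the real input name so readers can find it in the inputs table.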

53 changes: 27 additions & 26 deletions README.md
Expand Up @@ -75,38 +75,39 @@ files.
## Signing images with Cosign

The Cosign image signing works by using the standard process used by Cosign.
You will need to generate the [Cosign keys as described in their documentation](https://docs.sigstore.dev/key_management/overview/) and store these as a secret in GitHub.
You will need to generate
the [Cosign keys as described in their documentation](https://docs.sigstore.dev/key_management/overview/) and store
these as a secret in GitHub.
This can then be supplied via the `cosign-private-key` and `cosign-password` inputs.

**Hardware token verification is currently not supported.**

## Inputs

| Name | Description | Required | Default |
|------------------------|----------------------------------------------------|----------|--------------------------------|
| use-dockerhub | Set to true to use dockerhub. | false | false |
| image-repo | The repo to push the image to. | true | - |
| repo-username | The username to log into the repo. | true | - |
| repo-password | The password to log into the repo. | true | - |
| image-name | The name of the image to build. | true | - |
| image-tag | The tag to build the image with. | true | - |
| add-latest-tag | Adds a latest tag to the image | true | false |
| cosign-private-key | A private key to sign the image using Cosign. | true | - |
| cosign-password | The password to unlock the private key. | true | - |
| cosign-tlog | Set to true to upload to tlog for transparency. | false | 'false' |
| publish-image | If true, the image will be published to the repo. | false | 'false' |
| check-severity | Comma-delimited list of severities to check for. | false | high |
| sbom-fail-on-detection | Exit code for Trivy SBOM scan. | false | "1" |
| scan-fail-on-detection | Exit code for Trivy scan. | false | "2" |
| trivyignore-file | Trivy ignore file to prevent pipeline failure. | false | "trivyignore" |
| trivyignore-from-s3 | Supply trivyignore via S3. | false | false |
| s3-endpoint | Custom AWS S3 endpoint if not standard. | false | "https://some-s3-endpoint.com" |
| s3-region | The AWS Region. | false | "us-east-1" |
| s3-access-key | The S3 access key. | false | "" |
| s3-secret-key | The S3 secret key. | false | "" |
| s3-bucket | The S3 bucket for trivyignore file. | false | "trivy" |
| s3-path | The path in the S3 bucket to the trivyignore file. | false | "trivyignore" |
| dockerfile-path | Path to the Dockerfile. | false | "." |
| Name | Description | Required | Default |
|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|--------------------------------|
| image-repo | The repo to push the image to. This should just be the base url, eg: my-repo or ghcr.io or, if using DockerHub, just the username you'd usually use for your repo (you must also specify use-dockerhub). | true | - |
| repo-username | The username to log into the repo. | true | - |
| repo-password | The password to log into the repo. | true | - |
| image-name | The name of the image to build. | true | - |
| image-tag | The tag to build the image with. | true | - |
| add-latest-tag | Adds a latest tag to the image | true | false |
| cosign-private-key | A private key to sign the image using Cosign. | true | - |
| cosign-password | The password to unlock the private key. | true | - |
| cosign-tlog | Set to true to upload to tlog for transparency. | false | 'false' |
| publish-image | If true, the image will be published to the repo. | false | 'false' |
| check-severity | Comma-delimited list of severities to check for. | false | high |
| sbom-fail-on-detection | Exit code for Trivy SBOM scan. | false | "1" |
| scan-fail-on-detection | Exit code for Trivy scan. | false | "2" |
| trivyignore-file | Trivy ignore file to prevent pipeline failure. | false | "trivyignore" |
| trivyignore-from-s3 | Supply trivyignore via S3. | false | false |
| s3-endpoint | Custom AWS S3 endpoint if not standard. | false | "https://some-s3-endpoint.com" |
| s3-region | The AWS Region. | false | "us-east-1" |
| s3-access-key | The S3 access key. | false | "" |
| s3-secret-key | The S3 secret key. | false | "" |
| s3-bucket | The S3 bucket for trivyignore file. | false | "trivy" |
| s3-path | The path in the S3 bucket to the trivyignore file. | false | "trivyignore" |
| dockerfile-path | Path to the Dockerfile. | false | "." |

## TODO (AKA nice to haves but may not come!):
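Review bot: the new `image-repo` row still ends with "(you must also specify use-dockerhub)", but this commit removes that input and the matching description in action.yml has already dropped the phrase; delete it here too. While at it, describe the rule the action now applies rather than only listing examples: a value with no period is treated as a DockerHub username, `ghcr.io` has `/<repo-username>` appended, and any other value is used as the registry host as-is.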

50 changes: 27 additions & 23 deletions action.yml
Expand Up @@ -6,12 +6,10 @@ branding:
icon: layers
color: purple
inputs:
use-dockerhub:
description: "Set to true to use dockerhub."
required: false
image-repo:
description: "The repo to push the image to."
description: "The repo to push the image to. This should just be the base url, eg: my-repo or ghcr.io or, if using DockerHub, just the username you'd usually use for your repo."
required: true

repo-username:
description: "The username to log into the repo."
required: true
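Review bot: the example `my-repo` in the new `image-repo` description contradicts the detection this commit adds in the `Determine Registry` step, which treats any value without a period as a DockerHub username; `my-repo` would therefore trigger a DockerHub login rather than being used as a registry host. Replace the example with a dotted hostname (for instance `registry.example.com`) and spell out the rule in the description. Note also that registries addressed without a dot, such as `localhost:5000` or a bare in-cluster service name, can no longer be targeted once `use-dockerhub` is gone; if that matters, an explicit override input is safer than inferring the registry type from the name.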
Expand Down Expand Up @@ -61,7 +59,7 @@ inputs:
trivyignore-from-s3:
description: "If disabled, the trivyignore can be supplied via the repo itself but actions/checkout@v4 must be used before calling this action."
required: false
default: false
default: "false"
s3-endpoint:
description: "If the endpoint isn't a standard AWS one, pass it in here."
required: false
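Review bot: quoting the default as `"false"` is the right fix, since the step conditions compare inputs as strings (`inputs.publish-image == 'true'`), but the README inputs table touched in this same commit still lists the `trivyignore-from-s3` default as bare `false` while the other boolean-style inputs show `'false'`; update that row so the documented default matches the declared one.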
Expand Down Expand Up @@ -189,36 +187,42 @@ runs:
if: inputs.publish-image == 'true'
uses: sigstore/[email protected]

### USING DOCKERHUB ###
- name: Determine Registry
if: inputs.publish-image == 'true'
shell: bash
run: |
IS_DOCKERHUB="true"
REPO="${{ inputs.image-repo }}"
if echo "${{ inputs.image-repo }}" | grep -E -q '\.'; then
IS_DOCKERHUB="false"
fi
if [ "${{ inputs.image-repo }}" == "ghcr.io" ]; then
REPO="${{ inputs.image-repo }}/${{ inputs.repo-username }}"
fi
echo "IS_DOCKERHUB=${IS_DOCKERHUB}" >> "$GITHUB_ENV"
echo "REPO=${REPO}" >> "$GITHUB_ENV"
# Login into registry
- name: Login to GitHub Container Registry
if: inputs.publish-image == 'true' && inputs.use-dockerhub == 'true'
### USING DOCKERHUB ###
- name: Login to Docker Registry
if: inputs.publish-image == 'true' && env.IS_DOCKERHUB == 'true'
uses: docker/login-action@v3
with:
username: ${{ inputs.repo-username }}
password: ${{ inputs.repo-password }}

### USING ALT REPO ###
# Login into registry
- name: Login to GitHub Container Registry
if: inputs.publish-image == 'true' && inputs.use-dockerhub != 'true'
### USING NON-DOCKERHUB ###
- name: Login to Container Registry
if: inputs.publish-image == 'true' && env.IS_DOCKERHUB == 'false'
uses: docker/login-action@v3
with:
registry: ${{ inputs.image-repo }}
username: ${{ inputs.repo-username }}
password: ${{ inputs.repo-password }}

- name: Get Repo
shell: bash
if: inputs.publish-image == 'true'
run: |
export REPO=${{ inputs.image-repo }}/${{ inputs.repo-username }}
if [ ${{inputs.use-dockerhub}} ]; then
echo "REPO=${{ inputs.image-repo }}" >> "$GITHUB_ENV"
else
echo "REPO=${{ inputs.image-repo }}/${{ inputs.repo-username }}" >> "$GITHUB_ENV"
fi
# Push the image with the user-defined tag
- name: Build and push
if: inputs.publish-image == 'true'
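Review bot: the `Determine Registry` step interpolates `${{ inputs.image-repo }}` and `${{ inputs.repo-username }}` straight into the `run:` script (in the `REPO=` assignment, the `echo | grep`, the `[ ... == "ghcr.io" ]` test and the GHCR `REPO=` line), which is the script-injection pattern GitHub's security hardening guide warns about: if a caller ever feeds these inputs from event data, a value containing a quote, `$(...)` or a newline is executed by the runner shell or, via the `>> "$GITHUB_ENV"` writes, can set arbitrary environment variables for later steps. Pass the inputs through `env:` and reference them as shell variables, e.g.
`env:`
`  IMAGE_REPO: ${{ inputs.image-repo }}`
then `if [[ "$IMAGE_REPO" == *.* ]]; then IS_DOCKERHUB="false"; fi`, which also removes the `echo | grep` pipeline; since `REPO` is already assigned on the first line, the later references can use `"$REPO"`. Separately, for GHCR the appended namespace is the login username, but packages commonly live under an org while the token belongs to a user or bot account, so the push would land in the wrong namespace; a dedicated owner/namespace input (defaulting to `repo-username`) would cover both cases. Minor: the unchanged `# Login into registry` comment now sits above `### USING DOCKERHUB ###` and is repeated above `### USING NON-DOCKERHUB ###`, so one of the two comment lines in each pair is redundant.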
