diff --git a/.circleci/config.yml b/.circleci/config.yml index bd353996..a3fe3a33 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,16 +1,5 @@ version: 2 jobs: - # system_testing: - # machine: - # image: ubuntu-2204:2022.04.2 - # steps: - # - checkout - # - run: - # name: system.testing - # command: | - # ./ci/system_testing.sh - # - store_artifacts: - # path: ./test-log build_gcc48_opentracing_15: docker: - image: ubuntu:18.04 @@ -33,36 +22,13 @@ jobs: - run: ./ci/install_gcc4.8.sh - run: ./ci/install_opentracing.sh - run: ./ci/do_ci.sh build - openresty_docker_image: - machine: true - steps: - - checkout - - run: - command: docker build -t opentracing/openresty -f Dockerfile-openresty . - - push_docker_image: - machine: true - steps: - - checkout - - run: - command: ./ci/do_ci.sh push_docker_image workflows: version: 2 build_test_and_deploy: jobs: - - push_docker_image: - filters: - branches: - ignore: /.*/ - tags: &tags - only: /^v[0-9]+(\.[0-9]+)*$/ - # - system_testing - build_gcc48_opentracing_15 - build_gcc48_opentracing_16: requires: - build_gcc48_opentracing_15 - # - openresty_docker_image: - # requires: - # - system_testing diff --git a/.github/workflows/docker-openresty.yml b/.github/workflows/docker-openresty.yml new file mode 100644 index 00000000..2f12ab03 --- /dev/null +++ b/.github/workflows/docker-openresty.yml 
@@ -0,0 +1,109 @@
+name: Docker Openresty
+
+on:
+ push:
+ branches:
+ - master
+ tags:
+ - "v[0-9]+.[0-9]+.[0-9]+"
+ pull_request:
+ branches:
+ - master
+
+concurrency:
+ group: ${{ github.ref_name }}-docker-openresty
+ cancel-in-progress: true
+
+jobs:
+ build-docker:
+ name: Build Docker Image
+ runs-on: ubuntu-22.04
+ services:
+ registry:
+ image: registry:2
+ ports:
+ - 5000:5000
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ driver-opts: network=host
+
+ - name: DockerHub Login
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+ if: github.event_name != 'pull_request'
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ if: github.event_name != 'pull_request'
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ name=opentracing/openresty,enable=${{ github.event_name != 'pull_request' }}
+ name=ghcr.io/opentracing-contrib/openresty,enable=${{ github.event_name != 'pull_request' }}
+ name=localhost:5000/opentracing/openresty
+ tags: |
+ type=edge
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ file: Dockerfile-openresty
+ pull: true
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ cache-from: type=gha,scope=openresty
+ cache-to: type=gha,scope=openresty,mode=max
+ sbom: true
+ provenance: mode=max
+
+ - name: Inspect SBOM and output manifest
+ run: |
+ docker buildx imagetools inspect localhost:5000/opentracing/openresty:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM
"linux/amd64").SPDX }}' > sbom-openresty.json + docker buildx imagetools inspect localhost:5000/opentracing/openresty:${{ steps.meta.outputs.version }} --format '{{ json (index .Provenance "linux/amd64").SLSA }}' > provenance-openresty.json + docker buildx imagetools inspect localhost:5000/opentracing/openresty:${{ steps.meta.outputs.version }} --raw + + - name: Scan SBOM + id: scan + uses: anchore/scan-action@v3 + with: + sbom: "sbom-openresty.json" + only-fixed: true + add-cpes-if-none: true + fail-build: false + + - name: Upload scan result to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + continue-on-error: true + with: + sarif_file: ${{ steps.scan.outputs.sarif }} + if: always() + + - name: Upload Scan Results + uses: actions/upload-artifact@v4 + continue-on-error: true + with: + name: scan-results-openresty + path: | + ${{ steps.scan.outputs.sarif }} + *.json + if: always() diff --git a/Makefile b/Makefile index 883a70bc..f957b0e3 100644 --- a/Makefile +++ b/Makefile @@ -20,4 +20,4 @@ test: .PHONY: clean clean: - rm -fr test-log + rm -fr test/test-log diff --git a/ci/do_ci.sh b/ci/do_ci.sh index bd547db3..d00da449 100755 --- a/ci/do_ci.sh +++ b/ci/do_ci.sh @@ -9,18 +9,6 @@ if [[ "$1" == "build" ]]; then mkdir -p "${BUILD_DIR}" ./ci/build_nginx_opentracing_module.sh exit 0 -elif [[ "$1" == "push_docker_image" ]]; then - echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin - VERSION_TAG="$(git describe --abbrev=0 --tags)" - VERSION="${VERSION_TAG/v/}" - - # openresty - docker build -t opentracing/openresty -f Dockerfile-openresty . - docker tag opentracing/openresty opentracing/openresty:${VERSION} - docker push opentracing/openresty:${VERSION} - docker tag opentracing/openresty opentracing/openresty:latest - docker push opentracing/openresty:latest - exit 0 else echo "Invalid do_ci.sh target" exit 1