From 332f27a7c06c949a1393f9a1e89d61f05e225382 Mon Sep 17 00:00:00 2001
From: Robert Waffen
Date: Fri, 30 Aug 2024 11:41:37 +0200
Subject: [PATCH] feat: add container build ci
Signed-off-by: Robert Waffen
---
 .github/workflows/build_container.yml | 55 ++++++++++++++++++
 .github/workflows/ci.yaml | 82 +++++++++++++++++++++++++++
 Dockerfile | 14 +++++
 build_versions.json | 12 ++++
 4 files changed, 163 insertions(+)
 create mode 100644 .github/workflows/build_container.yml
 create mode 100644 .github/workflows/ci.yaml
 create mode 100644 Dockerfile
 create mode 100644 build_versions.json
diff --git a/.github/workflows/build_container.yml b/.github/workflows/build_container.yml
new file mode 100644
index 0000000..98beccc
--- /dev/null
+++ b/.github/workflows/build_container.yml
@@ -0,0 +1,55 @@
+---
+name: Build and publish a 🛢️ container
+
+on:
+ push:
+ branches:
+ - 'main'
+ tags:
+ - '*'
+ workflow_dispatch:
+
+jobs:
+ setup-matrix:
+ runs-on: ubuntu-latest
+ outputs:
+ matrix: ${{ steps.set-matrix.outputs.matrix }}
+ steps:
+ - name: Source checkout
+ uses: actions/checkout@v4
+
+ - id: set-matrix
+ run: echo "matrix=$(jq -c . build_versions.json)" >> $GITHUB_OUTPUT
+
+ build-and-push-container:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ needs: setup-matrix
+ strategy:
+ matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+ steps:
+ - name: Build Vox Pupuli Test Container r${{ matrix.puppet_release }}
+ uses: voxpupuli/gha-build-and-publish-a-container@v2
+ with:
+ registry_password: ${{ secrets.GITHUB_TOKEN }}
+ build_args: |
+ BASE_IMAGE=${{ matrix.base_image }}
+ build_arch: linux/amd64,linux/arm64
+ docker_username: voxpupulibot
+ docker_password: ${{ secrets.DOCKERHUB_BOT_PASSWORD }}
+ tags: |
+ ghcr.io/voxpupuli/test:${{ matrix.puppet_release }}-${{ github.ref_name }}
+ ghcr.io/voxpupuli/test:${{ matrix.puppet_release }}
+ ghcr.io/voxpupuli/test:latest
+ docker.io/voxpupuli/test:${{ matrix.puppet_release }}-${{ github.ref_name }}
+ docker.io/voxpupuli/test:${{ matrix.puppet_release }}
+ docker.io/voxpupuli/test:latest
+
+ - name: Update Docker Hub Description
+ uses: peter-evans/dockerhub-description@v4
+ with:
+ username: voxpupulibot
+ password: ${{ secrets.DOCKERHUB_BOT_PASSWORD }}
+ repository: voxpupuli/test
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..311807e
--- /dev/null
+++ b/.github/workflows/ci.yaml
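Review bot: Both matrix jobs push `ghcr.io/voxpupuli/test:latest` and `docker.io/voxpupuli/test:latest` from the `tags:` block of build-and-push-container, so `latest` points at whichever puppet_release job finishes last and can flip between the ruby 2.7 and ruby 3.2 images (per build_versions.json in this same patch) from one run to the next. Restrict the two `latest` lines to a single matrix entry, for example by adding a boolean field to build_versions.json and gating on it, or drop them until one release is designated. Since this job holds `packages: write` plus `DOCKERHUB_BOT_PASSWORD`, the third-party actions it runs (`voxpupuli/gha-build-and-publish-a-container@v2`, `peter-evans/dockerhub-description@v4`) are referenced by mutable tags; pinning them to full commit SHAs keeps an upstream tag move from silently changing what executes with those credentials, and the same applies to the actions in ci.yaml. The unnamed `- id: set-matrix` step writes to an unquoted `$GITHUB_OUTPUT`; `>> "$GITHUB_OUTPUT"` is the safer form and the step deserves a `name:` like its siblings.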
@@ -0,0 +1,82 @@
+---
+name: CI🚦
+
+on:
+ pull_request:
+ branches:
+ - main
+ workflow_dispatch:
+
+jobs:
+ setup-matrix:
+ runs-on: ubuntu-latest
+ outputs:
+ matrix: ${{ steps.set-matrix.outputs.matrix }}
+ steps:
+ - name: Source checkout
+ uses: actions/checkout@v4
+
+ - id: set-matrix
+ run: echo "matrix=$(jq -c . build_versions.json)" >> $GITHUB_OUTPUT
+
+ build_test_container:
+ name: 'Build test container'
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ pull-requests: write
+ needs: setup-matrix
+ strategy:
+ matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Build image
+ uses: docker/build-push-action@v6
+ with:
+ tags: 'ci/test:${{ matrix.puppet_release }}'
+ push: false
+ build-args: |
+ BASE_IMAGE=${{ matrix.base_image }}
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: voxpupulibot
+ password: ${{ secrets.DOCKERHUB_BOT_PASSWORD }}
+
+ - name: Analyze container image for CVEs
+ id: analyze-image-cves
+ uses: docker/scout-action@v1
+ with:
+ command: cves
+ image: 'local://ci/test:${{ matrix.puppet_release }}'
+ sarif-file: sarif.output.${{ matrix.puppet_release }}.${{ github.sha }}.json
+ write-comment: false
+
+ - name: Compare container image to latest from Registry
+ id: compare-image
+ uses: docker/scout-action@v1
+ with:
+ command: compare
+ image: 'local://ci/test:${{ matrix.puppet_release }}'
+ to: 'ghcr.io/voxpupuli/test:${{ matrix.puppet_release }}-main'
+ summary: true
+ keep-previous-comments: true
+
+ - name: Upload SARIF result
+ id: upload-sarif
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: sarif.output.${{ matrix.puppet_release }}.${{ github.sha }}.json
+
+ tests:
+ needs:
+ - build_test_container
+ runs-on: ubuntu-latest
+ name: Test suite
+ steps:
+ - run: echo Test suite completed
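Review bot: The `Login to Docker Hub` step runs unconditionally on `pull_request`, but for pull requests opened from forks repository secrets are not exposed to the workflow, so `password: ${{ secrets.DOCKERHUB_BOT_PASSWORD }}` expands to empty and the login fails before any scanning happens; the `security-events: write` and `pull-requests: write` grants are likewise reduced to read-only for fork PRs, which would break the `upload-sarif` and `compare` steps too. Guard the credential- and write-dependent steps with `if: github.event.pull_request.head.repo.full_name == github.repository` so a fork contribution still gets the image build and a visible skip rather than a red job. The `Build image` step sets `push: false` without `load: true`; that is fine while the default docker driver is in use, but if `docker/setup-buildx-action` is ever added the image will no longer be in the local store and the `local://ci/test:...` references in both scout steps will fail, so a comment recording that dependency is worthwhile. The `tests` job only echoes a string, so as a required check it passes regardless of what was built; a line such as `# placeholder: no test suite yet, job exists so branch protection has a stable check name` would make that intent explicit.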
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..3b827a8
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,14 @@
+ARG BASE_IMAGE=docker.io/ruby:3.2.5-alpine3.20
+
+FROM $BASE_IMAGE
+
+LABEL org.label-schema.maintainer="Voxpupuli Team " \
+ org.label-schema.vendor="Voxpupuli" \
+ org.label-schema.url="https://github.com/voxpupuli/container-test" \
+ org.label-schema.name="Vox Pupuli Test Box" \
+ org.label-schema.license="AGPL-3.0-or-later" \
+ org.label-schema.vcs-url="https://github.com/voxpupuli/container-test" \
+ org.label-schema.schema-version="1.0" \
+ org.label-schema.dockerfile="/Dockerfile"
+
+COPY Dockerfile /
diff --git a/build_versions.json b/build_versions.json
new file mode 100644
index 0000000..b05ce90
--- /dev/null
+++ b/build_versions.json
@@ -0,0 +1,12 @@
+{
+ "include": [
+ {
+ "puppet_release": 7,
+ "base_image": "docker.io/ruby:2.7.8-alpine3.16"
+ },
+ {
+ "puppet_release": 8,
+ "base_image": "docker.io/ruby:3.2.5-alpine3.20"
+ }
+ ]
+}
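Review bot: The `org.label-schema.maintainer` value in the LABEL instruction ends in a trailing space (`"Voxpupuli Team "`), which looks like an angle-bracketed email address was dropped somewhere between the author's editor and this rendering; confirm the committed file carries the full contact, since this label is the only maintainer reference baked into the published image. The `org.label-schema.*` keys are the superseded label-schema.org vocabulary; the OCI annotations (`org.opencontainers.image.authors`, `.vendor`, `.url`, `.title`, `.licenses`, `.source`) are what registries and scanners read today, so add or switch to those. `FROM $BASE_IMAGE` resolves a mutable tag (`ruby:3.2.5-alpine3.20` by default, and whatever build_versions.json supplies in CI), so two builds of the same commit can produce different images; a digest-pinned base (`image:tag@sha256:<digest>`) makes the published test image reproducible and lets the CVE scan in ci.yaml speak about a specific commit. A short header comment such as `# BASE_IMAGE is overridden per matrix entry from build_versions.json (--build-arg BASE_IMAGE=...)` would tell readers where the ARG value comes from.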
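Review bot: The puppet_release 7 entry pins `docker.io/ruby:2.7.8-alpine3.16`; Ruby 2.7 reached end of life in 2023 and Alpine 3.16 has left its support window as well, so that image will accumulate unfixable CVEs that the scout `cves` step in ci.yaml reports on every pull request while nothing in the workflow fails on the result. If Puppet 7 genuinely requires Ruby 2.7, record that decision next to the entry, e.g. a sibling field `"note": "ruby 2.7 and alpine 3.16 are EOL; kept only for puppet 7 compatibility"`, so the recurring findings are understood rather than tuned out, and consider failing the CVE step for the supported entry only. Both `base_image` values are tag references rather than digests, so despite its name the file does not actually pin what gets built; an `@sha256:<digest>` suffix per entry would, and the `compare` step in ci.yaml would then show real drift instead of base-image churn.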