-
Notifications
You must be signed in to change notification settings - Fork 8
129 lines (113 loc) · 4.2 KB
/
container-build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: Reusable Container Build
on:
workflow_call:
inputs:
build-version:
description: "Version of Logprep to build"
required: true
type: string
tags:
description: "Tags to apply to the image"
required: true
type: string
jobs:
containerbuild:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [ "3.10", "3.11", "3.12" ]
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate Image Tags
id: image-tag
run: |
python - <<EOF
import os
image = "ghcr.io/fkie-cad/logprep"
version = "${{ matrix.python-version }}"
tags = "${{ inputs.tags }}".split(",")
full_image = [f"{image}:py{version}-{tag.strip()}" for tag in tags]
with open(os.environ['GITHUB_OUTPUT'], 'a') as file:
file.write(f"tags={', '.join(full_image)}")
EOF
- name: Build image and export to Docker
uses: docker/build-push-action@v6
id: build
with:
context: .
load: true
build-args: |
LOGPREP_VERSION=${{ inputs.build-version }}
PYTHON_VERSION=${{ matrix.python-version }}
tags: ${{ steps.image-tag.outputs.tags }}
- name: Extract image ID from sha256
id: imageid
run: |
python - <<EOF
import os
digest = "${{ steps.build.outputs.ImageID }}"
with open(os.environ['GITHUB_OUTPUT'], 'a') as file:
file.write(f"imageid={digest.split(':')[1]}")
EOF
- name: Ensure logprep is available in image
run: |
docker run --rm ${{ steps.imageid.outputs.imageid }} --version
- name: Push image
uses: docker/build-push-action@v6
id: build-and-push
with:
context: .
push: true
build-args: |
LOGPREP_VERSION=${{ inputs.build-version }}
PYTHON_VERSION=${{ matrix.python-version }}
tags: ${{ steps.image-tag.outputs.tags }}
- name: Install Cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.4.1'
- name: Create SBOM of container image
uses: anchore/sbom-action@v0
with:
image: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
artifact-name: logprep@${{ steps.imageid.outputs.imageid }}.spdx.json
output-file: logprep@${{ steps.imageid.outputs.imageid }}.spdx.json
- name: Sign image with a key and add sbom attestation
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate logprep@${{ steps.imageid.outputs.imageid }}.spdx.json ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
# To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get date
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
- name: Restore trivy cache
uses: actions/cache@v4
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys:
trivy-cache-
- name: Scan image using Trivy
uses: aquasecurity/[email protected]
env:
TRIVY_CACHE_DIR: ./cache
with:
scan-type: image
image-ref: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
trivy-config: trivy.yaml
# Trivy-db uses `0600` permissions.
# But `action/cache` use `runner` user by default
# So we need to change the permissions before caching the database.
- name: Change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db