-
-
Notifications
You must be signed in to change notification settings - Fork 40
/
reusable-docker.yml
243 lines (209 loc) · 8.9 KB
/
reusable-docker.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
name: Reusable workflow - Docker
on:
workflow_call:
inputs:
FOLDER:
required: true
type: string
AWS_ACCOUNT_NAME:
required: true
type: string
AWS_ACCOUNT_ID:
required: true
type: string
AWS_REGION:
required: true
type: string
AWS_ROLE:
required: true
type: string
REGISTRY:
required: true
type: string
IMAGE_NAME:
required: true
type: string
IMAGE_TAG:
required: false
type: string
default: 'latest'
jobs:
# ============================================================================
# BUILD
# ============================================================================
build:
name: build
runs-on: ubuntu-20.04
permissions:
contents: read
pull-requests: write
id-token: write
outputs:
digest: ${{ steps.build-and-push-step.outputs.digest }}
steps:
- name: 📂 Checkout repository
uses: actions/checkout@v3.0.2
# ========================================================================
# Install Tooling
# ========================================================================
# Install cosign except on PR
- name: 🔻 Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.9.0'
# Setup docker build
- name: 🔻 Setup Docker buildx
uses: docker/setup-buildx-action@v2
# ========================================================================
# Authenticate to AWS/ECR (except on PR)
# ========================================================================
# Get OIDC Token
- name: 🎟 Configure AWS Credentials
if: github.event_name != 'pull_request'
uses: aws-actions/configure-aws-credentials@v1.6.1
with:
aws-region: ${{ inputs.AWS_REGION }}
role-to-assume: arn:aws:iam::${{ inputs.AWS_ACCOUNT_ID }}:role/${{ inputs.AWS_ROLE }}
role-session-name: GithubActionsSession
# Login against ECR
- name: 🎟 Login to Amazon ECR
if: github.event_name != 'pull_request'
uses: aws-actions/amazon-ecr-login@v1
# ========================================================================
# Build locally and run Trivy (only in PR)
# ========================================================================
- name: 🚧 Build locally
if: github.event_name == 'pull_request'
id: build_local
uses: docker/build-push-action@master
with:
push: false
file: ${{ inputs.FOLDER }}/Dockerfile
tags: ${{ inputs.IMAGE_NAME }}:${{ inputs.IMAGE_TAG }}
# Needed for trivy
outputs: type=docker
- name: 🛡 Run Trivy vulnerability scanner
if: github.event_name == 'pull_request'
id: docker_trivy
uses: aquasecurity/trivy-action@0.2.5
continue-on-error: true
with:
image-ref: ${{ inputs.IMAGE_NAME }}:${{ inputs.IMAGE_TAG }}
format: 'table'
# WARN ONLY
exit-code: '0'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
# ========================================================================
# PR Output (only in PR)
# ========================================================================
- name: 📄 Show Build Output
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
env:
BUILD: ${{ steps.build_local.outputs.metadata }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const output = `#### Image: 📋 \`${{ inputs.IMAGE_NAME }}\`
| | Step | Result |
| --- | ---------- | -------------------------------------------- |
| 📖 | **Build** | \`${{ steps.build_local.outcome }}\` |
| 🛡 | **Trivy** | \`${{ steps.docker_trivy.outcome }}\` |
### Build:
<details>
<summary>Build output</summary>
\`\`\`${process.env.BUILD}
\`\`\`
</details>
---
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
# ========================================================================
# Build Image and push to ECR (except on PR)
# ========================================================================
# Extract metadata (tags, labels) for Docker
- name: 📭 Extract Docker metadata
if: ${{ github.event_name != 'pull_request' }}
id: meta
uses: docker/metadata-action@v3.6.0
with:
images: ${{ inputs.REGISTRY }}/${{ inputs.IMAGE_NAME }}
# Build and push container image with Buildx (don't push on PR)
- name: 🔨 Build and push container image
if: github.ref == 'refs/heads/main' && ${{ github.event_name != 'pull_request' }}
id: build-and-push-step
uses: docker/build-push-action@master
with:
push: ${{ github.event_name != 'pull_request' }}
file: ${{ inputs.FOLDER }}/Dockerfile
labels: ${{ steps.meta.outputs.labels }}
# Use tags: ${{ steps.meta.outputs.tags }} if you want to tag the image with branch name
tags: ${{ inputs.REGISTRY }}/${{ inputs.IMAGE_NAME }}:${{ inputs.IMAGE_TAG }}
# ========================================================================
# Sign Image Digest (except on PR)
# ========================================================================
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the
# repository is public to avoid leaking data
# If you would like to publish transparency data even for private images,
# pass --force to cosign below
- name: 🔏 Sign the published image
if: github.ref == 'refs/heads/main' && ${{ github.event_name != 'pull_request' }}
env:
COSIGN_EXPERIMENTAL: 'true'
run: cosign sign ${{ inputs.REGISTRY }}/${{ inputs.IMAGE_NAME }}:${{ inputs.IMAGE_TAG }}@${{ steps.build-and-push-step.outputs.digest }} -a "repo=${{ github.repository }}" -a "ref=${{ github.sha }}"
sbom:
name: sbom
runs-on: ubuntu-20.04
needs: [build]
# Don't run in PR
if: github.event_name != 'pull_request'
permissions:
contents: read
id-token: write
env:
IMAGE_DIGEST: ${{ needs.build.outputs.digest }}
steps:
# ========================================================================
# Install Tooling
# ========================================================================
# Install cosign except on PR
- name: 🔻 Install cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.9.0'
# Install syft
- name: 🔻 Install Syft
uses: anchore/sbom-action/download-syft@v0.11.0
# ========================================================================
# Authenticate to AWS/ECR (except on PR)
# ========================================================================
# Get OIDC Token
- name: 🎟 Configure AWS Credentials
if: github.event_name != 'pull_request'
uses: aws-actions/configure-aws-credentials@v1.6.1
with:
aws-region: ${{ inputs.AWS_REGION }}
role-to-assume: arn:aws:iam::${{ inputs.AWS_ACCOUNT_ID }}:role/${{ inputs.AWS_ROLE }}
role-session-name: GithubActionsSession
# Login against ECR
- name: 🎟 Login to Amazon ECR
if: github.event_name != 'pull_request'
uses: aws-actions/amazon-ecr-login@v1
# ========================================================================
# Create SBOM and attach it to image
# ========================================================================
- name: 🎫 Attach SBOM to image
env:
COSIGN_EXPERIMENTAL: 'true'
run: |
syft "${{ inputs.REGISTRY }}/${{ inputs.IMAGE_NAME }}@${IMAGE_DIGEST}" -o spdx-json=sbom-spdx.json
cosign attest --predicate sbom-spdx.json --type spdx "${{ inputs.REGISTRY }}/${{ inputs.IMAGE_NAME }}@${IMAGE_DIGEST}"
echo "::notice title=Verify SBOM attestation::COSIGN_EXPERIMENTAL=1 cosign verify-attestation ${{ inputs.REGISTRY }}/${IMAGE_NAME}@${IMAGE_DIGEST} | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType == \"https://spdx.dev/Document\") | .predicate.Data | fromjson'"