Skip to content

Enahnce DataEngine Swagger Endpoints Description #664

Enahnce DataEngine Swagger Endpoints Description

Enahnce DataEngine Swagger Endpoints Description #664

Workflow file for this run

name: Docker
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
on:
workflow_dispatch:
inputs:
build_arm64:
description: 'Build and publish ARM64 image (multi-arch manifest)'
type: boolean
default: false
push:
branches:
- 'main'
- 'develop'
- 'release/**'
- 'hotfix/**'
# Publish semver tags as releases.
tags: [ 'v**' ]
pull_request:
branches:
- 'main'
- 'develop'
- 'release/**'
- 'hotfix/**'
permissions:
contents: read
env:
# Use docker.io for Docker Hub if empty
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository_owner }}/dataengine
DOCKERFILE_PATH: source/AAS.TwinEngine.DataEngine/Dockerfile
BUILD_CONTEXT: source
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
# Set up QEMU for ARM64 cross-compilation on AMD64 runners
- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
# Set up BuildKit Docker container builder to be able to build
# multi-platform images and export cache
# https://github.com/docker/setup-buildx-action
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
# ARM64 is included for main, develop, hotfix, release branches, version tags, and manual trigger.
# Pull requests (e.g. feature → develop) build AMD64 only; ARM64 is built on merge (push event).
- name: Determine build platforms
id: platforms
run: |
PLATFORMS="linux/amd64"
if [[ "${{ github.ref }}" == refs/heads/main ]] || \
[[ "${{ github.ref }}" == refs/heads/develop ]] || \
[[ "${{ github.ref }}" == refs/heads/hotfix/* ]] || \
[[ "${{ github.ref }}" == refs/heads/release/* ]] || \
[[ "${{ github.ref }}" == refs/tags/v* ]] || \
[[ "${{ inputs.build_arm64 }}" == "true" ]]; then
PLATFORMS="linux/amd64,linux/arm64"
fi
echo "platforms=$PLATFORMS" >> $GITHUB_OUTPUT
echo "include_arm64=$([ "$PLATFORMS" = "linux/amd64,linux/arm64" ] && echo 'true' || echo 'false')" >> $GITHUB_OUTPUT
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
flavor: |
latest=false
tags: |
type=semver,pattern={{raw}}
# Priority is set to ensure the develop-{{sha}} tag is preferred over other tags for the develop branch
type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref,'refs/heads/develop')}},priority=201
type=raw,value=develop,enable=${{startsWith(github.ref,'refs/heads/develop')}}
type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/release/')}}
# The following tag is only applied to regular branches except 'develop' and 'release/*' (i.e., not for tags or PRs)
type=raw,value={{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/') && !startsWith(github.ref,'refs/heads/develop') && !startsWith(github.ref,'refs/heads/release/')}}
type=ref,event=pr
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
with:
sbom: true
provenance: mode=max
context: ${{ env.BUILD_CONTEXT }}
file: ${{ env.DOCKERFILE_PATH }}
platforms: ${{ steps.platforms.outputs.platforms }}
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
# Extract the pure application SBOM from the artifact stage, we want to handle it separately from the container SBOM
# This automaticaly re-uses the previously generated stage from cache, so we get the exact sbom from previous build step
- name: Export Application SBOM from artifact stage
if: ${{ github.event_name != 'pull_request' }}
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
with:
context: ${{ env.BUILD_CONTEXT }}
file: ${{ env.DOCKERFILE_PATH }}
target: app-sbom-artifact
push: false
outputs: type=local,dest=sbom-output
# Extract the tag with the highest priority from the list for Trivy scanning
- name: Get highest priority image tag
if: ${{ github.event_name != 'pull_request' }}
id: highest-priority-tag
run: |
# The first tag in the list is the one with the highest priority
echo "value=$(echo '${{ steps.meta.outputs.tags }}' | head -n1)" >> $GITHUB_OUTPUT
# Generate container SBOM.
- name: Run Trivy in GitHub SBOM mode to generate CycloneDX SBOM for container
if: ${{ github.event_name != 'pull_request' }}
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
env:
TRIVY_PLATFORM: linux/amd64
with:
scan-type: 'image'
format: 'cyclonedx'
output: 'sbom-output/sbom_container_amd64.cyclonedx.json'
image-ref: ${{ steps.highest-priority-tag.outputs.value }}
skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a separate SBOM for easier vulnerability management and because trivy misses important fields
# Scan ARM64 image separately when a multi-arch build was produced
- name: Run Trivy scan for ARM64 image
if: ${{ github.event_name != 'pull_request' && steps.platforms.outputs.include_arm64 == 'true' }}
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
env:
TRIVY_PLATFORM: linux/arm64
with:
scan-type: 'image'
format: 'cyclonedx'
output: 'sbom-output/sbom_container_arm64.cyclonedx.json'
image-ref: ${{ steps.highest-priority-tag.outputs.value }}
skip-dirs: '/App'
- name: Upload trivy/container AND application SBOMs as a Github artifact
if: ${{ github.event_name != 'pull_request' }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: sbom
path: '${{ github.workspace }}/sbom-output/'