-
Notifications
You must be signed in to change notification settings - Fork 2
129 lines (110 loc) · 3.57 KB
/
build-docker.yml
File metadata and controls
129 lines (110 loc) · 3.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: Build Docker image
on:
workflow_call:
inputs:
tags:
description: "List of tags as key-value pair attributes"
required: false
type: string
flavor:
description: "List of flavors as key-value pair attributes"
required: false
type: string
env:
GHCR_REPO: ghcr.io/defguard/defguard-proxy
jobs:
build-docker:
runs-on:
- self-hosted
- Linux
- ${{ matrix.runner }}
strategy:
matrix:
cpu: [arm64, amd64]
include:
- cpu: arm64
runner: ARM64
tag: arm64
- cpu: amd64
runner: X64
tag: amd64
permissions:
contents: read
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
- name: Login to GitHub container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
buildkitd-config-inline: |
[registry."docker.io"]
mirrors = ["dockerhub-proxy.teonite.net"]
- name: Build container
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/${{ matrix.cpu }}
provenance: false
push: true
tags: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Scan image with Trivy
uses: aquasecurity/trivy-action@0.33.1
with:
image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
format: "table"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH,MEDIUM"
docker-manifest:
runs-on: [self-hosted, Linux]
permissions:
contents: read
packages: write
id-token: write # needed for signing the images with GitHub OIDC Token
needs: [build-docker]
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@v3.9.2
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.GHCR_REPO }}
flavor: ${{ inputs.flavor }}
tags: ${{ inputs.tags }}
- name: Login to GitHub container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Create and push manifests
run: |
tags='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
for tag in ${tags}
do
docker manifest rm ${tag} || true
docker manifest create ${tag} ${{ env.GHCR_REPO }}:${{ github.sha }}-amd64 ${{ env.GHCR_REPO }}:${{ github.sha }}-arm64
docker manifest push ${tag}
done
- name: Sign the images with GitHub OIDC Token
run: |
images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
cosign sign --yes ${images}
- name: Verify image signatures
run: |
images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
cosign verify ${images} --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/DefGuard/proxy" -o text