diff --git a/.github/workflows/ci-cd.yaml b/.github/workflows/ci-cd.yaml
index 63270fa..1b675a7 100644
--- a/.github/workflows/ci-cd.yaml
+++ b/.github/workflows/ci-cd.yaml
@@ -32,20 +32,17 @@ jobs:
   docker-build-and-image-scan:
     if: github.event_name == 'push'
     needs: test
-    uses: milsman2/python-app-template/.github/workflows/docker-build-and-scan.yaml@main
+    uses: ./.github/workflows/docker-build-and-scan.yaml
     with:
       DOCKER_PATH_CONTEXT: .
       DOCKER_BUILD_DOCKERFILE: ./Dockerfile
       DOCKER_TAGS: ${{ vars.DOCKER_USERNAME }}/${{ vars.DOCKER_REPOSITORY }}:${{ github.sha }}
-      DOCKER_LOAD_BOOL: false
-      DOCKER_PUSH_BOOL: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
       DOCKER_USERNAME: ${{ vars.DOCKER_USERNAME }}
     secrets: inherit
-
   release:
     if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
     needs: [test, docker-build-and-image-scan]
-    uses: milsman2/python-app-template/.github/workflows/release.yaml@main
+    uses: ./.github/workflows/release.yaml
     permissions:
       contents: write
     secrets: inherit
diff --git a/.github/workflows/docker-build-and-scan.yaml b/.github/workflows/docker-build-and-scan.yaml
index 75c6e7f..727d16f 100644
--- a/.github/workflows/docker-build-and-scan.yaml
+++ b/.github/workflows/docker-build-and-scan.yaml
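Review bot: With `DOCKER_PUSH_BOOL` removed from the `with:` block, `if: github.event_name == 'push'` is the only condition left on `docker-build-and-image-scan`, and the called workflow in the second file now sets `push: true` unconditionally, so a push to any branch publishes a `:${{ github.sha }}` image to Docker Hub, where previously only `main` and `v*` tags did. The `release` job directly below keeps its ref condition, so the two jobs are now gated differently and the image-publishing one is the less restricted. If branch images are intended, a comment above the job should say so; otherwise restore the gate on the job itself: `if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))`.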
@@ -12,50 +12,35 @@ on:
       DOCKER_TAGS:
         required: true
         type: string
-      DOCKER_LOAD_BOOL:
-        required: false
-        type: boolean
-        default: false
-      DOCKER_PUSH_BOOL:
-        required: false
-        type: boolean
-        default: false
       DOCKER_USERNAME:
         required: true
         type: string
 
 jobs:
   build-and-scan:
+    runs-on: ubuntu-latest
     env:
       DOCKER_PATH_CONTEXT: ${{ inputs.DOCKER_PATH_CONTEXT }}
       DOCKER_BUILD_DOCKERFILE: ${{ inputs.DOCKER_BUILD_DOCKERFILE }}
       DOCKER_TAGS: ${{ inputs.DOCKER_TAGS }}
-      DOCKER_LOAD_BOOL: ${{ inputs.DOCKER_LOAD_BOOL }}
-      DOCKER_PUSH_BOOL: ${{ inputs.DOCKER_PUSH_BOOL }}
       DOCKER_USERNAME: ${{ inputs.DOCKER_USERNAME }}
-    runs-on: ubuntu-latest
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
-      - name: Login to DockerHub
-        uses: docker/login-action@v4
+      - uses: actions/checkout@v6
+      - uses: docker/setup-qemu-action@v4
+      - uses: docker/setup-buildx-action@v4
+      - uses: docker/login-action@v4
         with:
           username: ${{ env.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Build (and maybe push) Docker image
+      - name: Build & push multi-arch image
         uses: docker/build-push-action@v7
         with:
-          context: ${{ env.DOCKER_PATH_CONTEXT }}
-          file: ${{ env.DOCKER_BUILD_DOCKERFILE}}
-          load: ${{ env.DOCKER_LOAD_BOOL }}
-          push: ${{ env.DOCKER_PUSH_BOOL }}
-          tags: ${{ env.DOCKER_TAGS }}
-      - name: Run Trivy vulnerability scanner (remote)
-        if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
+          context: ${{ env.DOCKER_PATH_CONTEXT }}
+          file: ${{ env.DOCKER_BUILD_DOCKERFILE }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: docker.io/${{ env.DOCKER_TAGS }}
+      - name: Run Trivy vulnerability scanner (multi-arch manifest)
         uses: aquasecurity/trivy-action@0.35.0
         with:
           image-ref: docker.io/${{ env.DOCKER_TAGS }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a5fbb17..b0cb6fd 100644
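Review bot: The Trivy step now scans `docker.io/${{ env.DOCKER_TAGS }}` only after `docker/build-push-action` has already published it with `push: true`, so a failing scan can no longer keep a vulnerable image from being pulled under its final tag; the removed `load:`/`push:` inputs at least let a caller defer the push. A multi-arch build cannot be `load`ed for a local scan, so the practical shape is to push to a provisional tag, scan it, and have a later step apply the release tag only on success, with a comment on the build step stating that publish happens before the scan if that ordering is kept. The Trivy step's `with:` block continues outside the hunk, so whether it sets an exit code that fails the job is not visible here. Separately, the added `- uses:` lines reference actions by mutable major tags; pinning them to full commit SHAs (with the tag in a trailing comment) is the usual hardening for a job that holds `DOCKERHUB_TOKEN`.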
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -93,7 +93,5 @@ jobs:
     with:
       DOCKER_PATH_CONTEXT: ${{ inputs.DOCKER_PATH_CONTEXT }}
       DOCKER_BUILD_DOCKERFILE: ${{ inputs.DOCKER_BUILD_DOCKERFILE }}
-      DOCKER_LOAD_BOOL: false
       DOCKER_TAGS: ${{ inputs.DOCKER_USERNAME }}/${{ inputs.DOCKER_REPOSITORY }}:${{ needs.Semantic-Release.outputs.tag }}
-      DOCKER_PUSH_BOOL: true
       DOCKER_USERNAME: ${{ inputs.DOCKER_USERNAME }}