-
Notifications
You must be signed in to change notification settings - Fork 0
219 lines (203 loc) · 8.31 KB
/
all-build-push-scan-harbor.yml
File metadata and controls
219 lines (203 loc) · 8.31 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
name: Build, Push and Scan Harbor Images
on:
workflow_call:
inputs:
image_name:
description: 'Name of the Docker image'
required: true
type: string
organization:
description: 'Harbor organization name'
required: true
type: string
registry:
description: 'Docker registry URL'
required: false
type: string
default: 'registry.mconf.com'
dockerfile_path:
description: 'Path to Dockerfile'
required: false
type: string
default: './Dockerfile'
platforms:
description: 'Target platforms for the build'
required: false
type: string
default: 'linux/amd64'
build-args:
description: 'Build arguments for Docker build'
type: string
required: false
default: ''
context_path:
description: 'Path to build context directory'
type: string
required: false
default: '.'
build_target:
description: 'Docker build target stage for multi-stage builds'
type: string
required: false
default: ''
push_enabled:
description: 'Enable pushing to registry (default: auto-detect tags)'
type: boolean
required: false
scan_enabled:
description: 'Enable Trivy scanning (default: auto-detect if secrets present)'
type: boolean
required: false
runs-on:
type: string
required: false
default: '["self-hosted", "ubuntu-22.04"]'
secrets:
HARBOR_USERNAME:
description: 'Harbor registry username'
required: false
HARBOR_PASSWORD:
description: 'Harbor registry password'
required: false
DOCKERHUB_USERNAME:
description: 'DockerHub username for login (optional)'
required: false
DOCKERHUB_PASSWORD:
description: 'DockerHub password (required if DOCKERHUB_USERNAME is provided)'
required: false
SSH_PRIVATE_KEY:
description: 'SSH private key for accessing private repositories (optional)'
required: false
TRIVY_EXPLORER_AUTH_TOKEN:
description: 'Authentication token for Trivy Explorer'
required: false
TRIVY_EXPLORER_URL:
description: 'URL for Trivy Explorer'
required: false
permissions:
contents: read
jobs:
build-push-scan:
name: Build, Push and Scan Docker
runs-on: ${{ fromJSON(inputs.runs-on) }}
timeout-minutes: 30
outputs:
image_digest: ${{ steps.build.outputs.digest }}
image_tags: ${{ steps.meta.outputs.tags }}
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
# Auto-detect push: enabled for tags, disabled otherwise (unless explicitly set)
PUSH_ENABLED: ${{ inputs.push_enabled != '' && inputs.push_enabled || startsWith(github.ref, 'refs/tags/') }}
# Auto-detect scan: enabled if Trivy secrets are present (unless explicitly disabled)
SCAN_ENABLED: ${{ inputs.scan_enabled != '' && inputs.scan_enabled || (secrets.TRIVY_EXPLORER_URL != '' && secrets.TRIVY_EXPLORER_AUTH_TOKEN != '') }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: |
image=moby/buildkit:v0.13.0
- name: Log in to Harbor Registry
if: env.PUSH_ENABLED == 'true'
uses: docker/login-action@v3
with:
registry: ${{ inputs.registry }}
username: ${{ secrets.HARBOR_USERNAME }}
password: ${{ secrets.HARBOR_PASSWORD }}
- name: Login to DockerHub
if: env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_PASSWORD != ''
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Install SSH Agent
if: ${{ env.SSH_PRIVATE_KEY != '' }}
run: sudo apt-get update && sudo apt-get install -y openssh-client
- name: Configure Git to Access Private Modules
if: ${{ env.SSH_PRIVATE_KEY != '' }}
uses: webfactory/ssh-agent@v0.5.4
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ inputs.registry }}/${{ inputs.organization }}/${{ inputs.image_name }}
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{version}},prefix=v
type=semver,pattern={{major}}.{{minor}},prefix=v
type=semver,pattern=latest
type=raw,value=edge,enable={{is_default_branch}}
type=sha,prefix=sha-
- name: Build and conditionally push image
id: build
uses: docker/build-push-action@v5
with:
context: ${{ inputs.context_path }}
file: ${{ inputs.dockerfile_path }}
target: ${{ inputs.build_target }}
ssh: ${{ env.SSH_PRIVATE_KEY != '' && format('default={0}', env.SSH_AUTH_SOCK) || '' }}
push: ${{ env.PUSH_ENABLED == 'true' }}
load: ${{ env.SCAN_ENABLED == 'true' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: |
type=gha,scope=${{ inputs.image_name }}
type=registry,ref=${{ inputs.registry }}/${{ inputs.organization }}/${{ inputs.image_name }}:buildcache,image-manifest=true
cache-to: |
type=gha,mode=max,scope=${{ inputs.image_name }},ignore-error=true
type=registry,ref=${{ inputs.registry }}/${{ inputs.organization }}/${{ inputs.image_name }}:buildcache,mode=max,image-manifest=true,ignore-error=true
platforms: ${{ inputs.platforms }}
build-args: ${{ inputs.build-args }}
provenance: false
sbom: false
- name: Output build summary
run: |
echo "Build Summary:" >> $GITHUB_STEP_SUMMARY
echo "- Image: ${{ inputs.registry }}/${{ inputs.organization }}/${{ inputs.image_name }}" >> $GITHUB_STEP_SUMMARY
echo "- Push enabled: ${{ env.PUSH_ENABLED }}" >> $GITHUB_STEP_SUMMARY
echo "- Scan enabled: ${{ env.SCAN_ENABLED }}" >> $GITHUB_STEP_SUMMARY
echo "- Platforms: ${{ inputs.platforms }}" >> $GITHUB_STEP_SUMMARY
if [ "${{ env.PUSH_ENABLED }}" == "true" ]; then
echo "- Image digest: ${{ steps.build.outputs.digest }}" >> $GITHUB_STEP_SUMMARY
fi
- name: Generate Unique Identifier
if: env.SCAN_ENABLED == 'true'
id: generate-uuid
run: echo "UUID=$(cat /proc/sys/kernel/random/uuid)" >> "$GITHUB_ENV"
- name: Get SHA image tag for scanning
if: env.SCAN_ENABLED == 'true'
id: sha-tag
run: |
SHA_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep ":sha-" | head -1)
echo "value=$SHA_TAG" >> "$GITHUB_OUTPUT"
- name: Run Trivy on Docker Image
if: env.SCAN_ENABLED == 'true'
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.sha-tag.outputs.value }}
ignore-unfixed: true
format: "json"
output: "/tmp/${{ env.UUID }}.json"
severity: "CRITICAL,HIGH"
- name: Upload Trivy results to Trivy Explorer
if: env.SCAN_ENABLED == 'true'
id: upload_trivy
run: |
RESPONSE=$(curl -s -H "Content-Type: application/json" -H "Authorization: ${{ secrets.TRIVY_EXPLORER_AUTH_TOKEN }}" --data "@/tmp/${{ env.UUID }}.json" ${{ secrets.TRIVY_EXPLORER_URL }})
echo "Response: $RESPONSE"
REPORT_URL=$(echo "$RESPONSE" | jq -r '.url')
echo "report_url=$REPORT_URL" >> "$GITHUB_OUTPUT"
- name: Add Trivy Report Link to Job Summary
if: env.SCAN_ENABLED == 'true'
run: |
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "## Trivy Security Scan" >> "$GITHUB_STEP_SUMMARY"
echo "A security scan report has been generated." >> "$GITHUB_STEP_SUMMARY"
echo "[View Detailed Report](${{ steps.upload_trivy.outputs.report_url }})" >> "$GITHUB_STEP_SUMMARY"