refactoring multi-target build to use docker bake and docker build cl… #659
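# Builds the multi-platform Heimdall server image with docker bake, pushes it
# to Docker Hub, resolves the pushed image's digest, and hands that digest to
# the Iron Bank release action so the hardening manifest pins an immutable
# image reference rather than a mutable tag.
name: Push Heimdall Server to Docker Hub on every merge to master and tag as latest
on:
  push:
    branches: [master, multi-platform-build]

# Least privilege: the GITHUB_TOKEN only needs to read the repository. The
# registry and Iron Bank credentials are supplied through vars/secrets below.
permissions:
  contents: read

jobs:
  docker:
    name: Build and Push to Docker Hub
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions are pinned to major-version tags
      # (@v5, @v3, @v1); pinning to a full commit SHA would make the action
      # supply chain reproducible and tamper-evident.
      - name: Checkout the Heimdall Repository
        uses: actions/checkout@v5

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}

      # Remote (cloud) builder so the multi-platform targets are not built on
      # the runner itself.
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver: cloud
          endpoint: "mitre/mitre-builder"

      - name: Build and push multi-platform server image
        uses: docker/bake-action@v5
        env:
          # Read by docker-bake.hcl (not shown here); presumably used to tag
          # the image as mitre/heimdall2:<sha>, which the later steps pull and
          # re-tag — verify against the bake file.
          TAG_SUFFIX: ${{ github.sha }}
        with:
          files: docker-bake.hcl
          targets: server-ci
          push: true

      # Only the feature branch gets a branch-named tag; master is tagged by
      # the bake target.
      - name: Create branch-specific tag
        if: github.ref == 'refs/heads/multi-platform-build'
        run: |
          docker buildx imagetools create -t mitre/heimdall2:multi-platform-build \
            mitre/heimdall2:${{ github.sha }}

      # Resolves the registry digest of the image just pushed and exports it
      # as DOCKER_SHA for the Iron Bank step. Fails the job if the digest
      # cannot be determined, instead of writing an empty reference into the
      # hardening manifest.
      - name: Get Docker SHA for Iron Bank
        shell: bash
        id: get-docker-sha
        run: |
          # The registry can briefly lag behind the push; retry the pull a
          # few times before giving up.
          MAX_RETRIES=5
          RETRY_DELAY=0.5 # in seconds
          RETRY_COUNT=0
          SUCCESS=false
          while [ "$RETRY_COUNT" -lt "$MAX_RETRIES" ]; do
            if docker pull mitre/heimdall2:${{ github.sha }}; then
              SUCCESS=true
              break
            else
              RETRY_COUNT="$((RETRY_COUNT + 1))"
              echo "Retry $RETRY_COUNT/$MAX_RETRIES: Docker pull failed. Retrying in $RETRY_DELAY seconds..."
              sleep "$RETRY_DELAY"
            fi
          done
          if [ "$SUCCESS" != true ]; then
            echo "Docker pull failed after $MAX_RETRIES attempts."
            exit 1
          fi
          # RepoDigests entries look like <repo>@sha256:<hex>; keep only the
          # part after '@'.
          DOCKER_SHA="$(docker inspect --format='{{index .RepoDigests 0}}' mitre/heimdall2:${{ github.sha }} | cut -d '@' -f 2)"
          # The value is spliced into the Iron Bank manifest as an image URL,
          # so refuse anything that is not a sha256 digest reference.
          case "$DOCKER_SHA" in
            sha256:*) ;;
            *)
              echo "Could not determine the image digest for mitre/heimdall2:${{ github.sha }} (got '$DOCKER_SHA')."
              exit 1
              ;;
          esac
          echo "DOCKER_SHA=$DOCKER_SHA" >> "$GITHUB_ENV"

      # NOTE(review): this step is not gated on the branch, so a push to
      # multi-platform-build also triggers an Iron Bank upgrade while that
      # branch is in the trigger list — confirm that is intended.
      - name: Upgrade Iron Bank
        uses: mitre/ironbank_release_action@v1
        with:
          name: Heimdall
          version: ${{ github.sha }}
          ironbank_pat: ${{ secrets.SAF_IRONBANK_REPO1_PAT }}
          ironbank_username: ${{ secrets.SAF_IRONBANK_REPO1_USERNAME }}
          ironbank_project_id: "17076"
          ironbank_project_clone_url: repo1.dso.mil/dsop/mitre/security-automation-framework/heimdall2-mainline.git
          git_commit_author_name: "Automated Heimdall Release"
          git_commit_author_email: "saf@mitre.org"
          # Commands the action runs inside the cloned Iron Bank repo: pin the
          # manifest to this commit's tag and to the immutable digest resolved
          # above, and bump the Dockerfile's HEIMDALL_VERSION build arg.
          # NOTE(review): the backslash-escaped quotes pass through the block
          # scalar literally; whether the action unescapes them is not visible
          # here, so they are left exactly as written.
          update_commands: |
            yq e -i '.args.HEIMDALL_VERSION=\"${{ github.sha }}\" | .tags[0]=\"${{ github.sha }}\" | .labels.\"org.opencontainers.image.version\"=\"${{ github.sha }}\" | .resources[1].tag=\"mitre/heimdall2:${{ github.sha }}\" | .resources[1].url=\"docker://docker.io/mitre/heimdall2@${{ env.DOCKER_SHA }}\"' hardening_manifest.yaml
            sed -i s/HEIMDALL_VERSION=\.\*/HEIMDALL_VERSION=${{ github.sha }}/ Dockerfile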