Add workflows for building and promoting security images

hlebkanonik · hlebkanonik · commit f950a067de10 · 2026-04-27T12:39:15.000+02:00
- Introduced `build-security-image.yaml` to automate the building of security Docker images on pushes to branches prefixed with 'secure/'.
- Added `promote-security-image.yaml` to extract image tags from pull request titles and promote images to GCP Artifact Registry upon approval of pull requests targeting 'master' or 'main' from 'secure/' branches.
diff --git a/.github/workflows/build-security-image.yaml b/.github/workflows/build-security-image.yaml
@@ -0,0 +1,42 @@
+name: Build Security Image
+
+on:
+  push:
+    branches:
+      - 'secure/*'
+  create:
+
+jobs:
+  variables-setup:
+    name: Setting variables for docker build
+    runs-on: ubuntu-latest
+    if: >-
+      github.event_name == 'push' ||
+      (
+        github.event_name == 'create' &&
+        github.event.ref_type == 'branch' &&
+        startsWith(github.ref_name, 'secure/')
+      )
+    steps:
+      - name: Create variables
+        id: vars
+        run: |
+          echo "image-tag=$(echo '${{ github.ref_name }}' | sed 's|secure/||')" >> $GITHUB_OUTPUT
+          echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+    outputs:
+      image-tag: ${{ steps.vars.outputs.image-tag }}
+      date: ${{ steps.vars.outputs.date }}
+
+  build-security-image:
+    name: Build security Docker image
+    needs: variables-setup
+    uses: reportportal/.github/.github/workflows/build-docker-image.yaml@main
+    with:
+      aws-region: ${{ vars.AWS_REGION }}
+      build-platforms: ${{ vars.BUILD_PLATFORMS || 'linux/amd64,linux/arm64' }}
+      image-tag: ${{ needs.variables-setup.outputs.image-tag }}
+      release-mode: false
+      additional-tag: 'secure-latest'
+      date: ${{ needs.variables-setup.outputs.date }}
+      runs-on: ubuntu-latest
+    secrets: inherit
diff --git a/.github/workflows/dockerhub-release.yaml b/.github/workflows/dockerhub-release.yaml
@@ -17,7 +17,10 @@ jobs:
     name: Retag and push image 
     runs-on: ubuntu-latest
     environment: rc
-    if: github.event.review.state == 'approved' && (github.event.pull_request.base.ref == 'master' || github.event.pull_request.base.ref == 'main')
+    if: >
+      github.event.review.state == 'approved' &&
+      (github.event.pull_request.base.ref == 'master' || github.event.pull_request.base.ref == 'main') &&
+      (startsWith(github.event.pull_request.head.ref, 'rc/') || startsWith(github.event.pull_request.head.ref, 'hotfix/'))
     steps:
       - name: Checkout
         uses: actions/checkout@v3
diff --git a/.github/workflows/promote-security-image.yaml b/.github/workflows/promote-security-image.yaml
@@ -0,0 +1,45 @@
+name: Promote Security Image
+
+on:
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  extract-image-tag:
+    name: Extract image tag from PR title
+    if: >-
+      github.event.review.state == 'approved' &&
+      startsWith(github.event.pull_request.head.ref, 'secure/') &&
+      (github.event.pull_request.base.ref == 'master' || github.event.pull_request.base.ref == 'main')
+    runs-on: ubuntu-latest
+    outputs:
+      image-tag: ${{ steps.extract.outputs.image-tag }}
+    steps:
+      - name: Extract image tag from PR title
+        id: extract
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
+        run: |
+          NORM=$(echo "${PR_TITLE}" | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+)[[:space:]]+[rR]([0-9]+)/\1-r\2/g')
+          IMAGE_TAG=$(echo "${NORM}" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+-r[0-9]+' | tail -1)
+          if [ -z "${IMAGE_TAG}" ]; then
+            echo "::error::Could not extract a version tag (x.x.x-rN or x.x.x rN) from PR title: '${PR_TITLE}'"
+            exit 1
+          fi
+          echo "image-tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
+          echo "Extracted image tag: ${IMAGE_TAG}"
+
+  promote-to-gcr:
+    name: Promote ${{ github.event.repository.name }} to GCP Artifact Registry
+    needs: extract-image-tag
+    uses: reportportal/.github/.github/workflows/promote-ecr-to-gcr.yaml@main
+    with:
+      service: ${{ github.event.repository.name }}
+      image-tag: ${{ needs.extract-image-tag.outputs.image-tag }}
+      aws-region: ${{ vars.AWS_REGION }}
+    secrets:
+      AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
+      GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+      GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+      GCR_REGION: ${{ secrets.GCR_REGION }}
+      GCP_PROJECT: ${{ secrets.GCP_PROJECT }}
