-
Notifications
You must be signed in to change notification settings - Fork 54
181 lines (159 loc) · 6.12 KB
/
docker-image.yml
File metadata and controls
181 lines (159 loc) · 6.12 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
name: Docker Image CI
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
workflow_dispatch:
inputs:
misp_ref:
description: 'MISP branch or tag to build'
required: true
default: 'develop'
env:
REGISTRY_IMAGE: ghcr.io/nukib/misp
BUCKET_NAME: testbucket
MINIO_ROOT_USER: testuser
MINIO_ROOT_PASSWORD: i5Qkesr8fbV0Vezn0zojaIyKvnObUtNMXFu38wlT
jobs:
build:
runs-on: ${{ matrix.runner }}
strategy:
matrix:
runner: [ ubuntu-24.04-arm, ubuntu-latest ]
timeout-minutes: 60
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Fetch variables
run: for v in $(python3 .github/workflows/docker-version.py ${{ github.event.inputs.misp_ref }}); do echo $v >> $GITHUB_ENV; done
id: variables
- name: Cache Docker layers
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-${{ runner.arch }}-buildx-
- name: Build Docker image
uses: docker/build-push-action@v6
with:
context: .
load: true
tags: |
${{ env.REGISTRY_IMAGE }}
nukib/misp
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
build-args: |
CACHEBUST=${{ env.MISP_COMMIT }}
MISP_VERSION=${{ env.MISP_VERSION }}
- name: Image history and inspect
run: |
docker inspect ${{ env.REGISTRY_IMAGE }}
docker history ${{ env.REGISTRY_IMAGE }}
- name: Start contains for testing
env:
BUCKET_NAME: ${{ env.BUCKET_NAME }}
S3_ACCESS_KEY: ${{ env.MINIO_ROOT_USER }}
S3_SECRET_KEY: ${{ env.MINIO_ROOT_PASSWORD }}
run: |
cp .github/workflows/test/.test-env.sh ./.env_s3
MISP_IMAGE=${{ env.REGISTRY_IMAGE }} docker compose up --detach --quiet-pull
python3 .github/workflows/wait.py http://127.0.0.1:8080 # Wait until MISP container is ready
- name: Show MISP container logs
if: always()
run: |
docker ps -a
docker logs misp
- name: Test
env:
MISP_USER: admin@admin.test # default user
BUCKET_NAME: ${{ env.BUCKET_NAME }}
S3_ACCESS_KEY: ${{ env.MINIO_ROOT_USER }}
S3_SECRET_KEY: ${{ env.MINIO_ROOT_PASSWORD }}
run: |
docker exec misp su-exec apache /var/www/MISP/app/Console/cake user init # Ensure default user init
AUTHKEY=$(docker exec misp su-exec apache /var/www/MISP/app/Console/cake user change_authkey $MISP_USER | sed -n -e 's/Authentication key changed to: //p')
VERSION=$(curl --fail -v -H "Authorization: $AUTHKEY" -H "Accept: application/json" http://127.0.0.1:8080/servers/getVersion)
echo $VERSION | jq
.github/workflows/test/test_minio.sh $S3_ACCESS_KEY $S3_SECRET_KEY $BUCKET_NAME $AUTHKEY
docker restart misp # Also test restart
python3 .github/workflows/wait.py http://127.0.0.1:8080 # Wait until MISP container is ready
curl --fail -v -H "Authorization: $AUTHKEY" -H "Accept: application/json" http://127.0.0.1:8080/servers/getVersion
docker compose down
# Temp fix
# https://github.com/docker/build-push-action/issues/252
# https://github.com/moby/buildkit/issues/1896
- name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
du -sh /tmp/.buildx-cache
- name: Login to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to DockerHub
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
username: nukib
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Push by digest
if: github.event_name != 'pull_request'
id: build
uses: docker/build-push-action@v6
with:
tags: |
${{ env.REGISTRY_IMAGE }}
nukib/misp
outputs: type=image,push-by-digest=true,name-canonical=true,push=true
- name: Export digest
if: github.event_name != 'pull_request'
run: |
mkdir -p ${{ runner.temp }}/digests
digest="${{ steps.build.outputs.digest }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}"
- name: Upload digest
if: github.event_name != 'pull_request'
uses: actions/upload-artifact@v4
with:
name: digests-${{ runner.arch == 'X64' && 'amd64' || 'arm64' }}
path: ${{ runner.temp }}/digests/*
if-no-files-found: error
retention-days: 1
push:
runs-on: ubuntu-latest
needs: build
if: github.event_name != 'pull_request'
steps:
- name: Download digests
uses: actions/download-artifact@v4
with:
path: ${{ runner.temp }}/digests
pattern: digests-*
merge-multiple: true
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: nukib
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Create manifest list and push
working-directory: ${{ runner.temp }}/digests
run: |
docker buildx imagetools create --tag ${{ env.REGISTRY_IMAGE }}:latest $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
docker buildx imagetools create --tag nukib/misp:latest $(printf 'nukib/misp@sha256:%s ' *)