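# Reusable workflow: builds the Sleeper CLI dependency image, scans it with
# Trivy, hands it on as an artifact, then fans out to docker-cli-image.yaml
# for the builder and environment images.
#
# Supply-chain note: every third-party action below is referenced by a
# mutable tag (@v3, @v6, @0.34.0, ...). Pinning each to a full commit SHA
# (with the tag in a trailing comment) is the recommended hardening; the
# SHAs are not reproduced here because they must be looked up at pin time.
on:
  workflow_call:
    inputs:
      pushImages:
        # Forwarded unchanged to the called image workflows; when false the
        # builder/environment images are built but not published.
        default: false
        required: false
        type: boolean

env:
  DOCKER_PLATFORMS: linux/amd64,linux/arm64/v8
  # Ephemeral, job-local registry (see the `registry` service below); nothing
  # under this tag leaves the runner except via the uploaded tarball.
  DEPENDENCIES_IMAGE: localhost:5000/sleeper-dependencies:current
  BUILD_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
  # Trivy suppressions live in-repo so every ignore is reviewable in git.
  TRIVY_IGNOREFILE: code-style/.trivyignore.cli.yaml
  # Print suppressed findings in the report so ignores stay visible, not silent.
  TRIVY_SHOW_SUPPRESSED: "true"

jobs:
  setup:
    runs-on: ubuntu-latest
    # Least privilege: this job only reads the checkout, pushes to the local
    # registry and uploads an artifact, so GITHUB_TOKEN needs no write scope.
    # (A called workflow can only narrow what the caller granted.)
    permissions:
      contents: read
    services:
      # Plain-HTTP registry bound to localhost only; acceptable because it is
      # unreachable from outside the runner and discarded with the job.
      registry:
        image: registry:2
        ports:
          - "5000:5000"
    steps:
      - uses: actions/checkout@v3
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          # Host networking so the BuildKit container can reach localhost:5000.
          driver-opts: network=host
      - name: Plan build
        id: plan
        # Pass context values through env vars rather than interpolating
        # `${{ }}` into the script: expressions are substituted before the
        # shell parses the line, so surrounding quotes do not neutralise a
        # ref containing `"`, `$` or backticks.
        env:
          REPOSITORY_OWNER: ${{ github.repository_owner }}
          GIT_REF: ${{ github.ref }}
        run: |
          ./.github/scripts/planCliBuild.sh \
            "$REPOSITORY_OWNER" \
            "$GIT_REF"
      - name: Build Docker dependencies
        uses: docker/build-push-action@v6
        with:
          context: ./scripts/cli/dependencies
          push: true
          # Attestations are disabled for this intermediate image. Presumably
          # this keeps the pushed manifest a plain multi-arch index for the
          # pull/save steps below — confirm before re-enabling either flag.
          sbom: false
          provenance: false
          tags: ${{ env.DEPENDENCIES_IMAGE }}
          platforms: ${{ env.DOCKER_PLATFORMS }}
          labels: |
            git-commit=${{ github.sha }}
            build-url=${{ env.BUILD_URL }}
      - name: Pull dependencies image from registry
        # NOTE: `docker pull` resolves the multi-arch index to the runner's own
        # platform, so the scan and tarball below cover that platform only.
        run: docker pull "$DEPENDENCIES_IMAGE"
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.34.0
        with:
          image-ref: ${{ env.DEPENDENCIES_IMAGE }}
          format: 'table'
          # Fail the job on any unsuppressed finding.
          exit-code: '1'
          # Findings without an upstream fix are hidden; they are not gone.
          ignore-unfixed: true
          # `latest` makes scan results non-reproducible between runs; pin a
          # Trivy release here once one has been validated.
          version: latest
      - name: Save dependencies image to tarball
        run: docker save "$DEPENDENCIES_IMAGE" --output /tmp/dependencies-image.tar
      - name: Upload dependencies image as artifact
        uses: actions/upload-artifact@v5
        with:
          name: dependencies-image
          path: /tmp/dependencies-image.tar
    outputs:
      builderTag: ${{ steps.plan.outputs.builderTag }}
      envTag: ${{ steps.plan.outputs.envTag }}
      # deployTag/deployPackage are not consumed by a job in this file;
      # presumably kept for a deploy image workflow — verify before removing.
      deployTag: ${{ steps.plan.outputs.deployTag }}
      builderPackage: ${{ steps.plan.outputs.builderPackage }}
      envPackage: ${{ steps.plan.outputs.envPackage }}
      deployPackage: ${{ steps.plan.outputs.deployPackage }}
      platforms: ${{ env.DOCKER_PLATFORMS }}
      buildUrl: ${{ env.BUILD_URL }}

  builder:
    needs: setup
    uses: ./.github/workflows/docker-cli-image.yaml
    with:
      pushImages: ${{ inputs.pushImages }}
      context: ./scripts/cli/builder
      pushTag: ${{ needs.setup.outputs.builderTag }}
      packageName: ${{ needs.setup.outputs.builderPackage }}
      platforms: ${{ needs.setup.outputs.platforms }}
      buildUrl: ${{ needs.setup.outputs.buildUrl }}
      # The builder image is too big, Trivy runs out of disk space in the
      # GitHub Actions runner. NOTE(review): this means the builder image is
      # published unscanned when pushImages is true; freeing runner disk or
      # scanning it from a saved tarball would close that gap.
      runTrivy: false

  environment:
    needs: setup
    uses: ./.github/workflows/docker-cli-image.yaml
    with:
      mavenCmd: ./scripts/cli/environment/buildMaven.sh package -Pquick -DskipRust --batch-mode -Dmaven.repo.local=../.m2/repository
      pushImages: ${{ inputs.pushImages }}
      context: ./scripts/cli/environment
      pushTag: ${{ needs.setup.outputs.envTag }}
      packageName: ${{ needs.setup.outputs.envPackage }}
      platforms: ${{ needs.setup.outputs.platforms }}
      buildUrl: ${{ needs.setup.outputs.buildUrl }}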