diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 7384bce..49335bb 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -22,25 +22,6 @@ on:
 description: If provided, runs a script after repo checkout and before the docker image is built. Useful in case that you need to build a package outside of the docker image (and load the artifacts via copy).
 default: ""
 type: string
- registryHostname:
- required: false
- description: The hostname for the container registry
- default: ghcr.io
- type: string
- registryOrg:
- required: false
- description: The registry organization
- default: parcellab
- type: string
- registryUsername:
- required: false
- description: The username for the container registry
- default: parcellab-dev-bot
- type: string
- repository_kind:
- required: false
- description: Using as a dummy, to be removed in the future versions
- type: string
 enableContainerScan:
 required: false
 description: Apply the container scan
diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml
index 5494aaf..dde7d48 100644
--- a/.github/workflows/container.yaml
+++ b/.github/workflows/container.yaml
@@ -2,11 +2,20 @@ name: Reusable Container
 on:
 workflow_call:
 inputs:
+ appName:
+ required: true
+ description: The container image name
+ type: string
 contextPath:
 required: false
 description: The container context to build the image
 default: .
 type: string
+ enableContainerScan:
+ required: false
+ description: Apply the container scan
+ default: true
+ type: boolean
 extraBuildArgs:
 required: false
 description: Extra build arguments for building the docker image (KEY=VALUE separated by new lines)
@@ -17,25 +26,6 @@ on:
 description: The file path for the Container image
 default: Containerfile
 type: string
- name:
- required: true
- description: The container image name
- type: string
- registryHostname:
- required: false
- description: The hostname for the container registry
- default: ghcr.io
- type: string
- registryOrg:
- required: false
- description: The registry organization
- default: parcellab
- type: string
- registryUsername:
- required: false
- description: The username for the container registry
- default: parcellab-dev-bot
- type: string
 runner:
 required: false
 description: Runner type
@@ -49,38 +39,64 @@ on:
 npmGithubReadToken:
 required: false
 description: The Github token with permissions to read NPM private packages
- registryPassword:
+ AWS_ROLE_TO_ASSUME:
 required: true
- description: The password for the container registry
+ description: AWS OIDC role for GitHub to assume
+
 jobs:
- container:
+ build-ecr-single:
+ permissions:
+ id-token: write
+ contents: read
 runs-on: ${{ inputs.runner }}
 steps:
 - name: Checkout current git repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
- - name: Login to Container Registry
- uses: docker/login-action@v1
+ uses: docker/setup-buildx-action@v2
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v2
 with:
- registry: ${{ inputs.registryHostname }}
- username: ${{ inputs.registryUsername }}
- password: ${{ secrets.registryPassword }}
- - name: Build and push latest version
- uses: docker/build-push-action@v4
+ aws-region: eu-central-1
+ role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+ - name: Create ECR repository if it doesn't exist
+ run: |
+ aws ecr describe-repositories --repository-names ${{ inputs.appName }} || \
+ aws ecr create-repository --repository-name ${{ inputs.appName }}
+ LIFECYCLE_POLICY='{"rules":[{"rulePriority":1,"description":"Keep last 500 images","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":500},"action":{"type":"expire"}}]}'
+ aws ecr put-lifecycle-policy --repository-name ${{ inputs.appName }} --lifecycle-policy-text "$LIFECYCLE_POLICY"
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+ - name: Build image
+ uses: docker/build-push-action@v6
 with:
 build-args: |
 GITHUB_SHA=${{ github.sha }}
- NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}
 VERSION=${{ inputs.version }}
+ NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}
 ${{ inputs.extraBuildArgs }}
- cache-from: type=registry,ref=${{ 
inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ inputs.name }}
- cache-to: type=inline
+ cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}:cache
+ cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}:cache
 context: ${{ inputs.contextPath }}
+ load: true
 file: ${{ inputs.filePath }}
 platforms: linux/amd64
- push: true
 tags: |
- ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ inputs.name }}:latest
- ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ inputs.name }}:${{ inputs.version }}
- ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ inputs.name }}:${{ github.sha }}
+ ${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}:latest
+ ${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}:${{ inputs.version }}
+ ${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}:${{ github.sha }}
+ - name: Scan for vulnerabilities
+ if: inputs.enableContainerScan
+ uses: crazy-max/ghaction-container-scan@v3
+ with:
+ image: ${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}:latest
+ dockerfile: Containerfile
+ severity: ${{ env.IMAGE_SCAN_SEVERITY }}
+ severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
+ annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
+ env:
+ TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
+ - name: Push image to ECR
+ run: |
+ docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index ece1856..761c0e4 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
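Review bot: `inputs.appName` is expanded directly into the shell text of the `Create ECR repository if it doesn't exist` and `Push image to ECR` steps (`run: aws ecr describe-repositories --repository-names ${{ inputs.appName }} || \ …`), so whatever a calling workflow supplies is parsed by the shell rather than handed to the CLI as one argument; route the value through a step-level `env:` and quote it as `"$APP_NAME"`, as sketched below. The scan step hard-codes `dockerfile: Containerfile` while the build reads `file: ${{ inputs.filePath }}`, so a caller that overrides `filePath` gets scan annotations against the wrong file — `dockerfile: ${{ inputs.filePath }}` keeps the two in step. `IMAGE_SCAN_SEVERITY`, `IMAGE_SCAN_SEVERITY_THRESHOLD`, `IMAGE_SCAN_ANNOTATIONS` and `IMAGE_SCAN_TRIVY_TIMEOUT` are read from `env` but are not defined anywhere in this hunk, so presumably a workflow-level `env:` outside it provides them; worth confirming, since an undefined one silently expands to an empty string. Every `uses:` here is pinned only to a major tag (`@v2`, `@v3`, `@v6`); pinning to a full commit SHA would protect the build against a retargeted tag. The `on:` block the first lines of this hunk belong to starts before the hunk.
```yaml
      - name: Create ECR repository if it doesn't exist
        env:
          APP_NAME: ${{ inputs.appName }}
        run: |
          aws ecr describe-repositories --repository-names "$APP_NAME" || \
            aws ecr create-repository --repository-name "$APP_NAME"
          LIFECYCLE_POLICY='{"rules":[{"rulePriority":1,"description":"Keep last 500 images","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":500},"action":{"type":"expire"}}]}'
          aws ecr put-lifecycle-policy --repository-name "$APP_NAME" --lifecycle-policy-text "$LIFECYCLE_POLICY"
      # … unchanged: Login to Amazon ECR, Build image, Scan for vulnerabilities …
      - name: Push image to ECR
        env:
          APP_NAME: ${{ inputs.appName }}
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        run: |
          docker push -a "$REGISTRY/$APP_NAME"
```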
@@ -42,16 +42,6 @@ on:
 description: If provided, runs a script after repo checkout and before the docker image is built. Useful in case that you need to build a package outside of the docker image (and load the artifacts via copy).
 default: ""
 type: string
- registryHostname:
- required: false
- description: The hostname for the container registry
- default: ghcr.io
- type: string
- registryOrg:
- required: false
- description: The registry organization
- default: parcellab
- type: string
 registryUsername:
 required: false
 description: The username for the container registry
@@ -178,8 +168,6 @@ jobs:
 artifactPath: ${{ inputs.artifactPath }}
 imageTargets: ${{ inputs.imageTargets }}
 preScript: ${{ inputs.preScript }}
- registryHostname: ${{ inputs.registryHostname }}
- registryOrg: ${{ inputs.registryOrg }}
 registryUsername: ${{ inputs.registryUsername }}
 enableContainerScan: ${{ inputs.enableContainerScan }}
 runner: ${{ inputs.runner }}
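Review bot: The `with:` block at old line 178 still passes `registryUsername: ${{ inputs.registryUsername }}` after `registryHostname` and `registryOrg` are dropped from it, yet the build-image.yaml hunk in this same commit removes the `registryUsername` input alongside those two. If this block is the call into build-image.yaml — its remaining keys (artifactPath, imageTargets, preScript, enableContainerScan, runner) match that workflow's inputs — GitHub Actions rejects the run at validation time, because a reusable workflow may only be passed inputs it declares. Dropping the `registryUsername: ${{ inputs.registryUsername }}` line here, or keeping the input declared in build-image.yaml, resolves it; the `registryUsername` input that the first hunk keeps in kubernetes.yaml's own `on:` block can stay if another consumer still reads it. The job and the `with:` mapping this hunk belongs to start before the hunk.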