github-actions-workflows/.github/workflows/build_container_image.yml at main · FlowFuse/github-actions-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
name: Build container image

on:
  workflow_call:
    inputs:
      aws_access_key_id:
        description: 'AWS access key ID'
        type: string
        required: false
      build_arguments:
        description: 'Build arguments'
        type: string
        required: false
        default: ''
      build_context:
        description: 'Path to the build context'
        type: string
        required: true
      build_platform:
        description: 'Platform to build the image for'
        type: string
        required: false
        default: 'linux/amd64'
      dockerfile_path:
        description: 'Path to the Dockerfile, within $build_context, used for image build'
        type: string
        required: false
        default: 'Dockerfile'
      image_name:
        description: 'Name of the image to build'
        required: true
        type: string
      image_tag_prefix:
        description: 'Prefix for the image tag'
        required: false
        type: string
        default: ''
      npm_registry_url:
        description: 'NPM registry URL'
        type: string
        required: false
        default: registry.npmjs.org
      package_dependencies:
        description: 'List of dependencies to update'
        type: string
        required: false
        default: ''
      scan_image:
        description: 'Scan the image for vulnerabilities'
        type: boolean
        default: false
    secrets:
      temporary_registry_token:
        description: 'GitHub token'
        required: true
    outputs:
      image:
        description: 'Full image tag'
        value: ${{ jobs.build.outputs.image }}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: write
      checks: write
      pull-requests: write
      security-events: write
    outputs:
      image: ${{ steps.set_outputs.outputs.image }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0

      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Set release name and image tag
        run: |
          echo "release_name=nightly" >> $GITHUB_ENV
          echo "repository_owner_lower=${GITHUB_REPOSITORY_OWNER,,}" >> $GITHUB_ENV

      - name: Set build tag
        if: |
          env.release_name == 'nightly' &&
          inputs.image_name == 'node-red'
        run:
          if [ "${{ env.release_name }}" == "nightly" ]; then
            echo "build_tag=nightly" >> $GITHUB_ENV ;
          else
            echo "build_tag=latest" >> $GITHUB_ENV ;
          fi

      - name: Set dependecies versions
        if: ${{ inputs.package_dependencies != '' }}
        working-directory: ${{ inputs.build_context }}
        run: |
          echo "## Packages used to build image" >> $GITHUB_STEP_SUMMARY
          for dependency in $(echo "${{ inputs.package_dependencies }}" | tr '\n' ' ')
          do
            dependency_name=$(echo $dependency | cut -d'=' -f1)
            dependency_version=$(echo $dependency | cut -d'=' -f2)
            if [ "$dependency_name" == "$dependency_version" ]; then
              dependency_version="latest"
            fi
            dependency_semver=$(npm view $dependency_name dist-tags --json | jq -r --arg version "$dependency_version" '.[$version]')
            echo "Setting $dependency_name to $dependency_version"
            npm pkg set dependencies.$dependency_name=$dependency_semver
            echo "### :package: $dependency_name version: $dependency_semver" >> $GITHUB_STEP_SUMMARY
          done
          cat package.json

      - name: Login to temporary registry
        id: ghcr
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{github.actor}}
          password: ${{secrets.temporary_registry_token}}

      - name: Build container image
        id: build
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: ${{ inputs.build_context }}
          file: "${{ inputs.build_context }}/${{ inputs.dockerfile_path }}"
          tags: "ghcr.io/${{ env.repository_owner_lower }}/${{ inputs.image_name }}:${{ inputs.image_tag_prefix }}main"
          platforms: ${{ inputs.build_platform}}
          load: true
          push: true
          provenance: false
          build-args: ${{ inputs.build_arguments }}

      - name: Scan container image for vulnerabilities
        if: ${{ fromJson(inputs.scan_image) }}
        uses: flowforge/github-actions-workflows/actions/scan_container_image@main
        with:
          image_ref: "ghcr.io/${{ env.repository_owner_lower }}/${{ inputs.image_name }}:${{ inputs.image_tag_prefix }}main"
          check_name: "${{ inputs.image_name }}:${{ inputs.image_tag_prefix }}main"

      - name: Set workflow outputs
        id: set_outputs
        run: |
          echo "image=ghcr.io/${{ env.repository_owner_lower }}/${{ inputs.image_name }}:${{ inputs.image_tag_prefix }}main" >> $GITHUB_OUTPUT