diff --git a/.github/workflows/registry.yml b/.github/workflows/registry.yml
index a0a0732..4c6ab5f 100644
--- a/.github/workflows/registry.yml
+++ b/.github/workflows/registry.yml
@@ -7,122 +7,57 @@ on: jobs: build: - name: Build + name: Build and Push runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - name: Build and export - uses: docker/build-push-action@v2 - with: - context: . - tags: dnxsolutions/musketeers:latest - outputs: type=docker,dest=/tmp/musketeers.tar - - name: Upload artifact - uses: actions/upload-artifact@v2 - with: - name: musketeers - path: /tmp/musketeers.tar - ecr: - name: Push to ECR - runs-on: ubuntu-latest - needs: build - container: dnxsolutions/aws:2.1.6-dnx1 - steps: - - name: Check out the repo - uses: actions/checkout@v2 - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-access-key-id: ${{ secrets.AWS_ECR_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_ECR_SECRET_ACCESS_KEY }} - aws-region: us-east-1 - - name: Get the tag - id: get_tag - run: echo ::set-output name=tag::${GITHUB_REF#refs/tags/} - - name: Download docker artifact - uses: actions/download-artifact@v2 - with: - name: musketeers - path: /tmp - - name: Load, tag, and push image - env: - ECR_REGISTRY: public.ecr.aws - ECR_REPOSITORY: dnxsolutions/musketeers - IMAGE_TAG: ${{ steps.get_tag.outputs.tag }} - run: | - apk add docker - aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws - docker load --input /tmp/musketeers.tar - docker image ls -a - docker tag $ECR_REPOSITORY:latest $ECR_REGISTRY/$ECR_REPOSITORY:latest - docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest - docker tag $ECR_REPOSITORY:latest $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - docker-hub: - name: Push to Docker Hub - runs-on: ubuntu-latest - needs: build - steps: + - name: Docker meta + id: meta + uses: docker/metadata-action@v3 + with: + images: | + dnxsolutions/musketeers + ghcr.io/dnxlabs/musketeers + 
public.ecr.aws/dnxsolutions/musketeers + tags: | + type=raw,value=latest + type=ref,event=tag + + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 + - name: Login to DockerHub uses: docker/login-action@v1 with: username: ${{ secrets.DNX_DOCKERHUB_USERNAME }} password: ${{ secrets.DNX_DOCKERHUB_TOKEN }} - - name: Get the tag - id: get_tag - run: echo ::set-output name=tag::${GITHUB_REF#refs/tags/} - - name: Download artifact - uses: actions/download-artifact@v2 - with: - name: musketeers - path: /tmp - - name: Load, tag, and push image - env: - DOCKERHUB_REPOSITORY: dnxsolutions/musketeers - IMAGE_TAG: ${{ steps.get_tag.outputs.tag }} - run: | - docker load --input /tmp/musketeers.tar - docker image ls -a - docker push $DOCKERHUB_REPOSITORY:latest - docker tag $DOCKERHUB_REPOSITORY:latest $DOCKERHUB_REPOSITORY:$IMAGE_TAG - docker push $DOCKERHUB_REPOSITORY:$IMAGE_TAG - ghcr: - name: Push to GitHub Registry - runs-on: ubuntu-latest - needs: build - steps: - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - name: Login to GitHub Container Registry uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Get the tag - id: get_tag - run: echo ::set-output name=tag::${GITHUB_REF#refs/tags/} - - name: Download artifact - uses: actions/download-artifact@v2 + + - name: Login to Public ECR + uses: docker/login-action@v1 with: - name: musketeers - path: /tmp - - name: Load, tag, and push image + registry: public.ecr.aws + username: ${{ secrets.AWS_ECR_ACCESS_KEY_ID }} + password: ${{ secrets.AWS_ECR_SECRET_ACCESS_KEY }} env: - BASE_REPOSITORY: dnxsolutions/musketeers - GHCR_REPOSITORY: ghcr.io/dnxlabs/musketeers - IMAGE_TAG: ${{ steps.get_tag.outputs.tag }} - run: | - docker load --input /tmp/musketeers.tar - docker image ls -a - docker tag $BASE_REPOSITORY:latest $GHCR_REPOSITORY:latest - docker push 
$GHCR_REPOSITORY:latest - docker tag $GHCR_REPOSITORY:latest $GHCR_REPOSITORY:$IMAGE_TAG - docker push $GHCR_REPOSITORY:$IMAGE_TAG \ No newline at end of file + AWS_REGION: us-east-1 + + - name: Build and Push + uses: docker/build-push-action@v2 + with: + context: . + platforms: linux/arm64/v8, linux/arm/v5, linux/arm/v7, linux/368, linux/s390x, linux/ppc64le, linux/amd64, + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 1be960e..02bf3cb 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -9,17 +9,25 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 - - - name: Set tag var - id: vars - run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA} + - name: Checkout the code + uses: actions/checkout@v2 - name: Build the Docker image - run: docker build . --file Dockerfile --tag docker-kubectl:${{ steps.vars.outputs.docker_tag }} + run: docker build . --file Dockerfile --tag dnxsolutions/musketeers:latest + + - name: Scan image + uses: anchore/scan-action@v3 + id: scan + with: + image: dnxsolutions/musketeers:latest + fail-build: true + severity-cutoff: critical + acs-report-enable: true + + - name: Inspect action SARIF report + run: cat ${{ steps.scan.outputs.sarif }} - - name: Scan with Phonito Security - uses: phonito/phonito-scanner-action@master + - name: Upload Anchore Scan Report + uses: github/codeql-action/upload-sarif@v1 with: - image: docker-kubectl:${{ steps.vars.outputs.docker_tag }} - phonito-token: ${{ secrets.PHONITO_TOKEN }} \ No newline at end of file + sarif_file: ${{ steps.scan.outputs.sarif }} \ No newline at end of file
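Review bot: The `platforms` value of the new Build and Push step contains `linux/368`, which is not a Docker platform (presumably `linux/386` was meant), and ends with a trailing comma, so buildx will most likely reject the list; the line should read `platforms: linux/arm64/v8, linux/arm/v5, linux/arm/v7, linux/386, linux/s390x, linux/ppc64le, linux/amd64`. Because `push: true` is unconditional and the metadata step always emits `type=raw,value=latest`, every run of this job overwrites `latest` in all three registries, which is only right if the workflow's `on:` trigger (above the hunk, not visible here) is limited to tag pushes — otherwise gate the `latest` tag or the push on the event type. Every third-party action is referenced by a mutable major tag (`@v1`, `@v2`, `@v3`) while the job holds credentials for Docker Hub, GHCR and public ECR; pinning each `uses:` to a full commit SHA with the version in a trailing comment removes the retagged-action risk.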
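Review bot: With `fail-build: true` on the scan step, any finding at or above the cutoff fails the job before the `Inspect action SARIF report` and `Upload Anchore Scan Report` steps run, so the SARIF never reaches code scanning in exactly the case where it matters; add `if: always()` to the upload step (and to the inspect step if the log dump is wanted on failure). `severity-cutoff: critical` lets high-severity findings pass silently — if that is not the intent, `severity-cutoff: high` is the usual gate. `upload-sarif` requires the `security-events: write` permission; no `permissions:` block is visible in the hunk, so it is worth confirming the job's token permissions cover it.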