forked from repo-mirrors/cnpg-postgres-containers
c330729d7f
Build images without barman-cloud, to be used with backup plugins. Other changes: - Implement timestamp-based versioning for images - Simplify build workflows for enhanced local testing and contribution - Adopt OCI annotations and generate SBOMs for improved transparency Closes #132 Signed-off-by: Francesco Canovai <francesco.canovai@enterprisedb.com> Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com> Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com> Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com> Co-authored-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com> Co-authored-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com> Co-authored-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
147 lines
4.1 KiB
YAML
147 lines
4.1 KiB
YAML
name: Bake images
|
|
|
|
on:
|
|
schedule:
|
|
- cron: 0 8 * * 1
|
|
workflow_dispatch:
|
|
inputs:
|
|
environment:
|
|
type: choice
|
|
options:
|
|
- testing
|
|
- production
|
|
default: testing
|
|
description: "Choose the environment to bake the images for"
|
|
|
|
jobs:
|
|
# Start by building images for testing. We want to run security checks before pushing those to production.
|
|
testbuild:
|
|
name: Build for testing
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
security-events: write
|
|
outputs:
|
|
metadata: ${{ steps.build.outputs.metadata }}
|
|
images: ${{ steps.images.outputs.images }}
|
|
steps:
|
|
- name: Checkout Code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Log in to the GitHub Container registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
# TODO: review this when GitHub has linux/arm64 runners available (Q1 2025?)
|
|
# https://github.com/github/roadmap/issues/970
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@v3
|
|
with:
|
|
platforms: 'arm64'
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Build and push
|
|
uses: docker/bake-action@v6
|
|
id: build
|
|
env:
|
|
environment: testing
|
|
registry: ghcr.io/${{ github.repository_owner }}
|
|
revision: ${{ github.sha }}
|
|
with:
|
|
push: true
|
|
|
|
# Get a list of the images that were built and pushed. We only care about a single tag for each image.
|
|
- name: Generated images
|
|
id: images
|
|
run: |
|
|
echo "images=$(echo '${{ steps.build.outputs.metadata }}' | jq -c '[ .[]."image.name" | sub(",.*";"") ]')" >> "$GITHUB_OUTPUT"
|
|
|
|
security:
|
|
name: Security checks
|
|
runs-on: ubuntu-latest
|
|
needs:
|
|
- testbuild
|
|
strategy:
|
|
matrix:
|
|
image: ${{fromJson(needs.testbuild.outputs.images)}}
|
|
steps:
|
|
- name: Checkout Code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Log in to the GitHub Container registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Dockle
|
|
uses: erzz/dockle-action@v1
|
|
with:
|
|
image: ${{ matrix.image }}
|
|
exit-code: '1'
|
|
|
|
- name: Snyk
|
|
uses: snyk/actions/docker@master
|
|
continue-on-error: true
|
|
env:
|
|
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
|
with:
|
|
image: "${{ matrix.image }}"
|
|
args: --severity-threshold=high --file=Dockerfile
|
|
|
|
- name: Upload result to GitHub Code Scanning
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
continue-on-error: true
|
|
with:
|
|
sarif_file: snyk.sarif
|
|
|
|
# Build the image for production.
|
|
#
|
|
# TODO: no need to rebuild everything, just copy the testing images we have generated to the production registry
|
|
# if we get here and we are building for production.
|
|
prodbuild:
|
|
if: github.event.inputs.environment == 'production' || github.event_name == 'schedule'
|
|
name: Build for production
|
|
runs-on: ubuntu-latest
|
|
needs:
|
|
- security
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
security-events: write
|
|
steps:
|
|
- name: Checkout Code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Log in to the GitHub Container registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@v3
|
|
with:
|
|
platforms: 'arm64'
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Build and push
|
|
uses: docker/bake-action@v6
|
|
id: build
|
|
env:
|
|
environment: production
|
|
registry: ghcr.io/${{ github.repository_owner }}
|
|
revision: ${{ github.sha }}
|
|
with:
|
|
push: true
|