Skip to content
Build and push image📦

Build and push image📦 #193

Sign in to view logs

Build and push image📦

Build and push image📦 #193

Workflow file for this run

.github/workflows/build.yml at df3bfa9
name: Build and push image📦
on:
workflow_dispatch:
# schedule:
# - cron: "00 12 1 * *"
# push:
# branches: ["main"]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
APP_VERSION: 1.8.2
jobs:
build:
if: github.actor == 'ammnt'
runs-on: ubuntu-24.04
permissions:
contents: write
packages: write
id-token: write
security-events: write
attestations: write
steps:
- name: Checkout repository🧱
uses: actions/[email protected]
- name: Install cosign🔒
uses: sigstore/[email protected]
with:
cosign-release: "v2.4.2"
- name: Setup Docker buildx🛠️
uses: docker/[email protected]
with:
version: v0.20.1
driver-opts: image=moby/buildkit:v0.19.0
- name: Log into GHCR🔑
uses: docker/[email protected]
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Log into Docker Hub🔑
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Extract Docker metadata🔬
id: meta
uses: docker/[email protected]
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
labels: |
description="Distroless Angie built with QUIC and HTTP/3 support🚀"
maintainer="ammnt <[email protected]>"
org.opencontainers.image.description="Distroless Angie built with QUIC and HTTP/3 support🚀"
org.opencontainers.image.authors="ammnt, [email protected]"
org.opencontainers.image.title="Distroless Angie built with QUIC and HTTP/3 support🚀"
org.opencontainers.image.source="https://github.com/ammnt/angie/"
- name: Build the Docker image⛓️
id: build
uses: docker/[email protected]
with:
provenance: false
context: .
platforms: linux/amd64
load: ${{ github.event_name != 'pull_request' }}
tags: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Analyze image with Docker Scout💊
uses: docker/[email protected]
with:
command: cves,sbom
image: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
sarif-file: scout.report.json
summary: false
- name: Upload Docker Scout report📊
uses: actions/[email protected]
with:
name: Scout Report
path: "${{ github.workspace }}/scout.report.json"
- name: Analyze image with Trivy💊
uses: aquasecurity/[email protected]
with:
image-ref: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
scan-type: image
format: "github"
output: "trivy.report.json"
severity: "MEDIUM,HIGH,CRITICAL"
scanners: "vuln"
github-pat: ${{ secrets.GH_TOKEN }}
- name: Upload Trivy report📊
uses: actions/[email protected]
with:
name: Trivy Report
path: "${{ github.workspace }}/trivy.report.json"
- name: Analyze image with Grype💊
id: anchore
uses: anchore/[email protected]
with:
image: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
fail-build: false
severity-cutoff: critical
grype-version: v0.87.0
output-file: "${{ github.workspace }}/grype.report.json"
- name: Upload Grype report📊
uses: actions/[email protected]
with:
name: Grype Report
path: "${{ github.workspace }}/grype.report.json"
- name: Analyze image with Syft💊
uses: anchore/[email protected]
with:
syft-version: v1.19.0
image: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
artifact-name: Syft Report
dependency-snapshot: false
- name: Analyze image with Snyk💊
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
args: --file=Dockerfile
- name: Upload Snyk report📊
uses: actions/[email protected]
with:
name: Snyk Report
path: "${{ github.workspace }}/snyk.sarif"
# - name: Analyze image with Clair💊
# run: |
# docker run -d --name db arminc/clair-db
# sleep 15
# docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan
# sleep 1
# DOCKER_GATEWAY=$(docker network inspect bridge --format "{{range .IPAM.Config}}{{.Gateway}}{{end}}")
# wget -qO clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 && chmod +x clair-scanner
# ./clair-scanner --ip="$DOCKER_GATEWAY" ghcr.io/ammnt/angie:${{ env.APP_VERSION }} || exit 0
- name: Analyze image with Dockle💊
uses: goodwithtech/dockle-action@main
with:
image: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
format: "json"
output: "dockle.report.json"
exit-code: "1"
exit-level: "warn"
ignore: "CIS-DI-0010"
- name: Upload Dockle report📊
uses: actions/[email protected]
if: always()
with:
name: Dockle Report
path: "${{ github.workspace }}/dockle.report.json"
- name: Slim the Docker image🚀
id: slim
uses: kitabisa/[email protected]
env:
DSLIM_HTTP_PROBE: false
with:
target: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
tag: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
overwrite: true
version: 1.40.11
- name: Dump the Slim report📊
run: |
echo "${REPORT}" | tee -a slim.report.json
ls -lash
cat slim.report.json
env:
REPORT: ${{ steps.slim.outputs.report }}
- name: Upload the Slim report📊
uses: actions/[email protected]
with:
name: Slim Report
path: slim.report.json
- name: Explore the Docker image with Dive🔍
timeout-minutes: 2
env:
CI: true
run: |
wget -q https://github.com/wagoodman/dive/releases/download/v0.12.0/dive_0.12.0_linux_amd64.tar.gz
tar xvzf dive_0.12.0_linux_amd64.tar.gz -C /usr/local/bin
dive --ci-config "${{ github.workspace }}/.dive-ci/" ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
- name: Test the Docker image🧪
run: |
docker run -d --rm -p 127.0.0.1:8080:8080/tcp ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
curl -v http://127.0.0.1:8080 || exit 1
# - name: Push the Docker images to registries💾
# run: |
# docker tag ghcr.io/ammnt/angie:${{ env.APP_VERSION }} ghcr.io/ammnt/angie:latest
# docker tag ghcr.io/ammnt/angie:${{ env.APP_VERSION }} ammnt/angie:${{ env.APP_VERSION }}
# docker tag ghcr.io/ammnt/angie:${{ env.APP_VERSION }} ammnt/angie:latest
# docker push ghcr.io/ammnt/angie --all-tags
# docker push ammnt/angie --all-tags
# DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/ammnt/angie:${{ env.APP_VERSION }} | sed -e "s|ghcr.io/ammnt/angie@||g" | sed -e "s|ammnt/angie@||g")
# echo "DIGEST=$DIGEST" >> $GITHUB_ENV
# - name: Attestation the Docker image📍
# uses: actions/[email protected]
# with:
# subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
# subject-digest: ${{ env.DIGEST }}
# push-to-registry: true
# show-summary: true
# github-token: ${{ secrets.GITHUB_TOKEN }}
# - name: Sign the published Docker image🔐
# env:
# COSIGN_EXPERIMENTAL: "true"
# COSIGN_KEY: ${{secrets.COSIGN_KEY}}
# COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
# run: |
# cosign sign -y --recursive --key env://COSIGN_KEY ghcr.io/ammnt/angie@${{ env.DIGEST }}
# cosign sign -y --recursive --key env://COSIGN_KEY ammnt/angie@${{ env.DIGEST }}
# shell: bash
# - name: Check the published Docker image👌
# run: |
# docker buildx imagetools inspect ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
# docker buildx imagetools inspect ammnt/angie:${{ env.APP_VERSION }}
# docker pull ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
# docker pull ammnt/angie:${{ env.APP_VERSION }}
# cosign verify --key cosign.pub ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
# cosign verify --key cosign.pub ammnt/angie:${{ env.APP_VERSION }}
# - name: Run deploy update on the server✅
# uses: appleboy/[email protected]
# with:
# host: ${{ secrets.SERVER_HOST }}
# username: ${{ secrets.SERVER_USERNAME }}
# key: ${{ secrets.SERVER_KEY }}
# port: ${{ secrets.SERVER_PORT }}
# script: |
# cd /home/${{ secrets.SERVER_USERNAME }}/agh
# /home/${{ secrets.SERVER_USERNAME }}/bin/docker compose pull web dns
# /home/${{ secrets.SERVER_USERNAME }}/bin/docker compose up -d web dns