|
35 | 35 | description: "Image url/name without registry. Default is github.repository" |
36 | 36 | default: "${{ github.repository }}" |
37 | 37 | type: string |
38 | | - image-platforms: |
39 | | - description: "Image platforms to build for. Default is linux/amd64" |
40 | | - default: linux/amd64 |
41 | | - type: string |
42 | | - use-greenbonebot: |
43 | | - description: "Use the greenbonebot token as registry login. Default is false" |
44 | | - default: "false" |
45 | | - type: string |
46 | 38 | notify: |
47 | 39 | description: "Enable mattermost notify. Default is true" |
48 | 40 | default: "true" |
|
67 | 59 | required: false |
68 | 60 | MATTERMOST_WEBHOOK_URL: |
69 | 61 | required: false |
70 | | - DOCKERHUB_USERNAME: |
71 | | - required: false |
72 | | - DOCKERHUB_TOKEN: |
73 | | - required: false |
74 | 62 | GREENBONE_REGISTRY: |
75 | 63 | required: false |
76 | 64 | GREENBONE_REGISTRY_USER: |
|
85 | 73 | outputs: |
86 | 74 | digest: |
87 | 75 | description: "The container digest" |
88 | | - value: ${{ jobs.building-container.outputs.digest }} |
| 76 | + value: ${{ jobs.build.outputs.digest }} |
89 | 77 |
|
90 | 78 | jobs: |
91 | | - # We have to look, if our self hosted runner are be able to have this in hand. |
92 | | - # Otherwise we need to keep this for PR builds. |
93 | | - building-container-ghcr: |
94 | | - runs-on: "ubuntu-latest" |
95 | | - outputs: |
96 | | - digest: ${{ steps.build-and-push.outputs.digest }} |
97 | | - steps: |
98 | | - - name: Checkout repository |
99 | | - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
100 | | - |
101 | | - - name: Container build push 3rd gen |
102 | | - id: build-and-push |
103 | | - uses: greenbone/actions/container-build-push-generic@v3 |
104 | | - with: |
105 | | - build-context: ${{ inputs.build-context }} |
106 | | - build-docker-file: ${{ inputs.build-docker-file }} |
107 | | - build-args: ${{ inputs.build-args }} |
108 | | - build-secrets: ${{ contains(inputs.build-secret-greenbonebot, 'true') && format('GREENBONE_BOT_PACKAGES_READ_TOKEN={0}', secrets.GREENBONE_BOT_PACKAGES_READ_TOKEN) || inputs.build-secrets }} |
109 | | - cosign-key: ${{ secrets.COSIGN_KEY_OPENSIGHT }} |
110 | | - cosign-key-password: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }} |
111 | | - # The tlog function does not currently support an ed25519 key. |
112 | | - cosign-tlog-upload: "false" |
113 | | - image-url: ${{ inputs.image-url }} |
114 | | - image-labels: ${{ inputs.image-labels }} |
115 | | - image-tags: | |
116 | | - # create container tag for git tags |
117 | | - type=ref,event=tag,value=latest |
118 | | - type=match,pattern=v(.*),group=1 |
119 | | - type=ref,event=pr |
120 | | - # use unstable for main branch |
121 | | - type=raw,value=unstable,enable={{is_default_branch}} |
122 | | - # use unstable-release for release branches |
123 | | - type=raw,value=unstable-release,enable=${{startsWith(github.ref, 'refs/heads/release/')}} |
124 | | - image-platforms: ${{ inputs.image-platforms }} |
125 | | - registry: ${{ vars.IMAGE_REGISTRY }} |
126 | | - registry-username: ${{ github.actor }} |
127 | | - registry-password: ${{ contains(inputs.use-greenbonebot, 'true') && secrets.GREENBONE_BOT_TOKEN || secrets.GITHUB_TOKEN }} |
128 | | - scout-user: ${{ contains(inputs.scout, 'true') && secrets.DOCKERHUB_USERNAME || '' }} |
129 | | - scout-password: ${{ contains(inputs.scout, 'true') && secrets.DOCKERHUB_TOKEN || '' }} |
130 | | - |
131 | | - building-container-greenbone: |
132 | | - # At the moment, we use this job only to build tagged releases and not for every PR build. |
133 | | - # Once we have enough capacity, we can change this and remove the GHCR build job. |
134 | | - if: (inputs.service) && (startsWith(github.ref, 'refs/tags/v')) |
135 | | - runs-on: self-hosted-generic |
| 79 | + meta: |
| 80 | + name: Meta Data |
| 81 | + runs-on: ubuntu-latest |
136 | 82 | outputs: |
137 | | - digest: ${{ steps.build-and-push.outputs.digest }} |
138 | | - image-url: ${{ steps.image-url.outputs.url }} |
139 | | - image-name: ${{ steps.image-url.outputs.name }} |
| 83 | + url: ${{ steps.image-url.outputs.url }} |
| 84 | + name: ${{ steps.image-url.outputs.name }} |
140 | 85 | steps: |
141 | | - - name: Checkout repository |
142 | | - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
143 | | - |
144 | | - # Since all image URLs are derived from the GitHub repository URL, we need to reformat them to obtain the correct product OCI URLs. |
145 | | - # We can remove this step after incorporate everything directly into the respective workflow calls within the service repositories. |
146 | 86 | - name: Create image url |
147 | 87 | id: image-url |
148 | 88 | shell: bash |
@@ -189,89 +129,59 @@ jobs: |
189 | 129 | echo "url=$url" >> $GITHUB_OUTPUT |
190 | 130 | echo "name=$(basename ${{ inputs.image-url }})" >> $GITHUB_OUTPUT |
191 | 131 |
|
192 | | - - name: Container build push 3rd gen |
193 | | - id: build-and-push |
194 | | - uses: greenbone/actions/container-build-push-generic@v3 |
195 | | - with: |
196 | | - build-context: ${{ inputs.build-context }} |
197 | | - build-docker-file: ${{ inputs.build-docker-file }} |
198 | | - build-args: ${{ inputs.build-args }} |
199 | | - build-secrets: ${{ contains(inputs.build-secret-greenbonebot, 'true') && format('GREENBONE_BOT_PACKAGES_READ_TOKEN={0}', secrets.GREENBONE_BOT_PACKAGES_READ_TOKEN) || inputs.build-secrets }} |
200 | | - cosign-key: ${{ secrets.COSIGN_KEY_OPENSIGHT }} |
201 | | - cosign-key-password: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }} |
202 | | - # The tlog function does not currently support an ed25519 key. |
203 | | - cosign-tlog-upload: "false" |
204 | | - image-url: ${{ steps.image-url.outputs.url }} |
205 | | - image-labels: ${{ inputs.image-labels }} |
206 | | - image-tags: | |
207 | | - # create container tag for git tags |
208 | | - type=ref,event=tag,value=latest |
209 | | - type=match,pattern=v(.*),group=1 |
210 | | - type=ref,event=pr |
211 | | - # use unstable for main branch |
212 | | - type=raw,value=unstable,enable={{is_default_branch}} |
213 | | - # use unstable-release for release branches |
214 | | - type=raw,value=unstable-release,enable=${{startsWith(github.ref, 'refs/heads/release/')}} |
215 | | - registry: ${{ vars.GREENBONE_REGISTRY }} |
216 | | - registry-username: ${{ secrets.GREENBONE_REGISTRY_USER }} |
217 | | - registry-password: ${{ secrets.GREENBONE_REGISTRY_TOKEN }} |
| 132 | + build: |
| 133 | + name: Container build push 3rd gen |
| 134 | + needs: meta |
| 135 | + uses: greenbone/workflows/.github/workflows/container-push.yml@main |
| 136 | + with: |
| 137 | + build-context: ${{ inputs.build-context }} |
| 138 | + build-docker-file: ${{ inputs.build-docker-file }} |
| 139 | + build-args: ${{ inputs.build-args }} |
| 140 | + build-secrets: ${{ inputs.build-secrets }} |
| 141 | + build-secrets-name: ${{ contains(inputs.build-secret-greenbonebot, 'true') && 'GREENBONE_BOT_PACKAGES_READ_TOKEN' }} |
| 142 | + image-labels: ${{ inputs.image-labels }} |
| 143 | + image-urls: | |
| 144 | + ghcr.io/${{ inputs.image-url }} |
| 145 | + ${{ vars.GREENBONE_REGISTRY }}/${{ needs.meta.outputs.url }} |
| 146 | + secrets: inherit |
218 | 147 |
|
219 | 148 | push-sbom: |
220 | 149 | name: Scan image and push SBOM |
221 | 150 | if: inputs.service && startsWith(github.ref, 'refs/tags/v') |
222 | | - needs: building-container-greenbone |
| 151 | + needs: build |
223 | 152 | uses: greenbone/workflows/.github/workflows/generate-and-push-sbom-with-trivy-3rd-gen.yml@main |
224 | 153 | with: |
225 | | - image-url: "${{ vars.GREENBONE_REGISTRY }}/${{ needs.building-container-greenbone.outputs.image-url }}:${{ github.ref_name }}" |
226 | | - image-registry-username-secret-name: "GREENBONE_REGISTRY_READ_USER" |
227 | | - image-registry-password-secret-name: "GREENBONE_REGISTRY_READ_TOKEN" |
228 | | - output-file-name: "${{ needs.building-container-greenbone.outputs.image-name }}.${{ github.ref_name }}.sbom.json" |
229 | | - artifact-url: "${{ vars.GREENBONE_REGISTRY }}/${{ needs.building-container-greenbone.outputs.image-url }}-sbom:${{ github.ref_name }}" |
| 154 | + image-url: "${{ vars.GREENBONE_REGISTRY }}/${{ needs.meta.outputs.url }}:${{ github.ref_name }}" |
| 155 | + image-registry-username-secret-name: "GREENBONE_REGISTRY_USER" |
| 156 | + image-registry-password-secret-name: "GREENBONE_REGISTRY_TOKEN" |
| 157 | + output-file-name: "${{ needs.meta.outputs.name }}.${{ github.ref_name }}.sbom.json" |
| 158 | + artifact-url: "${{ vars.GREENBONE_REGISTRY }}/${{ needs.meta.outputs.url }}-sbom:${{ github.ref_name }}" |
230 | 159 | secrets: inherit |
231 | 160 |
|
232 | | - harbor-replication: |
233 | | - if: inputs.service && startsWith(github.ref, 'refs/tags/v') |
234 | | - needs: |
235 | | - - building-container-greenbone |
236 | | - runs-on: self-hosted-generic |
237 | | - steps: |
238 | | - - name: Trigger harbor replication |
239 | | - shell: bash |
240 | | - run: | |
241 | | - if ! [ '${{ secrets.GREENBONE_REGISTRY_REPLICATION_TOKEN }}' ]; then |
242 | | - echo "Secret GREENBONE_REGISTRY_REPLICATION_TOKEN does not exist" |
243 | | - exit 0 |
244 | | - fi |
245 | | - curl --fail-with-body -X POST \ |
246 | | - https://${{ vars.GREENBONE_REGISTRY }}/api/v2.0/replication/executions \ |
247 | | - -u '${{ secrets.GREENBONE_REGISTRY_REPLICATION_USER }}:${{ secrets.GREENBONE_REGISTRY_REPLICATION_TOKEN }}' \ |
248 | | - -H "Content-Type: application/json" \ |
249 | | - -d '{"policy_id": 1}' |
250 | | -
|
251 | | - building-product-compose: |
| 161 | + automatix: |
252 | 162 | if: inputs.service && startsWith(github.ref, 'refs/tags/v') |
253 | 163 | needs: |
254 | | - - building-container-ghcr |
255 | | - - building-container-greenbone |
| 164 | + - meta |
| 165 | + - build |
256 | 166 | - harbor-replication |
257 | | - runs-on: "ubuntu-latest" |
| 167 | + runs-on: ubuntu-latest |
258 | 168 | steps: |
259 | 169 | - name: Trigger product compose upgrade |
260 | 170 | uses: greenbone/actions/trigger-workflow@v3 |
261 | 171 | with: |
262 | 172 | token: ${{ secrets.GREENBONE_BOT_TOKEN }} |
263 | | - repository: "greenbone/automatix" |
264 | | - workflow: "push.yml" |
265 | | - inputs: '{"service": "${{ inputs.service }}", "image-url": "${{ needs.building-container-greenbone.outputs.image-url }}", "digest": "${{ needs.building-container-greenbone.outputs.digest }}", "version": "${{ github.ref_name }}"}' |
| 173 | + repository: greenbone/automatix |
| 174 | + workflow: push.yml |
| 175 | + inputs: '{"service": "${{ inputs.service }}", "image-url": "${{ needs.meta.outputs.url }}", "digest": "${{ needs.build.outputs.digest }}", "version": "${{ github.ref_name }}"}' |
266 | 176 |
|
267 | 177 | notify: |
268 | 178 | needs: |
269 | | - - building-container-ghcr |
270 | | - - building-container-greenbone |
| 179 | + - meta |
| 180 | + - build |
271 | 181 | - push-sbom |
272 | 182 | - harbor-replication |
273 | | - - building-product-compose |
274 | | - if: ${{ !cancelled() && startsWith(github.ref, 'refs/tags/v') && startsWith(inputs.notify, 'true') }} |
| 183 | + - automatix |
| 184 | + if: ${{ !cancelled() && inputs.service && startsWith(github.ref, 'refs/tags/v') && startsWith(inputs.notify, 'true') }} |
275 | 185 | uses: greenbone/workflows/.github/workflows/notify-mattermost-3rd-gen.yml@main |
276 | 186 | with: |
277 | 187 | status: ${{ contains(needs.*.result, 'failure') && 'failure' || 'success' }} |
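Review bot: Both `needs` lists in this hunk still depend on `harbor-replication` (`- harbor-replication` under the automatix job and again under notify), yet that job is deleted in the same hunk, so unless it is redefined outside the visible lines the workflow will fail validation with an unknown-job dependency; either drop the two `- harbor-replication` entries or keep the job if replication has not moved into `container-push.yml`. Separately, push-sbom now authenticates with `GREENBONE_REGISTRY_USER`/`GREENBONE_REGISTRY_TOKEN` where it previously used the `GREENBONE_REGISTRY_READ_USER`/`GREENBONE_REGISTRY_READ_TOKEN` pair; if the old names were a read-only identity, a job that only needs to pull the image for scanning has just been handed write-capable registry credentials, so consider restoring `image-registry-username-secret-name: "GREENBONE_REGISTRY_READ_USER"` and `image-registry-password-secret-name: "GREENBONE_REGISTRY_READ_TOKEN"` if those secrets are still provisioned. The new build job also replaces an explicit hand-off of cosign and registry secrets with `secrets: inherit`, which forwards every secret of the caller to `container-push.yml@main`; that matches the file's other reusable-workflow calls but widens what a compromise of that workflow (or of the mutable `main` ref) can reach, so pinning the callee and listing only the needed secrets would be the tighter option. Finally, `build-secrets-name: ${{ contains(inputs.build-secret-greenbonebot, 'true') && 'GREENBONE_BOT_PACKAGES_READ_TOKEN' }}` evaluates to the boolean `false` rather than an empty string when the input is unset, so the callee receives the literal string `false` as a secret name unless it guards for that; appending `|| ''` keeps the intent explicit.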
|