reference-implementations-afm/.github/workflows/release-docker.yml at main · RadCod3/reference-implementations-afm · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
name: Release Docker

on:
  workflow_call:
    inputs:
      context:
        description: "Docker build context directory (e.g., ballerina-interpreter)"
        required: true
        type: string
      image_name:
        description: "Docker image name without registry prefix (e.g., afm-ballerina-interpreter)"
        required: true
        type: string
      version:
        description: "Release version (e.g., 0.1.0)"
        required: true
        type: string
      branch:
        description: "Branch being released from"
        required: true
        type: string
      image_title:
        description: "Human-readable image title for OCI labels (e.g., AFM Ballerina Interpreter)"
        required: true
        type: string
      build_slim:
        description: "Whether to build and push a slim image variant"
        required: false
        default: false
        type: boolean

jobs:
  docker:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.branch }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Determine Docker tags
        id: docker-tags
        env:
          OWNER: ${{ github.repository_owner }}
          IMAGE_NAME: ${{ inputs.image_name }}
          VERSION: ${{ inputs.version }}
          UPDATE_LATEST: ${{ inputs.branch == 'main' || inputs.branch == 'dev' }}
        run: |
          # GHCR requires lowercase repository names
          OWNER_LOWER=$(echo "$OWNER" | tr '[:upper:]' '[:lower:]')
          BASE_IMAGE="ghcr.io/$OWNER_LOWER/$IMAGE_NAME"
          TAGS_FULL="$BASE_IMAGE:v$VERSION"
          [ "$UPDATE_LATEST" = "true" ] && TAGS_FULL="$TAGS_FULL,$BASE_IMAGE:latest"
          echo "TAGS_FULL=$TAGS_FULL" >> $GITHUB_OUTPUT

          TAGS_SLIM="$BASE_IMAGE:v$VERSION-slim"
          [ "$UPDATE_LATEST" = "true" ] && TAGS_SLIM="$TAGS_SLIM,$BASE_IMAGE:slim"
          echo "TAGS_SLIM=$TAGS_SLIM" >> $GITHUB_OUTPUT
          echo "BASE_IMAGE=$BASE_IMAGE" >> $GITHUB_OUTPUT

      - name: Build and push full image
        uses: docker/build-push-action@v5
        with:
          context: ${{ inputs.context }}
          push: true
          platforms: linux/amd64,linux/arm64
          build-args: VARIANT=full
          tags: ${{ steps.docker-tags.outputs.TAGS_FULL }}
          labels: |
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.version=${{ inputs.version }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.title=${{ inputs.image_title }}
            org.opencontainers.image.licenses=Apache-2.0
          annotations: |
            index:org.opencontainers.image.source=https://github.com/${{ github.repository }}
            index:org.opencontainers.image.licenses=Apache-2.0

      - name: Build and push slim image
        if: ${{ inputs.build_slim }}
        uses: docker/build-push-action@v5
        with:
          context: ${{ inputs.context }}
          push: true
          platforms: linux/amd64,linux/arm64
          build-args: VARIANT=slim
          tags: ${{ steps.docker-tags.outputs.TAGS_SLIM }}
          labels: |
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.version=${{ inputs.version }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.title=${{ inputs.image_title }} (Slim)
            org.opencontainers.image.licenses=Apache-2.0
          annotations: |
            index:org.opencontainers.image.source=https://github.com/${{ github.repository }}
            index:org.opencontainers.image.licenses=Apache-2.0

      - name: Scan full Docker image for vulnerabilities
        uses: aquasecurity/trivy-action@0.34.0
        with:
          image-ref: ${{ steps.docker-tags.outputs.BASE_IMAGE }}:v${{ inputs.version }}
          format: "sarif"
          output: "trivy-results-full.sarif"
          severity: "CRITICAL,HIGH"
          limit-severities-for-sarif: true
          exit-code: "1"

      - name: Upload full image Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: "trivy-results-full.sarif"
          category: "trivy-full-${{ inputs.image_name }}"

      - name: Scan slim Docker image for vulnerabilities
        if: ${{ always() && inputs.build_slim }}
        uses: aquasecurity/trivy-action@0.34.0
        with:
          image-ref: ${{ steps.docker-tags.outputs.BASE_IMAGE }}:v${{ inputs.version }}-slim
          format: "sarif"
          output: "trivy-results-slim.sarif"
          severity: "CRITICAL,HIGH"
          limit-severities-for-sarif: true
          exit-code: "1"

      - name: Upload slim image Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: ${{ always() && inputs.build_slim }}
        with:
          sarif_file: "trivy-results-slim.sarif"
          category: "trivy-slim-${{ inputs.image_name }}"