jeedom-rpi/.github/workflows/dockerimage-buildx-template.yml at master · edgd1er/jeedom-rpi · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
name: reusable worflow template Docker buildx armhf+amd64

on:
  workflow_call:
    inputs:
      image-name:
        required: true
        type: string
      build-context:
        required: true
        type: string
      build-dockerfile:
        description: 'Dockerfile'
        default: './Docker/Dockerfile'
        type: string
      jdm_version:
        description: 'jeedom version'
        required: true
        default: 'latest'
        type: string
      tag:
        description: 'docker tag'
        required: true
        default: 'v4-latest'
        type: string
      push:
        description: 'push to registry'
        required: true
        default: false
        type: boolean
      version:
        description: 'master'
        default: 'master'
        required: true
        type: string
      distro:
        description: 'base OS'
        required: true
        type: string
        default: "bullseye-slim"

jobs:
  buildx:
    runs-on: ubuntu-latest
    steps:
      - name: env
        run: env
      - name: Checkout
        uses: actions/checkout@v6
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: all
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3
        with:
          version: latest
          install: true
          use: true
      - name: Builder instance name
        run: echo ${{ steps.buildx.outputs.name }}
      - name: Available platforms
        run: echo ${{ steps.buildx.outputs.platforms }}
      - name: Login to Docker hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          builder: ${{ steps.buildx.outputs.name }}
          context: ${{ inputs.build-context }}
          file: ${{ inputs.build-dockerfile }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          # removed linux/arm64
          platforms: linux/amd64,linux/arm/v7,linux/arm64
          push: ${{ inputs.push }}
          no-cache-filters: final
          build-args: |
            VERSION=${{ inputs.version }}
            DISTRO=${{ inputs.distro }}
            JDM_VERSION=${{ inputs.jdm_version }}
            aptCacher: ''
          tags: ${{ secrets.DOCKER_USER }}/${{ inputs.image-name }}:${{ inputs.tag }}

  inspect-security:
    runs-on: ubuntu-latest
    needs: buildx
    steps:
      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ secrets.DOCKER_USER }}/${{ inputs.image-name }}:${{ inputs.tag }}
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/${{ secrets.DOCKER_USER }}/${{ inputs.image-name }}:${{ inputs.tag }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'