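# Reusable workflow (workflow_call): builds the openvas-scanner container
# images for each supported base (stable / testing / oldstable), pushes them to
# ghcr.io and the Greenbone registry, reports to Mattermost, triggers Harbor
# replication and, on a release tag, updates the Automatix service.
#
# Security notes for maintainers:
# - Every called workflow and action below is referenced by a mutable ref
#   (`@main`, `@v3`) and the reusable workflows receive `secrets: inherit`,
#   i.e. the whole secret set declared under `secrets:` (DockerHub, cosign
#   signing key, bot and registry tokens). A change on that branch or tag ships
#   here without review in this repository. Pinning to a full commit SHA (or at
#   least a release tag for greenbone/workflows) and passing only the secrets
#   each workflow needs would narrow the blast radius. Both are left as-is
#   here because the called workflows' secret names are not visible from this
#   file.
# - Jobs that use secrets or a self-hosted runner are gated on
#   `github.repository == 'greenbone/openvas-scanner'` so forks do not run them.
name: Container
on:
  workflow_call:
    inputs:
      # Strings, not booleans: they are spliced into docker metadata
      # `enable=...` expressions below and forwarded as-is.
      is_latest_tag:
        required: true
        type: string
      is_version_tag:
        required: true
        type: string
    secrets:
      dockerhub_user:
        required: true
      dockerhub_token:
        required: true
      cosign_key_opensight:
        required: true
      cosign_password_opensight:
        required: true
      greenbone_bot_token:
        required: true
      # Declared as a secret, but this file itself reads the registry host from
      # `vars.GREENBONE_REGISTRY`; the secret is only forwarded to the called
      # workflows through `secrets: inherit`.
      greenbone_registry:
        required: true
      greenbone_registry_user:
        required: true
      greenbone_registry_token:
        required: true
      greenbone_registry_read_user:
        required: true
      greenbone_registry_read_token:
        required: true
      # Optional. When absent, the `trigger-replication` job still runs and the
      # action receives empty credentials — presumably it then fails rather
      # than being skipped; TODO confirm against the action's behaviour.
      greenbone_registry_replication_user:
        required: false
      greenbone_registry_replication_token:
        required: false
      mattermost_webhook_url:
        required: true
# Grants rights to push to the Github container registry.
# These apply to every job in this file, including the self-hosted
# `trigger-replication` job; called workflows can only downgrade them.
permissions:
  contents: read
  packages: write
  id-token: write
  pull-requests: write
jobs:
  build:
    # Never build/push from forks: the called workflow receives all secrets.
    if: ${{ github.repository == 'greenbone/openvas-scanner' }}
    strategy:
      # Let the remaining variants finish (and be pushed) even if one fails.
      fail-fast: false
      matrix:
        include:
          - build:
              name: stable
              dockerfile: .docker/prod.Dockerfile
              stable-name: stable
              edge-name: edge
            # Include-level key, read below as `matrix.tags`. Only the stable
            # entry sets it; for the other variants it expands to an empty
            # string and tagging is driven solely by the `enable-*` inputs.
            tags: |
              type=raw,value=latest,enable=${{ inputs.is_latest_tag }}
              type=raw,value=stable,enable=${{ inputs.is_latest_tag }}
              type=semver,pattern={{version}},enable=${{ inputs.is_version_tag }}
              type=semver,pattern={{major}}.{{minor}},enable=${{ inputs.is_version_tag }}
              type=semver,pattern={{major}},enable=${{ inputs.is_version_tag }}
              type=raw,value=edge,enable=${{ github.ref_name == 'main' }}
              type=raw,value={{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }}
              type=ref,event=pr
          - build:
              name: testing
              dockerfile: .docker/prod-testing.Dockerfile
              stable-name: testing
              edge-name: testing-edge
          - build:
              name: oldstable
              dockerfile: .docker/prod-oldstable.Dockerfile
              stable-name: oldstable
              edge-name: oldstable-edge
    name: Build and Push Container Images (${{ matrix.build.name }})
    # Mutable `@main` ref plus `secrets: inherit` — see the header note on
    # pinning.
    uses: greenbone/workflows/.github/workflows/container-build-push-gea.yml@main
    with:
      name: ${{ matrix.build.name }}
      dockerfile: ${{ matrix.build.dockerfile }}
      stable-name: ${{ matrix.build.stable-name }}
      edge-name: ${{ matrix.build.edge-name }}
      # latest / PR / semver tags are only produced for the stable variant.
      enable-latest: ${{ matrix.build.name == 'stable' }}
      enable-pr: ${{ matrix.build.name == 'stable' }}
      enable-version: ${{ matrix.build.name == 'stable' }}
      labels: |
        org.opencontainers.image.vendor=Greenbone
        org.opencontainers.image.base.name=debian:stable-slim
      # `build-args` and `prefix` are not set by any matrix entry above, so
      # they currently expand to empty strings.
      build-args: ${{ matrix.build.build-args }}
      prefix: ${{ matrix.build.prefix }}
      tags: ${{ matrix.tags }}
      # PR builds go to ghcr.io only; the Greenbone registry targets are
      # reserved for branch and tag pushes.
      images: |
        ghcr.io/${{ github.repository }},enable=true
        ${{ vars.GREENBONE_REGISTRY }}/community/${{ github.event.repository.name }},enable=${{ github.event_name != 'pull_request' }}
        ${{ vars.GREENBONE_REGISTRY }}/openvas-detect-dev/${{ github.event.repository.name }},enable=${{ github.event_name != 'pull_request' }}
    secrets: inherit
  notify:
    needs:
      - build
    # `!cancelled()` so that a failed build is still reported.
    if: ${{ !cancelled() && github.event_name != 'pull_request' && github.repository == 'greenbone/openvas-scanner' }}
    uses: greenbone/workflows/.github/workflows/notify-mattermost-2nd-gen.yml@main
    with:
      status: ${{ contains(needs.*.result, 'failure') && 'failure' || 'success' }}
    secrets: inherit
  trigger-replication:
    needs:
      - build
    # Runs on a self-hosted runner, so it is restricted to non-PR events of
    # the upstream repository. `!cancelled()` means it also runs after a
    # partial matrix failure, replicating whatever was pushed.
    if: ${{ !cancelled() && github.event_name != 'pull_request' && github.repository == 'greenbone/openvas-scanner' }}
    runs-on: self-hosted-generic
    steps:
      - name: Ensure all tags are replicated on the public registry
        # Mutable `@v3` tag — see the header note on pinning.
        uses: greenbone/actions/trigger-harbor-replication@v3
        with:
          registry: ${{ vars.GREENBONE_REGISTRY }}
          token: ${{ secrets.GREENBONE_REGISTRY_REPLICATION_TOKEN }}
          user: ${{ secrets.GREENBONE_REGISTRY_REPLICATION_USER }}
  automatix:
    name: Update Automatix
    # Release tags (`v*`) only. The repository guard matches the other jobs so
    # a fork tagging `v*` does not attempt the update (`!cancelled()` would
    # otherwise let it run even when `build` was skipped). `!cancelled()` is
    # kept, so this also runs when `build` failed — TODO confirm that is
    # wanted, since the tag may then be missing from the registry.
    if: ${{ !cancelled() && startsWith(github.ref, 'refs/tags/v') && github.repository == 'greenbone/openvas-scanner' }}
    needs: build
    uses: greenbone/workflows/.github/workflows/automatix-service.yml@main
    with:
      service: openvas-scanner
      url: ${{ vars.GREENBONE_REGISTRY }}/openvas-detect-dev/${{ github.event.repository.name }}
      # Raw git ref name (e.g. `v1.2.3`), passed without stripping the `v`.
      tag: ${{ github.ref_name }}
      artifact-pattern: stable
    secrets: inherit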