deploy-actions/.github/workflows/build-and-push.yml at main · mozilla-it/deploy-actions · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
# See `./docs/build-and-push.md` for usage details

name: Docker Build and Push

on:
  workflow_call:
    inputs:
      image_name:
        required: true
        type: string
      gar_name:
        required: true
        type: string
      project_id:
        required: true
        type: string
      docker_build_args:
        required: false
        default: ""
        type: string
      workload_identity_pool_project_number:
        required: false
        default: ${{ vars.GCPV2_WORKLOAD_IDENTITY_POOL_PROJECT_NUMBER }}
        type: string
      prebuild_script:
        type: string
        required: false
        default: |
          IMAGE_BUILD_CONTEXT_ABSPATH=$(realpath "$IMAGE_BUILD_CONTEXT")

          printf '{"commit":"%s","version":"%s","source":"%s","build":"%s"}\n' \
          "$GITHUB_SHA" \
          "$GITHUB_REF_NAME" \
          "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \
          "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > "$IMAGE_BUILD_CONTEXT_ABSPATH/version.json"
      postbuild_script:
        type: string
        required: false
        default: ""
      image_build_context:
        required: false
        type: string
        default: "./"
      dockerfile_path:
        required: false
        type: string
        default: "./Dockerfile"
      image_tag_metadata:
        required: false
        type: string
      should_tag_ghcr:
        required: false
        type: boolean
        default: false
      should_tag_latest:
        required: false
        type: boolean
        default: false
      gar_location:
        required: false
        type: string
        default: "us"
      service_account_name:
        required: false
        type: string
        default: "artifact-writer"
      enable_attestations:
        required: false
        type: boolean
        default: false
        description: Enable SBOM and provenance attestations for supply chain security

jobs:
  build-and-push:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          ref: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.sha) || github.ref }}
          persist-credentials: false
          fetch-tags: true
      - name: Run pre-build commands
        shell: bash
        env:
          IMAGE_BUILD_CONTEXT: ${{ inputs.image_build_context }}
          PREBUILD_SCRIPT: ${{ inputs.prebuild_script }}
        if: ${{ inputs.prebuild_script != '' }}
        run: |
          set -euo pipefail
          TMP="$RUNNER_TEMP/prebuild.sh"

          if [[ -f "$PREBUILD_SCRIPT" ]]; then
            chmod +x "$PREBUILD_SCRIPT"
            bash "$PREBUILD_SCRIPT"
          else
            printf '%s\n' "$PREBUILD_SCRIPT" > "$TMP"
            chmod +x "$TMP"
            bash "$TMP"
          fi
      - name: Build and Tag Container Image
        id: build
        uses: mozilla-it/deploy-actions/docker-build@8d2c17a843ea376c58b4e88e55d1335bafd52bcb #v6.2.0
        with:
          image_name: ${{ inputs.image_name }}
          gar_name: ${{ inputs.gar_name }}
          project_id: ${{ inputs.project_id }}
          docker_build_args: ${{ inputs.docker_build_args }}
          image_build_context: ${{ inputs.image_build_context }}
          dockerfile_path: ${{ inputs.dockerfile_path }}
          image_tag_metadata: ${{ inputs.image_tag_metadata }}
          should_tag_ghcr: ${{ inputs.should_tag_ghcr }}
          should_tag_latest: ${{ inputs.should_tag_latest }}
          gar_location: ${{ inputs.gar_location }}
          enable_attestations: ${{ inputs.enable_attestations }}
      - name: Run post-build commands
        shell: bash
        if: ${{ inputs.postbuild_script != '' }}
        env:
          POSTBUILD_SCRIPT: ${{ inputs.postbuild_script }}
        run: |
          set -euo pipefail
          TMP="$RUNNER_TEMP/postbuild.sh"

          if [[ -f "$POSTBUILD_SCRIPT" ]]; then
            chmod +x "$POSTBUILD_SCRIPT"
            bash "$POSTBUILD_SCRIPT"
          else
            printf '%s\n' "$POSTBUILD_SCRIPT" > "$TMP"
            chmod +x "$TMP"
            bash "$TMP"
          fi
      - name: Push Container Image
        uses: mozilla-it/deploy-actions/docker-push@8d2c17a843ea376c58b4e88e55d1335bafd52bcb #v6.2.0
        with:
          image_tags: ${{ steps.build.outputs.image_tags }}
          should_authenticate_to_ghcr: ${{ inputs.should_tag_ghcr }}
          project_id: ${{ inputs.project_id }}
          gar_location: ${{ inputs.gar_location }}
          workload_identity_pool_project_number: ${{ inputs.workload_identity_pool_project_number }}
          service_account_name: ${{ inputs.service_account_name }}