chore(github): improve SDK container build and push action (#9034)

Author: cesararroba

…flows/sdk-build-lint-push-containers.yml …b/workflows/sdk-container-build-push.yml.github/workflows/sdk-build-lint-push-containers.yml renamed to .github/workflows/sdk-container-build-push.yml .github/workflows/sdk-build-lint-push-containers.yml renamed to .github/workflows/sdk-container-build-push.yml

@@ -1,108 +1,107 @@
-name: SDK - Build and Push containers
+name: 'SDK: Container Build and Push'
 
 on:
   push:
     branches:
-      # For `v3-latest`
-      - "v3"
-      # For `v4-latest`
-      - "v4.6"
-      # For `latest`
-      - "master"
+      - 'v3'      # For v3-latest
+      - 'v4.6'    # For v4-latest
+      - 'master'  # For latest
     paths-ignore:
-      - ".github/**"
-      - "README.md"
-      - "docs/**"
-      - "ui/**"
-      - "api/**"
-
+      - '.github/**'
+      - '!.github/workflows/sdk-container-build-push.yml'
+      - 'README.md'
+      - 'docs/**'
+      - 'ui/**'
+      - 'api/**'
   release:
-    types: [published]
+    types:
+      - 'published'
 
-env:
-  # AWS Configuration
-  AWS_REGION_STG: eu-west-1
-  AWS_REGION_PLATFORM: eu-west-1
-  AWS_REGION: us-east-1
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
-  # Container's configuration
+env:
+  # Container configuration
   IMAGE_NAME: prowler
   DOCKERFILE_PATH: ./Dockerfile
 
-  # Tags
+  # Python configuration
+  PYTHON_VERSION: '3.12'
+
+  # Tags (dynamically set based on version)
   LATEST_TAG: latest
   STABLE_TAG: stable
-  # The RELEASE_TAG is set during runtime in releases
-  RELEASE_TAG: ""
-  # The PROWLER_VERSION and PROWLER_VERSION_MAJOR are set during runtime in releases
-  PROWLER_VERSION: ""
-  PROWLER_VERSION_MAJOR: ""
-  # TEMPORARY_TAG: temporary
 
-  # Python configuration
-  PYTHON_VERSION: 3.12
-
-  # Container Registries
+  # Container registries
   PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
   PROWLERCLOUD_DOCKERHUB_IMAGE: prowler
 
+  # AWS configuration (for ECR)
+  AWS_REGION: us-east-1
+
 jobs:
-  # Build Prowler OSS container
   container-build-push:
-    # needs: dockerfile-linter
+    if: github.repository == 'prowler-cloud/prowler'
     runs-on: ubuntu-latest
+    timeout-minutes: 45
+    permissions:
+      contents: read
+      packages: write
     outputs:
-      prowler_version_major: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION_MAJOR }}
-      prowler_version: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION }}
+      prowler_version: ${{ steps.get-prowler-version.outputs.prowler_version }}
+      prowler_version_major: ${{ steps.get-prowler-version.outputs.prowler_version_major }}
     env:
-      POETRY_VIRTUALENVS_CREATE: "false"
+      POETRY_VIRTUALENVS_CREATE: 'false'
 
     steps:
-      - name: Checkout
+      - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
-      - name: Setup Python
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Install Poetry
         run: |
-          pipx install poetry==2.*
+          pipx install poetry==2.1.1
           pipx inject poetry poetry-bumpversion
 
-      - name: Get Prowler version
+      - name: Get Prowler version and set tags
         id: get-prowler-version
         run: |
           PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
+          echo "prowler_version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
           echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_ENV}"
-          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
 
-          # Store prowler version major just for the release
+          # Extract major version
           PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
+          echo "prowler_version_major=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
           echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_ENV}"
-          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
 
+          # Set version-specific tags
           case ${PROWLER_VERSION_MAJOR} in
-          3)
+            3)
               echo "LATEST_TAG=v3-latest" >> "${GITHUB_ENV}"
               echo "STABLE_TAG=v3-stable" >> "${GITHUB_ENV}"
+              echo "✓ Prowler v3 detected - tags: v3-latest, v3-stable"
               ;;
-
-
-          4)
+            4)
               echo "LATEST_TAG=v4-latest" >> "${GITHUB_ENV}"
               echo "STABLE_TAG=v4-stable" >> "${GITHUB_ENV}"
+              echo "✓ Prowler v4 detected - tags: v4-latest, v4-stable"
               ;;
-
-          5)
+            5)
               echo "LATEST_TAG=latest" >> "${GITHUB_ENV}"
               echo "STABLE_TAG=stable" >> "${GITHUB_ENV}"
+              echo "✓ Prowler v5 detected - tags: latest, stable"
               ;;
-
-          *)
-              # Fallback if any other version is present
-              echo "Releasing another Prowler major version, aborting..."
+            *)
+              echo "::error::Unsupported Prowler major version: ${PROWLER_VERSION_MAJOR}"
               exit 1
               ;;
           esac
@@ -125,26 +124,26 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
-      - name: Build and push container image (latest)
+      - name: Build and push SDK container (latest)
         if: github.event_name == 'push'
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
+          context: .
+          file: ${{ env.DOCKERFILE_PATH }}
           push: true
           tags: |
             ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
             ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
-          file: ${{ env.DOCKERFILE_PATH }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-      - name: Build and push container image (release)
+      - name: Build and push SDK container (release)
         if: github.event_name == 'release'
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
-          # Use local context to get changes
-          # https://github.com/docker/build-push-action#path-context
           context: .
+          file: ${{ env.DOCKERFILE_PATH }}
           push: true
           tags: |
             ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
@@ -153,50 +152,36 @@ jobs:
             ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.PROWLER_VERSION }}
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
-          file: ${{ env.DOCKERFILE_PATH }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-#      - name: Push README to Docker Hub (toniblyx)
-#        uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2
-#        with:
-#          username: ${{ secrets.DOCKERHUB_USERNAME }}
-#          password: ${{ secrets.DOCKERHUB_TOKEN }}
-#          repository: ${{ env.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}
-#          readme-filepath: ./README.md
-#
-#      - name: Push README to Docker Hub (prowlercloud)
-#        uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2
-#        with:
-#          username: ${{ secrets.DOCKERHUB_USERNAME }}
-#          password: ${{ secrets.DOCKERHUB_TOKEN }}
-#          repository: ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}
-#          readme-filepath: ./README.md
-
-  dispatch-action:
+  dispatch-v3-deployment:
+    if: needs.container-build-push.outputs.prowler_version_major == '3'
     needs: container-build-push
     runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+
     steps:
-      - name: Get latest commit info (latest)
+      - name: Calculate short SHA
+        id: short-sha
+        run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
+
+      - name: Dispatch v3 deployment (latest)
         if: github.event_name == 'push'
-        run: |
-          LATEST_COMMIT_HASH=$(echo ${{ github.event.after }} | cut -b -7)
-          echo "LATEST_COMMIT_HASH=${LATEST_COMMIT_HASH}" >> $GITHUB_ENV
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
+        with:
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
+          event-type: dispatch
+          client-payload: '{"version":"v3-latest","tag":"${{ steps.short-sha.outputs.short_sha }}"}'
 
-      - name: Dispatch event (latest)
-        if: github.event_name == 'push' && needs.container-build-push.outputs.prowler_version_major == '3'
-        run: |
-          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
-            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            --data '{"event_type":"dispatch","client_payload":{"version":"v3-latest", "tag": "${{ env.LATEST_COMMIT_HASH }}"}}'
-
-      - name: Dispatch event (release)
-        if: github.event_name == 'release' && needs.container-build-push.outputs.prowler_version_major == '3'
-        run: |
-          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
-            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            --data '{"event_type":"dispatch","client_payload":{"version":"release", "tag":"${{ needs.container-build-push.outputs.prowler_version }}"}}'
+      - name: Dispatch v3 deployment (release)
+        if: github.event_name == 'release'
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
+        with:
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
+          event-type: dispatch
+          client-payload: '{"version":"release","tag":"${{ needs.container-build-push.outputs.prowler_version }}"}'