
PILOT-6741: Add CI workflow for building and pushing CLI docker image #3

PILOT-6741: Add CI workflow for building and pushing CLI docker image


name: Build and Publish Docker Image
on:
workflow_dispatch:
inputs:
os:
description: 'Operating system of CLI binary'
required: true
type: string
release:
description: 'Release version of CLI tool'
required: true
type: string
docker_registry:
description: 'Registry endpoint to where to push the images.'
type: string
required: false
default: "indocpilot.azurecr.io"
pull_request:
jobs:
get-version:
name: Get pilot cli version
runs-on: ubuntu-24.04
outputs:
cli_version: ${{steps.get-version.outputs.cli_version}}
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
ref: ${{ github.sha }} # Ensures the workflow checks out the commit it was triggered on
- name: Get Version
id: get-version
shell: bash
run: |
echo "cli_version=${{ github.event.inputs.os }}-${{ github.event.inputs.release }}" >> $GITHUB_OUTPUT
build-and-push-docker-image:
needs: [get-version]
name: Build Docker images and push to repositories
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
ref: ${{ github.sha }} # Ensures the workflow checks out the commit it was triggered on
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Github Packages
uses: docker/login-action@v2
with:
registry: ${{ inputs.docker_registry }}
username: ${{ secrets.docker_registry_username }}
password: ${{ secrets.docker_registry_password }}
- name: Docker metadata
id: meta
uses: docker/metadata-action@v4
with:
# list of Docker images to use as base name for tags
images: |
${{ inputs.docker_registry }}/pilotcli
# generate Docker tags based on the following events/attributes
sep-tags: ','
tags: |
type=raw,prefix=,suffix=,value=${{needs.get-version.outputs.cli_version}}
- name: Image digest
run: echo ${{ steps.meta.outputs.tags }}
- name: Check if image exists
id: check_image
run: |
exists=$(docker manifest inspect ${{ inputs.docker_registry }}/pilotcli:${{needs.get-version.outputs.cli_version}} > /dev/null && echo "true" || echo "false")
if [[ $exists == "true" ]]; then
echo "Image exists, aborting"
exit 1
fi
- name: Build image and push to GitHub Container Registry
uses: docker/build-push-action@v4
with:
# relative path to the place where source code with Dockerfile is located
context: .
# Note: tags has to be all lower-case
tags: ${{ steps.meta.outputs.tags }}
# build on feature branches, push only on main branch
push: false
build-args: |
CLI_VERSION=${{ github.event.inputs.release }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.24.0
with:
image-ref: '${{ steps.meta.outputs.tags }}'
format: 'table'
severity: 'CRITICAL'
exit-code: '1'
hide-progress: true
trivyignores: .github/.trivyignore
output: scan-results.txt
env:
TRIVY_IGNORE_STATUS: 'will_not_fix'
TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
- name: Publish Trivy Scan Results to Summary
if: always()
run: |
if [[ -s scan-results.txt ]]; then
{
echo "### Trivy Scan Results"
echo "Please refer to https://indocconsortium.atlassian.net/wiki/spaces/PILOT/pages/3917316126/Trivy+reports+triage to find out the next steps to fix the vulnerabilities"
echo "<details><summary>Click to expand</summary>"
echo ""
echo '```workflow-manager'
cat scan-results.txt
echo '```'
echo "</details>"
} >> $GITHUB_STEP_SUMMARY
fi
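Review bot: The workflow_dispatch inputs `os` and `release` are interpolated directly into shell `run:` scripts (the `echo "cli_version=…"` line in get-version and the `docker manifest inspect` line in check_image), so the input text is substituted into the script before bash parses it rather than being handled as data; route them through `env:` and reference the quoted variables instead. The same inputs are also read on the `pull_request` trigger, where `inputs.*` and `github.event.inputs.*` are empty, so a PR run logs in with an empty `registry:`, produces the tag `-`, and inspects `/pilotcli:-`; either drop that trigger or guard both jobs with `if: github.event_name == 'workflow_dispatch'`. There is no top-level `permissions:` block, so the job token keeps the repository default rather than the minimum this workflow needs, and the actions are referenced by floating tags (`actions/checkout@v3`, `docker/login-action@v2`, …) where a full commit SHA would make the dependency immutable. Finally, `push: false` contradicts the step name `Build image and push…` and its comment `push only on main branch`, so one of the two should be corrected in the file; note that the page rendering has stripped the YAML indentation, so nesting here is inferred from context.

```yaml
      - name: Get Version
        id: get-version
        shell: bash
        env:
          CLI_OS: ${{ github.event.inputs.os }}
          CLI_RELEASE: ${{ github.event.inputs.release }}
        run: |
          echo "cli_version=${CLI_OS}-${CLI_RELEASE}" >> "$GITHUB_OUTPUT"
      # … unchanged: build-and-push-docker-image job; apply the same env pattern to the check_image step's docker manifest inspect line …
```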