From a3387aa4ca272ae87baaeeb3c156554d70b75dd8 Mon Sep 17 00:00:00 2001 From: tawoe Date: Thu, 24 Oct 2024 12:20:47 +0200 Subject: [PATCH 1/5] add 'latest' tag to develop branch images --- .github/workflows/build_container_image.yml | 17 +++-- ...d_container_image_non_develop_branches.yml | 69 +++++++++++++++++++ .github/workflows/run_trivy.yml | 4 +- 3 files changed, 82 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/build_container_image_non_develop_branches.yml diff --git a/.github/workflows/build_container_image.yml b/.github/workflows/build_container_image.yml index ba31a4c..3a14279 100644 --- a/.github/workflows/build_container_image.yml +++ b/.github/workflows/build_container_image.yml @@ -1,6 +1,9 @@ -name: build and publish container +name: build and publish container - develop branch -on: [push] +on: + push: + branches: + - develop env: DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }} DOCKER_HUB_REPOSITORY_NGINX: apimanager-nginx 
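Review bot: The narrowed `on.push.branches: [develop]` trigger now makes every direct push to develop publish and sign a `latest` image, yet the workflow still declares no `permissions:` block, so the job runs with whatever default GITHUB_TOKEN scope the repository setting grants (read/write on older defaults). This job only checks out code and uses its own Docker Hub and cosign secrets, so add a top-level `permissions:` / `  contents: read` next to the trigger. It is also worth confirming that develop is a protected branch, since with this trigger a single direct push is all it takes to overwrite and sign `:latest`.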
@@ -17,20 +20,20 @@ jobs: run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >>$GITHUB_OUTPUT id: extract_branch - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Build the Docker image run: | echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u "${{ secrets.DOCKER_HUB_USERNAME }}" --password-stdin docker.io - docker build . --file .github/Dockerfile_nginx_OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:${{ steps.extract_branch.outputs.branch }}-OC + docker build . --file .github/Dockerfile_nginx_OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:${{ steps.extract_branch.outputs.branch }}-OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:latest-OC docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }} --all-tags echo docker apimanager-nginx-OC done - docker build . --file .github/Dockerfile_OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ steps.extract_branch.outputs.branch }}-OC + docker build . --file .github/Dockerfile_OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ steps.extract_branch.outputs.branch }}-OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:latest-OC docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags echo docker api-manager-OC done - docker build . 
--file Dockerfile_nginx --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:${{ steps.extract_branch.outputs.branch }} + docker build . --file Dockerfile_nginx --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:${{ steps.extract_branch.outputs.branch }} --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:latest docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }} --all-tags echo docker apimanager-nginx done - docker build . --file Dockerfile --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ steps.extract_branch.outputs.branch }} + docker build . --file Dockerfile --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ steps.extract_branch.outputs.branch }} --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:latest docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags echo docker api-manager done - uses: sigstore/cosign-installer@main diff --git a/.github/workflows/build_container_image_non_develop_branches.yml b/.github/workflows/build_container_image_non_develop_branches.yml new file mode 100644 index 0000000..c7d7f26 --- /dev/null +++ b/.github/workflows/build_container_image_non_develop_branches.yml 
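Review bot: The `latest` and `latest-OC` tags added to the four `docker build` lines are mutable, and nothing in this `run:` block records the digest that `docker push --all-tags` actually published; the signing step that follows is outside the hunk, but if it mirrors the sibling workflow it signs by tag, and cosign re-resolves the tag at signing time, so a concurrent run that pushes the same tag in between would get this run's signature (and its `ref=${{ github.sha }}` annotation) attached to its image. Capture the digest right after each push, e.g. `DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA)`, sign `"$DIGEST"` instead of the tag, and add a workflow-level `concurrency:` group so two develop pushes cannot interleave. `--all-tags` also pushes every tag present on the runner for that repository rather than exactly the three built; pushing the explicit tags is more predictable. The `run:` block continues past the end of the hunk.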
@@ -0,0 +1,69 @@ +name: build and publish container - non develop branches + +on: + push: + branches: + - '*' + - '!develop' +env: + DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }} + DOCKER_HUB_REPOSITORY_NGINX: apimanager-nginx + DOCKER_HUB_REPOSITORY: api-manager + + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - name: Extract branch name + shell: bash + run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >>$GITHUB_OUTPUT + id: extract_branch + + - uses: actions/checkout@v4 + - name: Build the Docker image + run: | + echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u "${{ secrets.DOCKER_HUB_USERNAME }}" --password-stdin docker.io + docker build . --file .github/Dockerfile_nginx_OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:${{ steps.extract_branch.outputs.branch }}-OC + docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }} --all-tags + echo docker apimanager-nginx-OC done + docker build . --file .github/Dockerfile_OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ steps.extract_branch.outputs.branch }}-OC + docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags + echo docker api-manager-OC done + docker build . --file Dockerfile_nginx --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:${{ steps.extract_branch.outputs.branch }} + docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }} --all-tags + echo docker apimanager-nginx done + docker build . 
--file Dockerfile --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ steps.extract_branch.outputs.branch }} + docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags + echo docker api-manager done + - uses: sigstore/cosign-installer@main + - name: Write signing key to disk (only needed for `cosign sign --key`) + run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key + - name: Sign container image with annotations from our environment + env: + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + run: | + cosign sign -y --key cosign.key \ + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}" \ + docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ steps.extract_branch.outputs.branch }}-OC + cosign sign -y --key cosign.key \ + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}-nginx" \ + docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:${{ steps.extract_branch.outputs.branch }}-OC + cosign sign -y --key cosign.key \ + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}" \ + docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ steps.extract_branch.outputs.branch }} + cosign sign -y --key cosign.key \ + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}-nginx" \ + docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY_NGINX }}:${{ steps.extract_branch.outputs.branch }} + + + diff --git a/.github/workflows/run_trivy.yml b/.github/workflows/run_trivy.yml index d9a0a70..89ad5d2 100644 --- a/.github/workflows/run_trivy.yml +++ b/.github/workflows/run_trivy.yml 
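Review bot: In the new workflow the branch name is interpolated into the `run:` scripts with `${{ steps.extract_branch.outputs.branch }}` (in every `--tag` and every `cosign sign` target), which is GitHub expression substitution into shell text rather than a shell variable; a git ref may legally contain `$(`, `;` or backticks, so anyone who can push a branch can run commands in a job holding `DOCKER_HUB_TOKEN`, `COSIGN_PRIVATE_KEY` and `COSIGN_PASSWORD`. Pass it through the environment instead — `env:` / `  BRANCH: ${{ steps.extract_branch.outputs.branch }}` on the step and `"${BRANCH}"` in the script — or use the built-in `$GITHUB_REF_NAME`. The `branches: ['*', '!develop']` filter also does not match names containing `/` (`'**'` would), and such names are not valid Docker tags, so the value needs normalising (e.g. `tr '/' '-'`) if those branches are meant to build. Finally, `sigstore/cosign-installer@main` is an unpinned mutable ref on the signing path; pin it to a release tag or commit SHA.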
@@ -2,7 +2,9 @@ name: scan container image on: workflow_run: - workflows: [build and publish container] + workflows: + - build and publish container - develop branch + - build and publish container - non develop branches types: - completed env: From 606fe7b1ae8de6a9608f9c1ca8588f7b1f92e4b8 Mon Sep 17 00:00:00 2001 From: tawoe Date: Thu, 24 Oct 2024 12:36:03 +0200 Subject: [PATCH 2/5] add 'latest' tag to develop branch images --- .github/workflows/build_container_image.yml | 2 +- .../workflows/build_container_image_non_develop_branches.yml | 2 +- .github/workflows/run_trivy.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_container_image.yml b/.github/workflows/build_container_image.yml index 3a14279..eea0fa7 100644 --- a/.github/workflows/build_container_image.yml +++ b/.github/workflows/build_container_image.yml @@ -1,4 +1,4 @@ -name: build and publish container - develop branch +name: build and publish container develop branch on: push: diff --git a/.github/workflows/build_container_image_non_develop_branches.yml b/.github/workflows/build_container_image_non_develop_branches.yml index c7d7f26..49490a5 100644 --- a/.github/workflows/build_container_image_non_develop_branches.yml +++ b/.github/workflows/build_container_image_non_develop_branches.yml @@ -1,4 +1,4 @@ -name: build and publish container - non develop branches +name: build and publish container non develop branches on: push: diff --git a/.github/workflows/run_trivy.yml b/.github/workflows/run_trivy.yml index 89ad5d2..160353f 100644 --- a/.github/workflows/run_trivy.yml +++ b/.github/workflows/run_trivy.yml @@ -3,8 +3,8 @@ name: scan container image on: workflow_run: workflows: - - build and publish container - develop branch - - build and publish container - non develop branches + - build and publish container develop branch + - build and publish container non develop branches types: - completed env: 
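Review bot: The `workflow_run` trigger fires on `completed`, which includes failed and cancelled builds, and nothing in this hunk checks the outcome; add `if: ${{ github.event.workflow_run.conclusion == 'success' }}` on the job (the job definition is outside the hunk). Matching by workflow display name is also fragile — the later patches in this series rename both workflows three times — and a name that does not match exactly leaves the scan silently never running, so add a comment next to the list, e.g. `# must match the `name:` of the build workflows exactly; a mismatch disables scanning without error`. As far as the visible trigger shows, the scan runs only after the images (now including the mutable `latest`) have already been pushed and signed, so a CRITICAL finding can report but not block publication; if gating is intended, run Trivy inside the build job before `docker push`.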
From 724364f9aa7cf92a315b3ea5467d65210ee42ee1 Mon Sep 17 00:00:00 2001 From: tawoe Date: Thu, 24 Oct 2024 13:04:58 +0200 Subject: [PATCH 3/5] add 'latest' tag to develop branch images --- .github/workflows/build_container_image.yml | 2 +- .../workflows/build_container_image_non_develop_branches.yml | 2 +- .github/workflows/run_trivy.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_container_image.yml b/.github/workflows/build_container_image.yml index eea0fa7..fab29e8 100644 --- a/.github/workflows/build_container_image.yml +++ b/.github/workflows/build_container_image.yml @@ -1,4 +1,4 @@ -name: build and publish container develop branch +name: build and publish container develop branch on: push: diff --git a/.github/workflows/build_container_image_non_develop_branches.yml b/.github/workflows/build_container_image_non_develop_branches.yml index 49490a5..d882893 100644 --- a/.github/workflows/build_container_image_non_develop_branches.yml +++ b/.github/workflows/build_container_image_non_develop_branches.yml @@ -1,4 +1,4 @@ -name: build and publish container non develop branches +name: build and publish container non develop branches on: push: diff --git a/.github/workflows/run_trivy.yml b/.github/workflows/run_trivy.yml index 160353f..3a6e78c 100644 --- a/.github/workflows/run_trivy.yml +++ b/.github/workflows/run_trivy.yml @@ -3,8 +3,8 @@ name: scan container image on: workflow_run: workflows: - - build and publish container develop branch - - build and publish container non develop branches + - build and publish container develop branch + - build and publish container non develop branches types: - completed env: From 8c363c840341e36bb176ef9ec34a58060479f3be Mon Sep 17 00:00:00 2001 From: tawoe Date: Thu, 24 Oct 2024 13:24:39 +0200 Subject: [PATCH 4/5] add 'latest' tag to develop branch images --- .github/workflows/run_trivy.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/run_trivy.yml b/.github/workflows/run_trivy.yml index 3a6e78c..f631179 100644 --- a/.github/workflows/run_trivy.yml +++ b/.github/workflows/run_trivy.yml @@ -2,11 +2,8 @@ name: scan container image on: workflow_run: - workflows: - - build and publish container develop branch - - build and publish container non develop branches - types: - - completed + workflows: [build and publish container develop branch, build and publish container non develop branches] + types: [completed] env: ## Sets environment variable DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }} From 658b8fdcc8c08bec80b058116a6d1f612609035c Mon Sep 17 00:00:00 2001 From: tawoe Date: Wed, 30 Oct 2024 10:50:00 +0100 Subject: [PATCH 5/5] trivy remove undefined parameters --- .github/workflows/run_trivy.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/run_trivy.yml b/.github/workflows/run_trivy.yml index f631179..f6109fc 100644 --- a/.github/workflows/run_trivy.yml +++ b/.github/workflows/run_trivy.yml @@ -39,7 +39,6 @@ jobs: format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' - security-checks: 'vuln' severity: 'CRITICAL,HIGH' timeout: '30m' cache-dir: .trivy
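Review bot: Dropping `security-checks: 'vuln'` changes what is scanned rather than just removing an unknown input: trivy-action replaced that input with `scanners`, and with neither present the action's default scanner set applies (broader than vulnerability-only, as far as I recall). If vulnerability-only was intentional, replace the removed line with `scanners: 'vuln'`; otherwise add a comment stating that the default set is wanted. Separately, the visible inputs set `severity: 'CRITICAL,HIGH'` with SARIF output but no `exit-code`, so unless it is set outside the hunk the job passes regardless of findings — `exit-code: '1'` makes the scan enforce.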