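name: "NAIS Docker Build Push"
description: "Build and push docker image to the NAIS registry"

# Every input reaches the action as a string (GitHub Actions has no typed
# inputs), which is why boolean-looking defaults below are quoted on purpose.
inputs:
  push_image:
    description: "Push image to registry"
    required: true
    default: "true"
  dockerfile:
    description: "Dockerfile"
    required: true
    default: "Dockerfile"
  docker_context:
    description: "Docker context"
    required: true
    default: "."
  tag:
    description: "Custom docker tag"
    required: false
  # The three inputs below are handed to the NAIS login step, which
  # authenticates via Workload Identity Federation instead of a stored key.
  project_id:
    description: "Google Cloud project ID"
    required: true
  identity_provider:
    description: "Workload Identity Provider"
    required: true
  team:
    description: "Team slug"
    required: true
  cache_from:
    description: "Docker buildx cache from"
    required: false
    default: "type=gha"
  cache_to:
    description: "Docker buildx cache to"
    required: false
    default: "type=gha,mode=max"
  image_suffix:
    description: "Adds a suffix to the generated docker image name"
    required: false
  pull:
    description: "Pull image before building"
    required: false
    default: "true"
  # NOTE(security): build args are typically recorded in the image's
  # config/history and are readable by anyone who can pull the image.
  # Do not pass credentials here; use `build_secrets`, which BuildKit mounts
  # only for the duration of the build.
  build_args:
    description: "List of build-time variables"
    required: false
  build_secrets:
    description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
    required: false
  salsa:
    description: "enable image attestation for SLSA"
    required: false
    default: "true"
  # Sentinel default; how it is interpreted is up to the attest-sign action
  # it is forwarded to (presumably "generate an SBOM for me").
  byosbom:
    description: "Bring your own, use existing SBOM for SLSA"
    required: false
    default: "auto-generate-for-me-please.json"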
# Outputs are re-exported from the `set-outputs` step rather than read from
# the producing steps directly, because nested composite outputs are not
# evaluated reliably (see the comment on that step).
outputs:
  # Expected to be empty when the attest-sign step was skipped.
  salsa:
    value: ${{ steps.set-outputs.outputs.SALSA }}
    description: 'SLSA attestation'
  digest:
    value: ${{ steps.set-outputs.outputs.DIGEST }}
    description: 'Image digest'
  tag:
    value: ${{ steps.set-outputs.outputs.NEW_VERSION }}
    description: 'Release tag'
  image:
    value: ${{ steps.set-outputs.outputs.IMAGE }}
    description: 'Image name'
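runs:
  using: "composite"
  steps:
    # Authenticate to the NAIS registry via Workload Identity Federation.
    # NOTE(review): unlike the docker/* actions below, this ref is a mutable
    # tag rather than a commit SHA; pin it for a consistent supply-chain
    # posture.
    - name: NAIS login
      uses: nais/login@v0
      id: login
      with:
        project_id: ${{ inputs.project_id }}
        identity_provider: ${{ inputs.identity_provider }}
        team: ${{ inputs.team }}

    # Validate paths and derive the image repository name.
    # Inputs are passed through `env` instead of being expanded into the
    # script text: an input containing shell metacharacters (quotes, `$(...)`,
    # backticks) would otherwise be executed as part of the step.
    - name: Setup environment
      shell: bash
      id: setup
      env:
        DOCKERFILE: ${{ inputs.dockerfile }}
        DOCKER_CONTEXT: ${{ inputs.docker_context }}
        IMAGE_SUFFIX: ${{ inputs.image_suffix }}
      run: |
        if [ ! -f "$DOCKERFILE" ]; then
          echo "::error ::Dockerfile not found: ${DOCKERFILE}. Do you need to prepend context or working directory?"
          exit 1
        elif [ ! -d "$DOCKER_CONTEXT" ]; then
          echo "::error ::Docker context not found: ${DOCKER_CONTEXT}."
          exit 1
        fi
        # Repository name with the "<owner>/" prefix stripped, plus an
        # optional "-<suffix>" when image_suffix is set.
        repo_name="${GITHUB_REPOSITORY/$GITHUB_REPOSITORY_OWNER\//}"
        if [[ -n "$IMAGE_SUFFIX" ]]; then
          repo_name="${repo_name}-${IMAGE_SUFFIX}"
        fi
        echo "REPO_NAME=${repo_name}" >> "$GITHUB_OUTPUT"

    # Compute tags/labels. The date+sha tag has the higher priority, so it
    # becomes `version`; the custom tag is only emitted when `tag` is set.
    - name: Docker meta
      id: meta
      uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # ratchet:docker/metadata-action@v5
      with:
        images: |
          ${{ steps.login.outputs.registry }}/${{ steps.setup.outputs.REPO_NAME }}
        tags: |
          type=sha,prefix={{date 'YYYY.MM.DD-HH.mm'}}-,priority=9002
          type=raw,enable=${{ inputs.tag != '' }},value=${{ inputs.tag }},priority=9001

    - name: Build and push
      uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # ratchet:docker/build-push-action@v5
      id: build_push
      with:
        context: ${{ inputs.docker_context }}
        file: ${{ inputs.dockerfile }}
        push: ${{ inputs.push_image }}
        pull: ${{ inputs.pull }}
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: ${{ inputs.cache_from }}
        cache-to: ${{ inputs.cache_to }}
        build-args: ${{ inputs.build_args }}
        secrets: ${{ inputs.build_secrets }}

    # Surface a friendlier hint when the build step itself failed.
    - name: Check for errors
      if: ${{ failure() && steps.build_push.outcome == 'failure' }}
      shell: bash
      run: |
        echo "::error ::Failed during image build. Is your docker_context set to where your build files are?"
        exit 1

    # Attest by digest (not by tag) so the attestation is bound to the exact
    # bytes that were pushed. Skipped when not pushing or when salsa is off.
    # NOTE(review): this ref is a version tag, not a commit SHA.
    - name: Generate SBOM, attest and sign image
      if: ${{ inputs.push_image == 'true' && inputs.salsa == 'true' }}
      id: attest-sign
      uses: nais/[email protected]
      with:
        image_ref: ${{ steps.login.outputs.registry }}/${{ steps.setup.outputs.REPO_NAME }}@${{ steps.build_push.outputs.digest }}
        sbom: ${{ inputs.byosbom }}

    # For some reason, nested composite outputs aren't properly evaluated, so
    # we need to set them again. Values go through `env` so that a tag or
    # version derived from user input cannot alter the shell script.
    - name: Set outputs
      shell: bash
      id: set-outputs
      env:
        NEW_VERSION: ${{ steps.meta.outputs.version }}
        IMAGE: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
        DIGEST: ${{ steps.build_push.outputs.digest }}
        SALSA: ${{ steps.attest-sign.outputs.sbom }}
      run: |
        {
          echo "NEW_VERSION=${NEW_VERSION}"
          echo "IMAGE=${IMAGE}"
          echo "DIGEST=${DIGEST}"
          echo "SALSA=${SALSA}"
        } >> "$GITHUB_OUTPUT"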