Add workflow (#794)
gotsysdba authored Nov 30, 2023
1 parent fb2b2b7 commit 473c44a
Showing 3 changed files with 154 additions and 0 deletions.
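--- a/.github/actions/action.yml
+++ b/.github/actions/action.yml
@@ -0,0 +1,56 @@
+name: 'Process Image'
+description: 'Dockerfile, Build, Push Images'
+inputs:
+src_image:
+description: Source Image
+required: true
+dst_image:
+description: Destination Image
+required: true
+description:
+description: Description of Image
+required: true
+push:
+description: Boolean to push image (true) or just build (false)
+required: true
+runs:
+using: "composite"
+steps:
+- name: Set date and latest Tag
+shell: bash
+run: |
+full_dst_image=${{ inputs.dst_image }}
+now=$(date +'%Y.%m.%d')
+echo "date=$now" >> $GITHUB_ENV
+echo "date_dst_tag=$full_dst_image-${now//./}" >> $GITHUB_ENV
+echo "latest_dst_tag=${full_dst_image%:*}:latest" >> $GITHUB_ENV
+- name: Write Dockerfile
+shell: bash
+run: |
+cat <<- EOF > ${{ runner.temp }}/Dockerfile
+FROM ${{ inputs.src_image }}
+LABEL org.opencontainers.image.source="https://github.com/${{ github.repository }}"
+LABEL org.opencontainers.image.description="${{ inputs.description }}"
+LABEL org.opencontainers.image.name="${{ inputs.dst_image }}"
+LABEL org.opencontainers.image.version="${{ env.date }}"
+RUN (microdnf update --refresh --nodocs --best || microdnf update --refresh --nodocs --nobest) && microdnf clean all
+#RUN echo "Testing Update Functionality" > /image_digest
+RUN rpm -qa | sort | sha256sum | awk '{print $1}' > /image_digest
+EOF
+- name: Build Image
+uses: docker/build-push-action@v5
+if: ${{ inputs.push == 'false' }}
+with:
+context: "${{ runner.temp }}"
+push: false
+tags: ${{ env.latest_dst_tag }}
+
+- name: Build and Push Image
+uses: docker/build-push-action@v5
+if: ${{ inputs.push == 'true' }}
+with:
+context: "${{ runner.temp }}"
+push: true
+tags: ${{ env.latest_dst_tag }},${{ env.date_dst_tag }}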
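Review bot: The `run:` scripts of `Set date and latest Tag` and `Write Dockerfile` interpolate `inputs.dst_image`, `inputs.src_image` and `inputs.description` straight into bash and into the heredoc that becomes the Dockerfile, so a caller-supplied value containing shell metacharacters alters the script rather than the data; the workflow in this commit only feeds values from its own `env:` block, but a composite action is a reusable interface and should not rely on every future caller doing the same. Pass the inputs through an `env:` map and reference them as quoted shell variables, and quote `"$GITHUB_ENV"` on the three redirects for the same reason; the `Write Dockerfile` heredoc can read `$SRC_IMAGE`, `$DST_IMAGE` and `$DESCRIPTION` the same way since its `EOF` delimiter is unquoted. `docker/build-push-action@v5` is a mutable major-version tag; pinning to a full commit SHA with the release tag in a trailing comment is the usual supply-chain hardening for an action that is handed registry credentials. The YAML indentation of this section was lost in the rendered page, so the nesting below is inferred from the keys.
```yaml
    - name: Set date and latest Tag
      shell: bash
      env:
        DST_IMAGE: ${{ inputs.dst_image }}
      run: |
        now=$(date +'%Y.%m.%d')
        echo "date=$now" >> "$GITHUB_ENV"
        echo "date_dst_tag=${DST_IMAGE}-${now//./}" >> "$GITHUB_ENV"
        echo "latest_dst_tag=${DST_IMAGE%:*}:latest" >> "$GITHUB_ENV"
    # … unchanged: Write Dockerfile (same env: pattern for src_image, dst_image, description), Build Image, Build and Push Image …
```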
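--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -0,0 +1,16 @@
+# Workflows
+
+## obaas-base-image
+
+This workflow takes the GraalVM image from Oracle Container Registry, scans for vulnerabilities, applies the latest OS patches, and stages the new image in ghcr.io for use with the OBaaS Platform.
+
+### Workflow
+
+1. Download the latest, patched GraalVM OBaaS image from the ghcr.io
+a. If no image exists in ghcr.io, download the latest GraalVM image from Oracle Container Registry and stage in ghcr.io
+2. Run Trivy Vulnerability scanner against the ghcr.io image
+a. If Trivy does not find any vulnerabilities, **end workflow**
+b. If Trivy reports vulnerabilities, attempt to apply OS patches
+3. Compare exiting ghcr.io image with attempt of patched image
+a. If existing image is same as patched image (no OS updates), **end workflow**
+4. Push newly patched image as latest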
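--- a/.github/workflows/obaas-base-image.yml
+++ b/.github/workflows/obaas-base-image.yml
@@ -0,0 +1,82 @@
+name: "Build OBaaS Base Image"
+on:
+schedule:
+- cron: "0 0 * * *"
+workflow_dispatch:
+env:
+src_tag: 17-muslib-ol8
+dst_img: graalvm-native-image-obaas
+description: "Oracle GraalVM for JDK 17 and OBaaS."
+jobs:
+obaas-image:
+runs-on: ubuntu-latest
+permissions:
+packages: write
+contents: read
+steps:
+- uses: actions/checkout@v4
+with:
+sparse-checkout: .github
+
+- name: Login to GitHub Container Registry
+uses: docker/login-action@v3
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Get latest Image Software Digest
+run: |
+latest_digest=$(docker run --rm --entrypoint cat ghcr.io/${{ github.repository_owner }}/${{ env.dst_img }}:latest /image_digest)
+echo "Current Digest: $latest_digest"
+echo "latest_digest=$latest_digest" >> $GITHUB_ENV
+continue-on-error: true
+
+- name: Create New Image
+if: env.latest_digest == ''
+uses: ./.github/actions/process-image
+with:
+src_image: container-registry.oracle.com/graalvm/native-image:${{ env.src_tag }}
+dst_image: ghcr.io/${{ github.repository_owner }}/${{ env.dst_img }}:${{ env.src_tag }}
+description: ${{ env.description }}
+push: true
+
+- name: Run Trivy Vulnerability Scanner
+id: trivy_scan
+if: env.latest_digest != ''
+uses: aquasecurity/trivy-action@master
+with:
+image-ref: ghcr.io/${{ github.repository_owner }}/${{ env.dst_img }}:latest
+format: 'table'
+exit-code: '1'
+ignore-unfixed: true
+vuln-type: 'os,library'
+severity: 'CRITICAL,HIGH'
+continue-on-error: true
+
+- name: Update Existing Image
+id: update_image
+if: env.latest_digest != '' && steps.trivy_scan.outcome == 'failure'
+uses: ./.github/actions/process-image
+with:
+src_image: ghcr.io/${{ github.repository_owner }}/${{ env.dst_img }}:latest
+dst_image: ghcr.io/${{ github.repository_owner }}/${{ env.dst_img }}:${{ env.src_tag }}
+description: ${{ env.description }}
+push: false
+
+- name: Get newest Image Software Digest
+id: get_newest_digest
+if: steps.update_image.outcome != 'skipped'
+run: |
+newest_digest=$(docker run --rm --entrypoint cat ghcr.io/${{ github.repository_owner }}/${{ env.dst_img }}:latest /image_digest)
+echo "New Digest: $newest_digest"
+echo "newest_digest=$newest_digest" >> $GITHUB_ENV
+- name: Push Updated Image
+if: steps.get_newest_digest.outcome != 'skipped' && env.latest_digest != env.newest_digest
+uses: ./.github/actions/process-image
+with:
+src_image: ghcr.io/${{ github.repository_owner }}/${{ env.dst_img }}:latest
+dst_image: ghcr.io/${{ github.repository_owner }}/${{ env.dst_img }}:${{ env.src_tag }}
+description: ${{ env.description }}
+push: true
+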
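Review bot: The three `uses: ./.github/actions/process-image` steps point at a directory, but the action file this commit adds is `.github/actions/action.yml`, so the local action will not resolve unless it is moved to `.github/actions/process-image/action.yml` (or the `uses:` paths are changed to match). `uses: aquasecurity/trivy-action@master` on the Trivy step resolves to whatever the upstream default branch holds at run time, inside a job that has `packages: write` and has logged into ghcr.io with `GITHUB_TOKEN` two steps earlier, so a change on that branch runs with push rights to this repository's packages; pin it to a released tag or a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<pinned-commit-sha>  # <release tag>` (placeholder). `continue-on-error: true` on `Get latest Image Software Digest` makes a transient registry or auth failure indistinguishable from "no image published yet", and `if: env.latest_digest == ''` then rebuilds from the upstream base and pushes it as the new image instead of failing the run; checking the `docker run` exit status explicitly and exporting a separate "image exists" flag would keep the two cases apart. The comparison flow also appears to depend on the locally built `:latest` tag from `Update Existing Image` (push: false) shadowing the registry tag when `Get newest Image Software Digest` runs `docker run … :latest`, which I would document on that step since it only holds while the build lands in the runner's local Docker daemon.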