Skip to content

Commit

Permalink
feat!: Docker CI - Security added & Tagging updates - 2 (#1327)
Browse files Browse the repository at this point in the history 
## Overview

ℹ️ Same content as:
[1320](#1320), I had an
issue and the PR was closed...

Hello team,

Hope you’re doing well

The following PR contains some changes in the Docker CI, build &
publish.

I’ve added some features:
- File renamed: `amd64-docker-build.yml` -> `docker-build-publish.yml`
*We will be able to use a matrix for building the container in different
architectures.*

- This CI is triggered when
  - When push to any branch
  - When creating `PRs`
  - When there's a new hotfix (when push to main branch)
  - When push tags `(v0.0.0/v0.0.0-alpha/v0.0.0-beta/v0.0.0-rcX)`
- Only push new Docker images when they are in `main` or `v*` (blocking
forks for security)

- Security:
[Trivy](https://www.aquasec.com/products/trivy/) added to the CI, this
is the first step during the build, it scans the image and provide us a
table summary in case we have any CVE, if everything goes well, it
continues with the next step.
*It’s not going to block the CI in case of bugs, though I think it will
be good for us, stop it and fix them.*

- Docker tagging:
  - Git short SHA => for example: `a594b69`
  - Tag ID => for example: `0.0.1`
- Provided some additional metadata to the images:
  - Maintainer  =>   "maintainer": "CelestiaOrg"
  - Description => "CelestiaOrg repository celestiaorg/celestia-app"
- URL to the specific commit => "commit_url":
"a594b69"
- Docker pull command => "docker_pull_command": "docker pull
ghcr.io/celestiaorg/celestia-app:a594b691"

---

## Checklist

- [x] Required CI checks are passing
- [x] Linked issues closed with keywords

---

## Blockers

Hello team!
I'll need to add some permissions to allow the CI to have the access to
the packages.

This is an error that I'm having:
[link](https://github.com/celestiaorg/celestia-app/actions/runs/4058197292/jobs/6984898432)

```
ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1320: unexpected status: 403 Forbidden
Error: buildx failed with: ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1320: unexpected status: 403 Forbidden
```

Thanks in advance!

cc: @evan-forbes @rootulp  @Bidon15 @sysrex

Please, ping me when you'll going to merge it, just to check that
everything goes fine 😊
Thank you team!

---
Closes Issue: [37](celestiaorg/devops#37)

(cherry picked from commit 67c90ed)
  • Loading branch information
@tty47 @evan-forbes
tty47 authored and evan-forbes committed May 26, 2023
1 parent 4212131 commit abcc9e5
Showing 1 changed file with 107 additions and 0 deletions.
107 changes: 107 additions & 0 deletions .github/workflows/docker-build-publish.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
name: Docker Build & Publish

on:
push:
branches:
- "**"
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
- "v[0-9]+.[0-9]+.[0-9]+-alpha.[0-9]+"
- "v[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+"
- "v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+"
pull_request:

env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
MAINTAINER: CelestiaOrg
DESCRIPTION: CelestiaOrg repository ${{ github.repository }}

jobs:
docker-security:
runs-on: "ubuntu-latest"
steps:
- name: Checkout
uses: "actions/checkout@v3"

- name: Build and Push
uses: docker/build-push-action@v3
with:
push: false
platforms: linux/amd64
# we're building the container before the scan, use the local tag for
# refer to it later
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:local

- name: Run Trivy vulnerability scanner
# source: https://github.com/aquasecurity/trivy-action
# https://github.com/marketplace/actions/aqua-security-trivy
uses: aquasecurity/trivy-action@master
with:
# here we use the local tag that we've built before
image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:local'
format: 'table'
#exit-code: '1' # uncomment to stop the CI if the scanner fails
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

docker-build:
runs-on: "ubuntu-latest"
# wait until the security scanner will be done
needs: docker-security
permissions:
contents: write
packages: write

steps:
- name: Checkout
uses: "actions/checkout@v3"

- name: Login to GHCR
uses: docker/login-action@v2
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Add SHORT_SHA to ENV
run: echo "SHORT_SHA=`echo ${GITHUB_SHA} | cut -c1-8`" >> $GITHUB_ENV

- name: Extract Docker Metadata
id: meta
uses: docker/metadata-action@v4
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
# yamllint disable
labels: |
maintainer=${{ env.MAINTAINER }}
commitUrl=https://github.com/${{ github.repository }}/commit/${{ github.sha }}
dockerPull=docker pull ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.SHORT_SHA }}
org.opencontainers.image.description=${{ env.DESCRIPTION }}
tags: |
# output minimal (short sha)
type=raw,value={{sha}}
# output v0.2.1
type=semver,pattern=v{{version}}
# pull request event
type=ref,enable=true,prefix=pr-,suffix=,event=pr
# yamllint enable

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

# We always build the image but we only push if we are on the `main`
# branch or a versioned `v*` branch
- name: Build and PushDocker Image
uses: docker/build-push-action@v3
with:
platforms: linux/amd64,linux/arm64
# yamllint disable
# The following line, is execute as an if statement, only push when
# the branch is main or starts with v*
push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
# yamllint enable
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
file: Dockerfile

0 comments on commit abcc9e5

Please sign in to comment.