Using CKAN Backports Repository for Building Images >2.9.11

.github/workflows/docker-build.py.yml

@@ -0,0 +1,234 @@
+name: Build and push Python ckan-spatial images
+
+on:
+  pull_request:
+    types:
+        - closed
+    branches:
+        - master
+        - 'ckan-*.*'
+        - '!ckan-main'
+        - '!dev/ckan-*.*.*'
+        - '!feature/*'
+        - '!fix/*'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: mjanez/ckan-spatial
+  CONTEXT: .
+  BRANCH: ${{ github.head_ref }}
+  DOCKERFILE: Dockerfile.py3.*
+
+jobs:
+  build_and_push_base:
+    name: Build and push base image
+    runs-on: ubuntu-latest
+    outputs:
+      ckan_version: ${{ steps.extract_version.outputs.ckan_version }}
+      docker_labels: ${{ steps.meta.outputs.labels }}
+      docker_annotations: ${{ steps.meta.outputs.annotations }}
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Determine Dockerfile
+        id: determine_dockerfile
+        run: |
+          if [[ "${{ env.DOCKERFILE }}" == "Dockerfile.py3.*" ]]; then
+            REAL_DOCKERFILE=$(find ./${{ env.BRANCH }}/base -name "Dockerfile.py3.*" | head -n 1)
+            REAL_DOCKERFILE_NAME=$(basename $REAL_DOCKERFILE)
+            echo "DOCKERFILE=${REAL_DOCKERFILE_NAME}" >> $GITHUB_ENV
+          else
+            echo "DOCKERFILE=${{ env.DOCKERFILE }}" >> $GITHUB_ENV
+          fi
+
+      - name: Extract CKAN_VERSION from base Dockerfile
+        id: extract_version
+        run: |
+          CKAN_VERSION=$(grep -oP '(?<=^ARG CKAN_VERSION=ckan-)[0-9]+\.[0-9]+\.[0-9]+' ./${{ env.BRANCH }}/base/${{ env.DOCKERFILE }})
+          echo "ckan_version=${CKAN_VERSION}" >> $GITHUB_OUTPUT
+
+      - name: Generate suffix tag
+        id: generate_suffix
+        run: |
+          if [ "${{ env.DOCKERFILE }}" = "Dockerfile" ]; then
+            echo "suffix_tag=" >> $GITHUB_OUTPUT
+          else
+            SUFFIX=$(echo ${{ env.DOCKERFILE }} | sed -E 's/Dockerfile\.py([0-9]+)\./py\1./')
+            echo "suffix_tag=-${SUFFIX}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-base
+          labels: |
+            org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
+            org.opencontainers.image.version=${{ steps.extract_version.outputs.ckan_version }}
+          annotations: |
+            org.opencontainers.image.description=This image contains CKAN, an open-source data management system, along with its dependencies and configurations for spatial data support.
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+
+      - name: Build and push base image
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-base:${{ steps.extract_version.outputs.ckan_version }}${{ steps.generate_suffix.outputs.suffix_tag }}
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          context: ${{ env.CONTEXT }}/${{ env.BRANCH }}/base
+          file: ${{ env.CONTEXT }}/${{ env.BRANCH }}/base/${{ env.DOCKERFILE }}
+
+      - name: Linting Dockerfile with hadolint in GH Actions
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: ${{ env.CONTEXT }}/${{ env.BRANCH }}/base/${{ env.DOCKERFILE }}
+          no-fail: true
+
+      - name: Run Trivy container image vulnerability scanner
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-base:${{ steps.extract_version.outputs.ckan_version }}${{ steps.generate_suffix.outputs.suffix_tag }}
+          format: sarif
+          output: trivy-results-base.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results-base.sarif
+
+  build_and_push_dev:
+    name: Build and push development image from base
+    runs-on: ubuntu-latest
+    needs: build_and_push_base
+    env:
+      CKAN_VERSION: ${{ needs.build_and_push_base.outputs.ckan_version }}
+      DOCKER_LABELS: ${{ needs.build_and_push_base.outputs.docker_labels }}
+      DOCKER_ANNOTATIONS: ${{ needs.build_and_push_base.outputs.docker_annotations }}
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Determine Dockerfile
+        id: determine_dockerfile
+        run: |
+          if [[ "${{ env.DOCKERFILE }}" == "Dockerfile.py3.*" ]]; then
+            REAL_DOCKERFILE=$(find ./${{ env.BRANCH }}/base -name "Dockerfile.py3.*" | head -n 1)
+            REAL_DOCKERFILE_NAME=$(basename $REAL_DOCKERFILE)
+            echo "DOCKERFILE=${REAL_DOCKERFILE_NAME}" >> $GITHUB_ENV
+          else
+            echo "DOCKERFILE=${{ env.DOCKERFILE }}" >> $GITHUB_ENV
+          fi
+
+      - name: Generate suffix tag
+        id: generate_suffix
+        run: |
+          if [ "${{ env.DOCKERFILE }}" = "Dockerfile" ]; then
+            echo "suffix_tag=" >> $GITHUB_OUTPUT
+          else
+            SUFFIX=$(echo ${{ env.DOCKERFILE }} | sed -E 's/Dockerfile\.py([0-9]+)\./py\1./')
+            echo "suffix_tag=-${SUFFIX}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push dev image
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-dev:${{ env.CKAN_VERSION }}${{ steps.generate_suffix.outputs.suffix_tag }}
+          labels: ${{ env.DOCKER_LABELS }}
+          annotations: ${{ env.DOCKER_ANNOTATIONS }}
+          context: ${{ env.CONTEXT }}/${{ env.BRANCH }}/dev
+          file: ${{ env.CONTEXT }}/${{ env.BRANCH }}/dev/${{ env.DOCKERFILE }}
+
+      - name: Linting Dockerfile with hadolint in GH Actions
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: ${{ env.CONTEXT }}/${{ env.BRANCH }}/dev/${{ env.DOCKERFILE }}
+          no-fail: true
+
+      - name: Run Trivy container image vulnerability scanner
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-dev:${{ env.CKAN_VERSION }}${{ steps.generate_suffix.outputs.suffix_tag }}
+          format: sarif
+          output: trivy-results-dev.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results-dev.sarif
+
+  build_and_push_test:
+    name: Build and push test image from dev
+    runs-on: ubuntu-latest
+    needs: [build_and_push_base, build_and_push_dev]
+    env:
+      CKAN_VERSION: ${{ needs.build_and_push_base.outputs.ckan_version }}
+      DOCKER_LABELS: ${{ needs.build_and_push_base.outputs.docker_labels }}
+      DOCKER_ANNOTATIONS: ${{ needs.build_and_push_base.outputs.docker_annotations }}
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push test image
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          # Test only use base Dockerfile
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-test:${{ env.CKAN_VERSION }}
+          labels: ${{ env.DOCKER_LABELS }}
+          annotations: ${{ env.DOCKER_ANNOTATIONS }}
+          context: ${{ env.CONTEXT }}/${{ env.BRANCH }}/test
+          # Test only use base Dockerfile
+          file: ${{ env.CONTEXT }}/${{ env.BRANCH }}/test/Dockerfile
+
+      - name: Linting Dockerfile with hadolint in GH Actions
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          # Test only use base Dockerfile
+          dockerfile: ${{ env.CONTEXT }}/${{ env.BRANCH }}/test/Dockerfile
+          no-fail: true
+
+      - name: Run Trivy container image vulnerability scanner
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          # Test only use base Dockerfile
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-test:${{ env.CKAN_VERSION }}
+          format: sarif
+          output: trivy-results-test.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results-test.sarif