diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index aa0d1ff..1ed9641 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -3,42 +3,42 @@ name: Build, Test and Push Docker Image
on:
workflow_call:
inputs:
- dockerfile:
- description: 'Path to Dockerfile'
- default: 'Dockerfile'
- type: string
image-name:
- description: 'Name of Docker Image'
+ description: "Name of Docker Image"
type: string
required: true
image-tag:
- description: 'Tag of Docker Image'
+ description: "Tag of Docker Image"
+ default: "latest"
type: string
- required: true
+ dockerfile:
+ description: "Path to Dockerfile"
+ default: "Dockerfile"
+ type: string
+ context:
+ description: "Path to Docker Build Context"
+ default: "."
+ type: string
+ registry:
+ description: "Docker Registry"
+ default: "docker.io"
+ type: string
+ push:
+ description: "Push Docker Image to Registry"
+ default: false
+ type: boolean
security-scan:
- description: 'Enable Security Scan'
+ description: "Enable Trivy Security Scan"
default: true
type: boolean
security-report:
- description: 'Enable Security Report'
- default: 'sarif'
+ description: 'Security Report Mode (`"sarif"` | `"comment"`; ignored if `security-scan: false`)'
+ default: "sarif"
type: string
hadolint:
- description: 'Enable Hadolint'
+ description: "Enable Hadolint"
default: true
type: boolean
- push:
- description: 'Push Docker Image to Registry'
- default: false
- type: boolean
- context:
- description: 'Path to Docker Build Context'
- default: '.'
- type: string
- registry:
- description: 'Docker Registry'
- default: 'docker.io'
- type: string
secrets:
username:
required: false
@@ -67,7 +67,6 @@ jobs:
password: ${{ secrets.password }}
- name: Build Docker Image
- if: ${{ inputs.push }}
uses: docker/build-push-action@v6
with:
context: ${{ inputs.context }}
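Review bot: `security-report` is a free-form string, but only `sarif` and `comment` are acted on anywhere in this workflow: any other value (a typo, or `SARIF`) makes the Trivy step fall back to table output and leaves both the SARIF upload and the PR comment skipped, so the scan runs and its results are silently dropped. `workflow_call` inputs cannot be constrained by type, so the honest fix is a fail-fast step at the top of the job, e.g. `if: ${{ inputs.security-scan && !contains(fromJSON('["sarif","comment"]'), inputs.security-report) }}` with `run: echo "::error::security-report must be 'sarif' or 'comment'" && exit 1`. The `jobs:` section this would go into is outside this hunk.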
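Review bot: Dropping `if: ${{ inputs.push }}` makes the build step run on every call, which the scan and lint steps need, but whether the image is still published only when `inputs.push` is true now rests entirely on the action's `push:` parameter, which sits below this hunk in the same `with:` block; confirm it reads `push: ${{ inputs.push }}`, otherwise callers relying on the new `push: false` default will publish by accident. The login step that ends with `password: ${{ secrets.password }}` on the line above should be gated on `inputs.push` as well, since `username`/`password` are declared `required: false` and a caller that only wants scan and lint results has no credentials to log in with; its `if:` (if any) is above this hunk. The build step's `with:` block continues outside the hunk.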
@@ -88,12 +87,12 @@ jobs:
uses: aquasecurity/trivy-action@0.29.0
with:
input: vuln-image.tar
- format: 'table'
+ format: ${{ (inputs.security-report == 'sarif' && 'sarif') || 'table' }}
ignore-unfixed: true
- vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
+ vuln-type: "os,library"
+ severity: "CRITICAL,HIGH"
hide-progress: true
- output: trivy.txt
+ output: ${{ (inputs.security-report == 'sarif' && 'trivy-results.sarif') || 'trivy.txt' }}
- name: Read Trivy report file
id: read_trivy
@@ -109,8 +108,8 @@ jobs:
uses: peter-evans/find-comment@v3
with:
issue-number: ${{ github.event.pull_request.number }}
- comment-author: 'github-actions[bot]'
- body-includes: 'Trivy Security Scan Results'
+ comment-author: "github-actions[bot]"
+ body-includes: "Trivy Security Scan Results"
- name: Create or update Trivy comment
if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'comment'
@@ -134,7 +133,7 @@ jobs:
if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'sarif'
uses: github/codeql-action/upload-sarif@v3
with:
- sarif_file: 'trivy-results.sarif'
+ sarif_file: "trivy-results.sarif"
- name: Run Hadolint Dockerfile linter
id: hadolint
@@ -159,8 +158,8 @@ jobs:
uses: peter-evans/find-comment@v3
with:
issue-number: ${{ github.event.pull_request.number }}
- comment-author: 'github-actions[bot]'
- body-includes: 'Hadolint Dockerfile Lint Results'
+ comment-author: "github-actions[bot]"
+ body-includes: "Hadolint Dockerfile Lint Results"
- name: Create or update Hadolint comment
if: ${{ inputs.hadolint && steps.read_hadolint.outputs.report != '' }}
diff --git a/docker-build/README.md b/docker-build/README.md
index dffe9d5..2f09c92 100644
--- a/docker-build/README.md
+++ b/docker-build/README.md
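Review bot: The Trivy step's `with:` block (fully visible here) still sets no `exit-code`, so CRITICAL/HIGH findings never fail the job in either report mode — the scan is purely informational, and a caller reading `security-scan: true` will reasonably assume otherwise. Either add `exit-code: "1"` (behind a new boolean input if existing callers must not break) or say in the `security-scan` input description that the scan does not block the build. The new `format`/`output` expressions select `table`/`trivy.txt` for any value other than `sarif`, and the comment step's `if:` in the next hunk only fires for `comment`, so an unrecognised `security-report` value yields a report file nothing posts. `aquasecurity/trivy-action@0.29.0` and the other third-party actions in this file are pinned by tag rather than commit SHA, which is the usual hardening for a reusable workflow that others depend on; the step's own `if:` is above this hunk.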
@@ -1,29 +1,40 @@ # ๐Ÿณ Docker Build Workflow ## ๐Ÿ” Overview + This reusable GitHub Actions workflow automates the process of building and pushing Docker images to Docker Hub. It simplifies the Docker build process in your CI/CD pipeline by handling authentication, building, and tagging in a standardized way. Perfect for teams looking to streamline their containerization workflow with minimal configuration. ## โœจ Features + - ๐Ÿ” Securely authenticates with Docker Hub using best practices - ๐Ÿ—๏ธ Builds optimized Docker images from a specified Dockerfile - ๐Ÿท๏ธ Intelligently tags and pushes images to Docker Hub +- ๐Ÿ”Ž Scan for vulnerabilities +- ๐Ÿ‘ Lint dockerfile - ๐Ÿ›ก๏ธ Handles authentication securely using GitHub Secrets - ๐Ÿš€ Optimizes build performance with layer caching - ๐Ÿ“ฆ Supports multi-platform builds (AMD64, ARM64) ## โš™๏ธ Inputs -| Name | Description | Required | Default | -|------|-------------|----------|---------| -| `dockerfile` | Path to the Dockerfile to build (e.g., './Dockerfile', './docker/Dockerfile') | Yes | - | -| `tag` | Tag to apply to the built image (e.g., 'myimage:latest', 'myorg/myimage:v1.2.3') | Yes | - | +| Name | Description | Required | Default | +| ----------------- | ---------------------------------------------------------------------------------- | -------- | -------------- | +| `image-name` | Name of Docker Image (e.g., 'myimage', 'myorg/myimage') | true | - | +| `image-tag` | Tag to apply to the built image (e.g., 'latest', 'v1.2.3') | No | `"latest"` | +| `dockerfile` | Path to the Dockerfile to build (e.g., './Dockerfile', './docker/Dockerfile') | No | `"Dockerfile"` | +| `context` | Path to Docker Build Context | No | `"."` | +| `registry` | Docker Registry | No | `"docker.io"` | +| `push` | Push Docker Image to Registry | No | `false` | +| `security-scan` | Enable Trivy Security Scan | No | `true` | +| `security-report` | Security Report Mode (`"sarif"` \| `"comment"`; ignored if `security-scan: 
false`) | No | `"sarif"` | +| `hadolint` | Enable Hadolint | No | `true` | ## ๐Ÿ” Secrets -| Name | Description | Required | -|------|-------------|----------| -| `dockerhub_username` | Username for Docker Hub authentication | Yes | -| `dockerhub_pat` | Personal Access Token for Docker Hub authentication (with appropriate permissions) | Yes | +| Name | Description | Required | +| ---------- | --------------------------------------------------------------------------------------------------- | -------- | +| `username` | Username for Docker Registry authentication | Yes | +| `password` | Password or Personal Access Token for Docker registry authentication (with appropriate permissions) | Yes | ## ๐Ÿ’ป Example Usage 
@@ -32,62 +43,31 @@ name: Build and Push Docker Image on: push: - branches: [ main ] + branches: [main] # Also trigger on tag creation for release versioning tags: - - 'v*.*.*' + - "v*.*.*" jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 # Fetch all history for proper versioning - - - name: Build and Push Docker Image - uses: iExecBlockchainComputing/github-actions-workflows/docker-build@docker-build-v1.1.1 + - uses: actions/checkout@v4 with: - dockerfile: 'Dockerfile' - tag: 'my-image:latest' - secrets: - dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }} - dockerhub_pat: ${{ secrets.DOCKERHUB_PAT }} -``` - -## ๐Ÿ” Advanced Usage - -### Multi-Platform Build Example -```yaml -name: Build Multi-Platform Docker Image - -on: - release: - types: [published] - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + fetch-depth: 0 # Fetch all history for proper versioning - name: Build and Push Docker Image - uses: iExecBlockchainComputing/github-actions-workflows/docker-build@docker-build-v1.1.1 + uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@main # โš ๏ธ use tagged version here with: - dockerfile: 'Dockerfile' - tag: 'myorg/myapp:${{ github.event.release.tag_name }}' - secrets: - dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }} - dockerhub_pat: ${{ secrets.DOCKERHUB_PAT }} + image-name: "username/my-image" + dockerfile: "Dockerfile" + secrets: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_PAT }} ``` ## ๐Ÿ“ Notes + - ๐Ÿ”’ Ensure your Docker Hub credentials are stored securely as GitHub Secrets - ๐Ÿ”„ The workflow will automatically handle the Docker build and push process - ๐Ÿท๏ธ You can specify any valid Docker tag format in the `tag` input 
@@ -95,6 +75,7 @@ jobs: - ๐Ÿงช For testing purposes, you can use the `--dry-run` flag in your own implementation ## ๐Ÿ› ๏ธ Troubleshooting + - If you encounter authentication issues, verify your Docker Hub credentials are correct and have appropriate permissions - For build failures, check your Dockerfile syntax and ensure all referenced files exist - Large images may take longer to push - consider optimizing your Dockerfile with multi-stage builds