From 443e80980677662024368a47974ff0c4eb506fb6 Mon Sep 17 00:00:00 2001 From: Pierre Jeanjacquot <26487010+PierreJeanjacquot@users.noreply.github.com> Date: Wed, 2 Jul 2025 10:06:57 +0200 Subject: [PATCH 1/5] feat(docker-build): make image-tag and dockerfile optional --- .github/workflows/docker-build.yml | 48 +++++++++++++++--------------- docker-build/README.md | 40 ++++++++++++++----------- 2 files changed, 47 insertions(+), 41 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index aa0d1ff..bcda7e1 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -3,41 +3,41 @@ name: Build, Test and Push Docker Image on: workflow_call: inputs: - dockerfile: - description: 'Path to Dockerfile' - default: 'Dockerfile' - type: string image-name: - description: 'Name of Docker Image' + description: "Name of Docker Image" type: string required: true + dockerfile: + description: "Path to Dockerfile" + default: "Dockerfile" + type: string image-tag: - description: 'Tag of Docker Image' + description: "Tag of Docker Image" + default: "latest" type: string - required: true security-scan: - description: 'Enable Security Scan' + description: "Enable Security Scan" default: true type: boolean security-report: - description: 'Enable Security Report' - default: 'sarif' + description: "Enable Security Report" + default: "sarif" type: string hadolint: - description: 'Enable Hadolint' + description: "Enable Hadolint" default: true type: boolean push: - description: 'Push Docker Image to Registry' + description: "Push Docker Image to Registry" default: false type: boolean context: - description: 'Path to Docker Build Context' - default: '.' + description: "Path to Docker Build Context" + default: "." type: string registry: - description: 'Docker Registry' - default: 'docker.io' + description: "Docker Registry" + default: "docker.io" type: string secrets: username: 
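Review bot: Dropping `required: true` from `image-tag` and defaulting it to `"latest"` means a caller that sets `push: true` but forgets the tag now silently overwrites the registry's mutable `latest` tag with whatever ref happened to trigger the run, since this one reusable workflow serves branch, PR and release builds alike; the old contract at least forced callers to name the tag. If the default is only meant to make dry-runs convenient, keep the input without a default (so an omitted tag is detectable as the empty string), fall back to `latest` only in the non-push path with `${{ inputs.image-tag || 'latest' }}`, and fail fast with a step guarded by `if: ${{ inputs.push && inputs.image-tag == '' }}` running `echo "::error::image-tag is required when push is true"; exit 1`. At minimum the description should state the risk: `description: "Tag of Docker Image (defaults to the mutable 'latest' tag; set explicitly when push is true)"`. The `secrets:` mapping is cut off at the end of the hunk, so whether `username`/`password` are required is not visible here.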
@@ -88,10 +88,10 @@ jobs:
 uses: aquasecurity/trivy-action@0.29.0
 with:
 input: vuln-image.tar
- format: 'table'
+ format: "table"
 ignore-unfixed: true
- vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
+ vuln-type: "os,library"
+ severity: "CRITICAL,HIGH"
 hide-progress: true
 output: trivy.txt
@@ -109,8 +109,8 @@ jobs:
 uses: peter-evans/find-comment@v3
 with:
 issue-number: ${{ github.event.pull_request.number }}
- comment-author: 'github-actions[bot]'
- body-includes: 'Trivy Security Scan Results'
+ comment-author: "github-actions[bot]"
+ body-includes: "Trivy Security Scan Results"
 - name: Create or update Trivy comment
 if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'comment'
@@ -134,7 +134,7 @@ jobs:
 if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'sarif'
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: 'trivy-results.sarif'
+ sarif_file: "trivy-results.sarif"
 - name: Run Hadolint Dockerfile linter
 id: hadolint
@@ -159,8 +159,8 @@ jobs:
 uses: peter-evans/find-comment@v3
 with:
 issue-number: ${{ github.event.pull_request.number }}
- comment-author: 'github-actions[bot]'
- body-includes: 'Hadolint Dockerfile Lint Results'
+ comment-author: "github-actions[bot]"
+ body-includes: "Hadolint Dockerfile Lint Results"
 - name: Create or update Hadolint comment
 if: ${{ inputs.hadolint && steps.read_hadolint.outputs.report != '' }}
diff --git a/docker-build/README.md b/docker-build/README.md
index dffe9d5..112e12f 100644
--- a/docker-build/README.md
+++ b/docker-build/README.md
@@ -1,9 +1,11 @@ # ๐Ÿณ Docker Build Workflow ## ๐Ÿ” Overview + This reusable GitHub Actions workflow automates the process of building and pushing Docker images to Docker Hub. It simplifies the Docker build process in your CI/CD pipeline by handling authentication, building, and tagging in a standardized way. Perfect for teams looking to streamline their containerization workflow with minimal configuration. ## โœจ Features + - ๐Ÿ” Securely authenticates with Docker Hub using best practices - ๐Ÿ—๏ธ Builds optimized Docker images from a specified Dockerfile - ๐Ÿท๏ธ Intelligently tags and pushes images to Docker Hub 
@@ -13,17 +15,18 @@ This reusable GitHub Actions workflow automates the process of building and push ## โš™๏ธ Inputs -| Name | Description | Required | Default | -|------|-------------|----------|---------| -| `dockerfile` | Path to the Dockerfile to build (e.g., './Dockerfile', './docker/Dockerfile') | Yes | - | -| `tag` | Tag to apply to the built image (e.g., 'myimage:latest', 'myorg/myimage:v1.2.3') | Yes | - | +| Name | Description | Required | Default | +| ------------ | -------------------------------------------------------------------------------- | -------- | -------------- | +| `image-name` | Tag to apply to the built image (e.g., 'myimage:latest', 'myorg/myimage:v1.2.3') | true | - | +| `image-tag` | Tag to apply to the built image (e.g., 'latest', 'v1.2.3') | No | `"latest"` | +| `dockerfile` | Path to the Dockerfile to build (e.g., './Dockerfile', './docker/Dockerfile') | No | `"Dockerfile"` | ## ๐Ÿ” Secrets -| Name | Description | Required | -|------|-------------|----------| -| `dockerhub_username` | Username for Docker Hub authentication | Yes | -| `dockerhub_pat` | Personal Access Token for Docker Hub authentication (with appropriate permissions) | Yes | +| Name | Description | Required | +| -------------------- | ---------------------------------------------------------------------------------- | -------- | +| `dockerhub_username` | Username for Docker Hub authentication | Yes | +| `dockerhub_pat` | Personal Access Token for Docker Hub authentication (with appropriate permissions) | Yes | ## ๐Ÿ’ป Example Usage @@ -32,10 +35,10 @@ name: Build and Push Docker Image on: push: - branches: [ main ] + branches: [main] # Also trigger on tag creation for release versioning tags: - - 'v*.*.*' + - "v*.*.*" jobs: build: 
@@ -43,14 +46,14 @@ jobs: steps: - uses: actions/checkout@v3 with: - fetch-depth: 0 # Fetch all history for proper versioning + fetch-depth: 0 # Fetch all history for proper versioning - name: Build and Push Docker Image uses: iExecBlockchainComputing/github-actions-workflows/docker-build@docker-build-v1.1.1 with: - dockerfile: 'Dockerfile' - tag: 'my-image:latest' - secrets: + image-name: "username/my-image" + dockerfile: "Dockerfile" + secrets: dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }} dockerhub_pat: ${{ secrets.DOCKERHUB_PAT }} ``` @@ -58,6 +61,7 @@ jobs: ## ๐Ÿ” Advanced Usage ### Multi-Platform Build Example + ```yaml name: Build Multi-Platform Docker Image @@ -80,14 +84,15 @@ jobs: - name: Build and Push Docker Image uses: iExecBlockchainComputing/github-actions-workflows/docker-build@docker-build-v1.1.1 with: - dockerfile: 'Dockerfile' - tag: 'myorg/myapp:${{ github.event.release.tag_name }}' - secrets: + dockerfile: "Dockerfile" + tag: "myorg/myapp:${{ github.event.release.tag_name }}" + secrets: dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }} dockerhub_pat: ${{ secrets.DOCKERHUB_PAT }} ``` ## ๐Ÿ“ Notes + - ๐Ÿ”’ Ensure your Docker Hub credentials are stored securely as GitHub Secrets - ๐Ÿ”„ The workflow will automatically handle the Docker build and push process - ๐Ÿท๏ธ You can specify any valid Docker tag format in the `tag` input @@ -95,6 +100,7 @@ jobs: - ๐Ÿงช For testing purposes, you can use the `--dry-run` flag in your own implementation ## ๐Ÿ› ๏ธ Troubleshooting + - If you encounter authentication issues, verify your Docker Hub credentials are correct and have appropriate permissions - For build failures, check your Dockerfile syntax and ensure all referenced files exist - Large images may take longer to push - consider optimizing your Dockerfile with multi-stage builds From 0613878dcb3d8a4b01496935927409d867db3101 Mon Sep 17 00:00:00 2001 
From: Pierre Jeanjacquot <26487010+PierreJeanjacquot@users.noreply.github.com>
Date: Wed, 2 Jul 2025 10:17:04 +0200
Subject: [PATCH 2/5] feat(docker-build): allow dry-runs by always running build (even if push is disabled)
---
 .github/workflows/docker-build.yml | 1 -
 docker-build/README.md | 11 ++++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index bcda7e1..51909e0 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -67,7 +67,6 @@ jobs:
 password: ${{ secrets.password }}
 - name: Build Docker Image
- if: ${{ inputs.push }}
 uses: docker/build-push-action@v6
 with:
 context: ${{ inputs.context }}
diff --git a/docker-build/README.md b/docker-build/README.md
index 112e12f..2456b58 100644
--- a/docker-build/README.md
+++ b/docker-build/README.md
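Review bot: With `if: ${{ inputs.push }}` removed from the build step, the only thing left deciding whether an image leaves the runner is the `push:` argument of docker/build-push-action, which lies below the lines visible in this hunk; confirm it reads `push: ${{ inputs.push }}` rather than a literal, otherwise every invocation — including the dry-runs this change exists to enable — now publishes. The login step just above (`password: ${{ secrets.password }}`) presumably runs unconditionally too; in a dry-run it is only an opportunity for a failed login, especially since the workflow declares `username` as `required: false` (visible as context in the last patch of this series), so gate it with `if: ${{ inputs.push }}` so that non-push builds never touch registry credentials. The rest of the build step's `with:` block continues outside the hunk.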
@@ -15,11 +15,12 @@ This reusable GitHub Actions workflow automates the process of building and push ## โš™๏ธ Inputs -| Name | Description | Required | Default | -| ------------ | -------------------------------------------------------------------------------- | -------- | -------------- | -| `image-name` | Tag to apply to the built image (e.g., 'myimage:latest', 'myorg/myimage:v1.2.3') | true | - | -| `image-tag` | Tag to apply to the built image (e.g., 'latest', 'v1.2.3') | No | `"latest"` | -| `dockerfile` | Path to the Dockerfile to build (e.g., './Dockerfile', './docker/Dockerfile') | No | `"Dockerfile"` | +| Name | Description | Required | Default | +| ------------ | ----------------------------------------------------------------------------- | -------- | -------------- | +| `image-name` | Name of Docker Image (e.g., 'myimage', 'myorg/myimage') | true | - | +| `image-tag` | Tag to apply to the built image (e.g., 'latest', 'v1.2.3') | No | `"latest"` | +| `dockerfile` | Path to the Dockerfile to build (e.g., './Dockerfile', './docker/Dockerfile') | No | `"Dockerfile"` | +| `push` | Push Docker Image to Registry | No | `false` | ## ๐Ÿ” Secrets From d62cb42621b30a9e7c3d99dce914548a154574f8 Mon Sep 17 00:00:00 2001 From: pjt <26487010+PierreJeanjacquot@users.noreply.github.com> Date: Tue, 1 Jul 2025 17:05:58 +0200 Subject: [PATCH 3/5] docs(docker-build): fix bad workflow reference --- docker-build/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-build/README.md b/docker-build/README.md index 2456b58..72f8853 100644 --- a/docker-build/README.md +++ b/docker-build/README.md 
@@ -50,7 +50,7 @@ jobs:
 fetch-depth: 0 # Fetch all history for proper versioning
 - name: Build and Push Docker Image
- uses: iExecBlockchainComputing/github-actions-workflows/docker-build@docker-build-v1.1.1
+ uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.2.0
 with:
 image-name: "username/my-image"
 dockerfile: "Dockerfile"
@@ -83,7 +83,7 @@ jobs:
 uses: docker/setup-buildx-action@v2
 - name: Build and Push Docker Image
- uses: iExecBlockchainComputing/github-actions-workflows/docker-build@docker-build-v1.1.1
+ uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.2.0
 with:
 dockerfile: "Dockerfile"
 tag: "myorg/myapp:${{ github.event.release.tag_name }}"
From a1f3c7cfedeb72eb0ebe05a78d153882d3777016 Mon Sep 17 00:00:00 2001
From: Pierre Jeanjacquot <26487010+PierreJeanjacquot@users.noreply.github.com>
Date: Wed, 2 Jul 2025 11:40:19 +0200
Subject: [PATCH 4/5] fix(docker-build): fix sarif security-report
---
 .github/workflows/docker-build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 51909e0..c3b03c5 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -87,12 +87,12 @@ jobs:
 uses: aquasecurity/trivy-action@0.29.0
 with:
 input: vuln-image.tar
- format: "table"
+ format: ${{ (inputs.security-report == 'sarif' && 'sarif') || 'table' }}
 ignore-unfixed: true
 vuln-type: "os,library"
 severity: "CRITICAL,HIGH"
 hide-progress: true
- output: trivy.txt
+ output: ${{ (inputs.security-report == 'sarif' && 'trivy-results.sarif') || 'trivy.txt' }}
 - name: Read Trivy report file
 id: read_trivy
From 7337e1192ac9cd51128eb577229fdf95a2712e58 Mon Sep 17 00:00:00 2001
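Review bot: The report selection added to this Trivy step still leaves the scan purely advisory: the `with:` block sets no `exit-code`, so the action returns 0 regardless of CRITICAL/HIGH findings, and the SARIF upload step elsewhere in this workflow is gated on `github.event_name == 'pull_request'`, so on push and tag builds — presumably the runs that set `push: true` — a vulnerable image is scanned, its results written to `trivy-results.sarif` and discarded, and the image is published with no signal at all. Consider `exit-code: "1"` (or a boolean `fail-on-vulnerabilities` input feeding it) so findings block the push, and uploading SARIF on non-PR events as well, since code scanning accepts results for the default branch. Note also that any `security-report` value other than the literal `sarif` (`Sarif`, `SARIF`, a typo) selects the table output here while matching neither the sarif nor the comment step downstream.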
From: Pierre Jeanjacquot <26487010+PierreJeanjacquot@users.noreply.github.com> Date: Wed, 2 Jul 2025 13:22:50 +0200 Subject: [PATCH 5/5] docs(docker-build): fix documentation --- .github/workflows/docker-build.yml | 34 +++++++-------- docker-build/README.md | 68 +++++++++--------------------- 2 files changed, 38 insertions(+), 64 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index c3b03c5..1ed9641 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -7,38 +7,38 @@ on: description: "Name of Docker Image" type: string required: true + image-tag: + description: "Tag of Docker Image" + default: "latest" + type: string dockerfile: description: "Path to Dockerfile" default: "Dockerfile" type: string - image-tag: - description: "Tag of Docker Image" - default: "latest" + context: + description: "Path to Docker Build Context" + default: "." type: string + registry: + description: "Docker Registry" + default: "docker.io" + type: string + push: + description: "Push Docker Image to Registry" + default: false + type: boolean security-scan: - description: "Enable Security Scan" + description: "Enable Trivy Security Scan" default: true type: boolean security-report: - description: "Enable Security Report" + description: 'Security Report Mode (`"sarif"` | `"comment"`; ignored if `security-scan: false`)' default: "sarif" type: string hadolint: description: "Enable Hadolint" default: true type: boolean - push: - description: "Push Docker Image to Registry" - default: false - type: boolean - context: - description: "Path to Docker Build Context" - default: "." - type: string - registry: - description: "Docker Registry" - default: "docker.io" - type: string secrets: username: required: false diff --git a/docker-build/README.md b/docker-build/README.md index 72f8853..2f09c92 100644 --- a/docker-build/README.md +++ b/docker-build/README.md 
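Review bot: The new description advertises `security-report` as a two-value enum (`"sarif"` | `"comment"`), but the input stays a free-form string that nothing validates: any other value lets the scan run and then neither the upload step (`== 'sarif'`) nor the comment step (`== 'comment'`) fires, while the job goes green. Since `workflow_call` inputs have no `options:`, add a fail-fast step ahead of the build, `if: ${{ inputs.security-scan && !contains(fromJSON('["sarif","comment"]'), inputs.security-report) }}` with `run: echo "::error::security-report must be 'sarif' or 'comment'"; exit 1`. Separately, the hunk's trailing context shows `username:` declared `required: false`, which contradicts the README table in this same commit listing both secrets as required; either mark them required or document that they are only needed when `push` is true.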
@@ -9,25 +9,32 @@ This reusable GitHub Actions workflow automates the process of building and push - ๐Ÿ” Securely authenticates with Docker Hub using best practices - ๐Ÿ—๏ธ Builds optimized Docker images from a specified Dockerfile - ๐Ÿท๏ธ Intelligently tags and pushes images to Docker Hub +- ๐Ÿ”Ž Scan for vulnerabilities +- ๐Ÿ‘ Lint dockerfile - ๐Ÿ›ก๏ธ Handles authentication securely using GitHub Secrets - ๐Ÿš€ Optimizes build performance with layer caching - ๐Ÿ“ฆ Supports multi-platform builds (AMD64, ARM64) ## โš™๏ธ Inputs -| Name | Description | Required | Default | -| ------------ | ----------------------------------------------------------------------------- | -------- | -------------- | -| `image-name` | Name of Docker Image (e.g., 'myimage', 'myorg/myimage') | true | - | -| `image-tag` | Tag to apply to the built image (e.g., 'latest', 'v1.2.3') | No | `"latest"` | -| `dockerfile` | Path to the Dockerfile to build (e.g., './Dockerfile', './docker/Dockerfile') | No | `"Dockerfile"` | -| `push` | Push Docker Image to Registry | No | `false` | +| Name | Description | Required | Default | +| ----------------- | ---------------------------------------------------------------------------------- | -------- | -------------- | +| `image-name` | Name of Docker Image (e.g., 'myimage', 'myorg/myimage') | true | - | +| `image-tag` | Tag to apply to the built image (e.g., 'latest', 'v1.2.3') | No | `"latest"` | +| `dockerfile` | Path to the Dockerfile to build (e.g., './Dockerfile', './docker/Dockerfile') | No | `"Dockerfile"` | +| `context` | Path to Docker Build Context | No | `"."` | +| `registry` | Docker Registry | No | `"docker.io"` | +| `push` | Push Docker Image to Registry | No | `false` | +| `security-scan` | Enable Trivy Security Scan | No | `true` | +| `security-report` | Security Report Mode (`"sarif"` \| `"comment"`; ignored if `security-scan: false`) | No | `"sarif"` | +| `hadolint` | Enable Hadolint | No | `true` | ## ๐Ÿ” Secrets -| Name | 
Description | Required | -| -------------------- | ---------------------------------------------------------------------------------- | -------- | -| `dockerhub_username` | Username for Docker Hub authentication | Yes | -| `dockerhub_pat` | Personal Access Token for Docker Hub authentication (with appropriate permissions) | Yes | +| Name | Description | Required | +| ---------- | --------------------------------------------------------------------------------------------------- | -------- | +| `username` | Username for Docker Registry authentication | Yes | +| `password` | Password or Personal Access Token for Docker registry authentication (with appropriate permissions) | Yes | ## ๐Ÿ’ป Example Usage 
@@ -45,51 +52,18 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 # Fetch all history for proper versioning - name: Build and Push Docker Image - uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.2.0 + uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@main # โš ๏ธ use tagged version here with: image-name: "username/my-image" dockerfile: "Dockerfile" secrets: - dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }} - dockerhub_pat: ${{ secrets.DOCKERHUB_PAT }} -``` - -## ๐Ÿ” Advanced Usage - -### Multi-Platform Build Example - -```yaml -name: Build Multi-Platform Docker Image - -on: - release: - types: [published] - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - - name: Build and Push Docker Image - uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.2.0 - with: - dockerfile: "Dockerfile" - tag: "myorg/myapp:${{ github.event.release.tag_name }}" - secrets: - dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }} - dockerhub_pat: ${{ secrets.DOCKERHUB_PAT }} + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_PAT }} ``` ## ๐Ÿ“ Notes