.github/workflows/docker-image-ci.yml
name: Docker Image CI
on:
push:
branches:
- master
paths:
- "kubernetes/**"
- "!kubernetes/bin/**"
- "!kubernetes/**/*.md"
- ".github/workflows/docker-image-ci.yml"
pull_request:
paths:
- "kubernetes/**"
- "!kubernetes/bin/**"
- "!kubernetes/**/*.md"
- ".github/workflows/docker-image-ci.yml"
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Check out Git repository
uses: actions/checkout@v4.1.7
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2.10.0
- name: Cache Docker layers
uses: actions/cache@v4.0.2
with:
path: /tmp/.buildx-cache
key: ${{ github.ref }}-${{ github.sha }}
restore-keys: |
${{ github.ref }}-${{ github.sha }}
${{ github.ref }}
refs/head/main
- name: setup docker args
env:
TZ: "Asia/Tokyo"
run: |
echo "BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
echo "VCS_REF=$(echo ${GITHUB_SHA} | cut -c1-8)" >> $GITHUB_ENV
- name: setup docker push actions
run: |
if [[ github.event_name == 'push' ]]; then
echo "PUSH=true" >> $GITHUB_ENV
else
echo "PUSH=false" >> $GITHUB_ENV
fi
- name: docker login
if: github.event_name == 'push'
env:
DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
DOCKERHUB_PASS: ${{ secrets.DOCKERHUB_PASS }}
run: docker login -u $DOCKERHUB_USER -p $DOCKERHUB_PASS
- name: Build and push - nginx
uses: docker/build-push-action@v4.2.1
with:
context: ./kubernetes/nginx
push: ${{ env.PUSH }}
tags: ${{ secrets.DOCKERHUB_USER }}/nginx:latest
build-args: |
VCS_REF=${VCS_REF}
BUILD_DATE=${BUILD_DATE}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Run Snyk to check Docker image for vulnerabilities - nginx
continue-on-error: true
uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/nginx
args: --severity-threshold=critical --file=kubernetes/nginx/Dockerfile
- name: rename sarif file
run: mv snyk.sarif nginx.sarif
- name: Build and push - mysql
uses: docker/build-push-action@v4.2.1
with:
context: ./kubernetes/mysql
push: ${{ env.PUSH }}
tags: ${{ secrets.DOCKERHUB_USER }}/mysql:latest
build-args: |
VCS_REF=${VCS_REF}
BUILD_DATE=${BUILD_DATE}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Run Snyk to check Docker image for vulnerabilities - mysql
continue-on-error: true
uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/mysql
args: --severity-threshold=critical --file=kubernetes/mysql/Dockerfile
- name: rename sarif file
run: mv snyk.sarif mysql.sarif
- name: Build and push - postgres
uses: docker/build-push-action@v4.2.1
with:
context: ./kubernetes/postgres
push: ${{ env.PUSH }}
tags: ${{ secrets.DOCKERHUB_USER }}/postgres:latest
build-args: |
VCS_REF=${VCS_REF}
BUILD_DATE=${BUILD_DATE}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Run Snyk to check Docker image for vulnerabilities - postgres
continue-on-error: true
uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/postgres
args: --severity-threshold=critical --file=kubernetes/postgres/Dockerfile
- name: rename sarif file
run: mv snyk.sarif postgres.sarif
- name: Build and push - mongodb
uses: docker/build-push-action@v4.2.1
with:
context: ./kubernetes/mongodb
push: ${{ env.PUSH }}
tags: ${{ secrets.DOCKERHUB_USER }}/mongodb:latest
build-args: |
VCS_REF=${VCS_REF}
BUILD_DATE=${BUILD_DATE}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Run Snyk to check Docker image for vulnerabilities - mongodb
continue-on-error: true
uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/mongodb
args: --severity-threshold=critical --file=kubernetes/mongodb/Dockerfile
- name: rename sarif file
run: mv snyk.sarif mongodb.sarif
- name: Build and push - cassandra
uses: docker/build-push-action@v4.2.1
with:
context: ./kubernetes/cassandra
push: ${{ env.PUSH }}
tags: ${{ secrets.DOCKERHUB_USER }}/cassandra:latest
build-args: |
VCS_REF=${VCS_REF}
BUILD_DATE=${BUILD_DATE}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Run Snyk to check Docker image for vulnerabilities - cassandra
continue-on-error: true
uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/cassandra
args: --severity-threshold=critical --file=kubernetes/cassandra/Dockerfile
- name: rename sarif file
run: mv snyk.sarif cassandra.sarif
- name: Build and push - rabbitmq
uses: docker/build-push-action@v4.2.1
with:
context: ./kubernetes/rabbitmq
push: ${{ env.PUSH }}
tags: ${{ secrets.DOCKERHUB_USER }}/rabbitmq:latest
build-args: |
VCS_REF=${VCS_REF}
BUILD_DATE=${BUILD_DATE}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Run Snyk to check Docker image for vulnerabilities - rabbitmq
continue-on-error: true
uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/rabbitmq
args: --severity-threshold=critical --file=kubernetes/rabbitmq/Dockerfile
- name: rename sarif file
run: mv snyk.sarif rabbitmq.sarif
- name: Build and push - jenkins
uses: docker/build-push-action@v4.2.1
with:
context: ./kubernetes/monitoring/jenkins
push: ${{ env.PUSH }}
tags: ${{ secrets.DOCKERHUB_USER }}/jenkins:latest
build-args: |
VCS_REF=${VCS_REF}
BUILD_DATE=${BUILD_DATE}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Build and push - ab
uses: docker/build-push-action@v4.2.1
with:
context: ./kubernetes/monitoring/test/ab
push: ${{ env.PUSH }}
tags: ${{ secrets.DOCKERHUB_USER }}/ab:latest
build-args: |
VCS_REF=${VCS_REF}
BUILD_DATE=${BUILD_DATE}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Run Snyk to check Docker image for vulnerabilities - ab
continue-on-error: true
uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/ab
args: --severity-threshold=critical --file=kubernetes/monitoring/test/ab/Dockerfile
- name: rename sarif file
run: mv snyk.sarif ab.sarif
- name: Build and push - postmannewman-quarkus
uses: docker/build-push-action@v4.2.1
with:
context: ./kubernetes/monitoring/test/postmannewman/quarkus
push: ${{ env.PUSH }}
tags: ${{ secrets.DOCKERHUB_USER }}/postmannewman-quarkus:latest
build-args: |
VCS_REF=${VCS_REF}
BUILD_DATE=${BUILD_DATE}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Run Snyk to check Docker image for vulnerabilities - postmannewman-quarkus
continue-on-error: true
uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/postmannewman-quarkus
args: --severity-threshold=critical --file=kubernetes/monitoring/test/postmannewman/quarkus/Dockerfile
- name: rename sarif file
run: mv snyk.sarif postmannewman-quarkus.sarif
- name: Upload result to GitHub Code Scanning - postmannewman-quarkus
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./