Skip to content

Commit

Permalink
replace container build steps with reusable workflow (#732)
Browse files Browse the repository at this point in the history
* refactor: replace container build steps with reusable workflow

- Centralized container build logic into a reusable workflow file.
- Simplified workflow definitions in CI, PyPI, and GitHub release pipelines.
- Improved maintainability by eliminating duplicate container build steps.
  • Loading branch information
dtrai2 authored Dec 17, 2024
1 parent ca065f9 commit 1791db8
Show file tree
Hide file tree
Showing 4 changed files with 145 additions and 200 deletions.
99 changes: 5 additions & 94 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -94,97 +94,8 @@ jobs:
uses: codecov/codecov-action@v2

containerbuild:
strategy:
fail-fast: false
matrix:
python-version: ["3.10", "3.11", "3.12"]

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build image and export to Docker
uses: docker/build-push-action@v6
with:
context: .
load: true
build-args: |
LOGPREP_VERSION=dev
PYTHON_VERSION=${{ matrix.python-version }}
tags: |
ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
- name: Ensure logprep is available in image
run: |
docker run --rm ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} --version
# This step will build the image again, but every layer will already be cached, so it is nearly instantaneous.
- name: Push image
uses: docker/build-push-action@v6
id: build-and-push
with:
context: .
push: true
build-args: |
LOGPREP_VERSION=dev
PYTHON_VERSION=${{ matrix.python-version }}
tags: |
ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
- name: Install Cosign
uses: sigstore/cosign-installer@v3.7.0
with:
cosign-release: 'v2.4.1'

- name: Create SBOM of container image
uses: anchore/sbom-action@v0
with:
image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }}
artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json

- name: Sign image with a key and add sbom attestation
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}

# To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get date
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT

- name: Restore trivy cache
uses: actions/cache@v4
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys:
trivy-cache-

- name: Scan image using Trivy
uses: aquasecurity/trivy-action@0.24.0
env:
TRIVY_CACHE_DIR: ./cache
with:
scan-type: image
image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
trivy-config: trivy.yaml

# Trivy-db uses `0600` permissions.
# But `action/cache` use `runner` user by default
# So we need to change the permissions before caching the database.
- name: Change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db
uses: ./.github/workflows/container-build.yml
secrets: inherit
with:
build-version: dev
tags: "${{ github.head_ref }}"
129 changes: 129 additions & 0 deletions .github/workflows/container-build.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
name: Reusable Container Build

on:
workflow_call:
inputs:
build-version:
description: "Version of Logprep to build"
required: true
type: string
tags:
description: "Tags to apply to the image"
required: true
type: string

jobs:
containerbuild:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [ "3.10", "3.11", "3.12" ]

steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Generate Image Tags
id: image-tag
run: |
python - <<EOF
import os
image = "ghcr.io/fkie-cad/logprep"
version = "${{ matrix.python-version }}"
tags = "${{ inputs.tags }}".split(",")
full_image = [f"{image}:py{version}-{tag.strip()}" for tag in tags]
with open(os.environ['GITHUB_OUTPUT'], 'a') as file:
file.write(f"tags={', '.join(full_image)}")
EOF
- name: Build image and export to Docker
uses: docker/build-push-action@v6
id: build
with:
context: .
load: true
build-args: |
LOGPREP_VERSION=${{ inputs.build-version }}
PYTHON_VERSION=${{ matrix.python-version }}
tags: ${{ steps.image-tag.outputs.tags }}

- name: Extract image ID from sha256
id: imageid
run: |
python - <<EOF
import os
digest = "${{ steps.build.outputs.ImageID }}"
with open(os.environ['GITHUB_OUTPUT'], 'a') as file:
file.write(f"imageid={digest.split(':')[1]}")
EOF
- name: Ensure logprep is available in image
run: |
docker run --rm ${{ steps.imageid.outputs.imageid }} --version
- name: Push image
uses: docker/build-push-action@v6
id: build-and-push
with:
context: .
push: true
build-args: |
LOGPREP_VERSION=${{ inputs.build-version }}
PYTHON_VERSION=${{ matrix.python-version }}
tags: ${{ steps.image-tag.outputs.tags }}

- name: Install Cosign
uses: sigstore/cosign-installer@v3.7.0
with:
cosign-release: 'v2.4.1'

- name: Create SBOM of container image
uses: anchore/sbom-action@v0
with:
image: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
artifact-name: logprep@${{ steps.imageid.outputs.imageid }}.spdx.json
output-file: logprep@${{ steps.imageid.outputs.imageid }}.spdx.json

- name: Sign image with a key and add sbom attestation
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate logprep@${{ steps.imageid.outputs.imageid }}.spdx.json ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

# To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get date
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT

- name: Restore trivy cache
uses: actions/cache@v4
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys:
trivy-cache-

- name: Scan image using Trivy
uses: aquasecurity/trivy-action@0.24.0
env:
TRIVY_CACHE_DIR: ./cache
with:
scan-type: image
image-ref: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
trivy-config: trivy.yaml

# Trivy-db uses `0600` permissions.
# But `action/cache` use `runner` user by default
# So we need to change the permissions before caching the database.
- name: Change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db
34 changes: 6 additions & 28 deletions .github/workflows/publish-latest-dev-release-to-github.yml
Original file line number Diff line number Diff line change
Expand Up @@ -47,31 +47,9 @@ jobs:
LICENSE
containerbuild:
strategy:
matrix:
python-version: ["3.10", "3.11", "3.12"]

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build images
uses: docker/build-push-action@v3
with:
context: .
push: true # Will only build if this is not here
build-args: |
LOGPREP_VERSION=latest
PYTHON_VERSION=${{ matrix.python-version }}
tags: |
ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-main
ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-latest
uses: ./.github/workflows/container-build.yml
needs: create-github-prerelease
secrets: inherit
with:
build-version: ${{ github.ref_name }}
tags: "main, latest"
83 changes: 5 additions & 78 deletions .github/workflows/publish-release-to-pypi.yml
Original file line number Diff line number Diff line change
Expand Up @@ -60,82 +60,9 @@ jobs:
uses: pypa/gh-action-pypi-publish@release/v1

containerbuild:
strategy:
matrix:
python-version: ["3.10", "3.11", "3.12"]

runs-on: ubuntu-latest
uses: ./.github/workflows/container-build.yml
needs: publish-latest-release-to-pypi
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build images
uses: docker/build-push-action@v3
with:
context: .
push: true # Will only build if this is not here
build-args: |
LOGPREP_VERSION=${{ github.ref_name }}
PYTHON_VERSION=${{ matrix.python-version }}
tags: |
ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.ref_name }}
ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-stable
ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-latest
- name: Install Cosign
uses: sigstore/cosign-installer@v3.7.0
with:
cosign-release: 'v2.4.1'

- name: Create SBOM of container image
uses: anchore/sbom-action@v0
with:
image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }}
artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json

- name: Sign image with a key and add sbom attestation
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}

# To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get date
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT

- name: Restore trivy cache
uses: actions/cache@v4
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys:
trivy-cache-

- name: Scan image using Trivy
uses: aquasecurity/trivy-action@0.24.0
env:
TRIVY_CACHE_DIR: ./cache
with:
scan-type: image
image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
trivy-config: trivy.yaml

# Trivy-db uses `0600` permissions.
# But `action/cache` use `runner` user by default
# So we need to change the permissions before caching the database.
- name: Change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db
secrets: inherit
with:
build-version: ${{ github.ref_name }}
tags: "${{ github.ref_name }}, stable, latest"

0 comments on commit 1791db8

Please sign in to comment.