We use the Docker Hub Workflow to build and push our images to Docker Hub, but also to check whether our images have vulnerabilities. When we are only checking for vulnerabilities, we don't need to run all the build steps. This commit optimizes the workflow by running only the necessary steps when we are just checking for vulnerabilities: during pull requests without the "preview" label we skip the build steps and do not activate QEMU.
name: Docker Hub Workflow
|
|
run-name: Docker Hub Workflow
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
push:
|
|
branches:
|
|
- "main"
|
|
tags:
|
|
- "v*"
|
|
pull_request:
|
|
branches:
|
|
- "main"
|
|
|
|
env:
|
|
DOCKER_USER: 1001:127
|
|
SHOULD_PUSH: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'preview') }}
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
build-and-push-backend:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
- name: Set up QEMU
|
|
if: env.SHOULD_PUSH == 'true'
|
|
uses: docker/setup-qemu-action@v3
|
|
- name: Set up Docker Buildx
|
|
if: env.SHOULD_PUSH == 'true'
|
|
uses: docker/setup-buildx-action@v3
|
|
- name: Docker meta
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: lasuite/impress-backend
|
|
- name: Login to DockerHub
|
|
if: env.SHOULD_PUSH == 'true'
|
|
uses: docker/login-action@v3
|
|
with:
|
|
username: ${{ secrets.DOCKER_HUB_USER }}
|
|
password: ${{ secrets.DOCKER_HUB_PASSWORD }}
|
|
- name: Run trivy scan
|
|
uses: numerique-gouv/action-trivy-cache@main
|
|
with:
|
|
docker-build-args: "--target backend-production -f Dockerfile"
|
|
docker-image-name: "docker.io/lasuite/impress-backend:${{ github.sha }}"
|
|
trivyignores: ./.github/.trivyignore
|
|
- name: Build and push
|
|
if: env.SHOULD_PUSH == 'true'
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
target: backend-production
|
|
platforms: linux/amd64,linux/arm64
|
|
build-args: DOCKER_USER=${{ env.DOCKER_USER }}
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
- name: Cleanup Docker after build
|
|
if: always()
|
|
run: |
|
|
docker system prune -af
|
|
docker volume prune -f
|
|
|
|
build-and-push-frontend:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
- name: Set up QEMU
|
|
if: env.SHOULD_PUSH == 'true'
|
|
uses: docker/setup-qemu-action@v3
|
|
- name: Set up Docker Buildx
|
|
if: env.SHOULD_PUSH == 'true'
|
|
uses: docker/setup-buildx-action@v3
|
|
- name: Docker meta
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: lasuite/impress-frontend
|
|
- name: Login to DockerHub
|
|
if: env.SHOULD_PUSH == 'true'
|
|
uses: docker/login-action@v3
|
|
with:
|
|
username: ${{ secrets.DOCKER_HUB_USER }}
|
|
password: ${{ secrets.DOCKER_HUB_PASSWORD }}
|
|
- name: Run trivy scan
|
|
uses: numerique-gouv/action-trivy-cache@main
|
|
with:
|
|
docker-build-args: "-f src/frontend/Dockerfile --target frontend-production"
|
|
docker-image-name: "docker.io/lasuite/impress-frontend:${{ github.sha }}"
|
|
trivyignores: ./.github/.trivyignore
|
|
- name: Build and push
|
|
if: env.SHOULD_PUSH == 'true'
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: ./src/frontend/Dockerfile
|
|
target: frontend-production
|
|
platforms: linux/amd64,linux/arm64
|
|
build-args: |
|
|
DOCKER_USER=${{ env.DOCKER_USER }}
|
|
PUBLISH_AS_MIT=false
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
- name: Cleanup Docker after build
|
|
if: always()
|
|
run: |
|
|
docker system prune -af
|
|
docker volume prune -f
|
|
|
|
build-and-push-y-provider:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
- name: Set up QEMU
|
|
if: env.SHOULD_PUSH == 'true'
|
|
uses: docker/setup-qemu-action@v3
|
|
- name: Set up Docker Buildx
|
|
if: env.SHOULD_PUSH == 'true'
|
|
uses: docker/setup-buildx-action@v3
|
|
- name: Docker meta
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: lasuite/impress-y-provider
|
|
- name: Login to DockerHub
|
|
if: env.SHOULD_PUSH == 'true'
|
|
run: echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_HUB_USER }}" --password-stdin
|
|
- name: Run trivy scan
|
|
uses: numerique-gouv/action-trivy-cache@main
|
|
with:
|
|
docker-build-args: "-f src/frontend/servers/y-provider/Dockerfile --target y-provider"
|
|
docker-image-name: "docker.io/lasuite/impress-y-provider:${{ github.sha }}"
|
|
trivyignores: ./.github/.trivyignore
|
|
- name: Build and push
|
|
if: env.SHOULD_PUSH == 'true'
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: ./src/frontend/servers/y-provider/Dockerfile
|
|
target: y-provider
|
|
platforms: linux/amd64,linux/arm64
|
|
build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
- name: Cleanup Docker after build
|
|
if: always()
|
|
run: |
|
|
docker system prune -af
|
|
docker volume prune -f
|
|
|
|
notify-argocd:
|
|
needs:
|
|
- build-and-push-backend
|
|
- build-and-push-frontend
|
|
- build-and-push-y-provider
|
|
runs-on: ubuntu-latest
|
|
if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'preview')
|
|
steps:
|
|
- uses: numerique-gouv/action-argocd-webhook-notification@main
|
|
id: notify
|
|
with:
|
|
deployment_repo_path: "${{ secrets.DEPLOYMENT_REPO_URL }}"
|
|
argocd_webhook_secret: "${{ secrets.ARGOCD_PREPROD_WEBHOOK_SECRET }}"
|
|
argocd_url: "${{ vars.ARGOCD_PREPROD_WEBHOOK_URL }}"
|
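Review bot: The y-provider job's `Login to DockerHub` step expands both Docker Hub secrets into a shell command line (`run: echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_HUB_USER }}" --password-stdin`), whereas the backend and frontend jobs hand them to `docker/login-action@v3` under `with:`; rewriting the step the same way keeps the credentials out of the shell and makes the three jobs consistent, as shown below. The `numerique-gouv/action-trivy-cache@main` and `numerique-gouv/action-argocd-webhook-notification@main` references resolve to a mutable branch, so the scan that runs on every pull request and the step that holds `ARGOCD_PREPROD_WEBHOOK_SECRET` execute whatever that branch contains at run time; pinning each to a full commit SHA with the version in a trailing `# vX.Y.Z` comment is the usual mitigation. The `notify-argocd` job repeats the `SHOULD_PUSH` expression in its job-level `if` because the `env` context is not available there; a comment such as `# env context is unavailable in a job-level if; keep in sync with env.SHOULD_PUSH` above that line would stop the two from drifting apart.
```yaml
      # … unchanged: checkout, QEMU, buildx and metadata steps …
      - name: Login to DockerHub
        if: env.SHOULD_PUSH == 'true'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
      # … unchanged: trivy scan, build and push, cleanup steps …
```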