BuildContainerForProduction #541
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: BuildContainerForProduction | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - master | |
| schedule: | |
| - cron: 00 4 * * * | |
| jobs: | |
| php7: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: GitHub Environment Variables Action | |
| uses: FranzDiebold/github-env-vars-action@v2 | |
| - name: Shallow clone code | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Login to Container Registry ghcr.io | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| #php7 | |
| #tag with temp tag to make sure trivy scans the new version | |
| - name: Build the container image | |
| run: docker build . --tag php-docker-base:trivytemp --file Dockerfile.php7 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: php-docker-base:trivytemp | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Retag new image with latest tag so we can push the scanned version | |
| run: docker image tag php-docker-base:trivytemp ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:latest | |
| - name: Push with latest tag | |
| run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:latest | |
| - name: Retag new image with commit hash | |
| run: docker image tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:latest ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:$(echo ${GITHUB_SHA} | cut -c1-8) | |
| - name: Push with commit hash tag | |
| run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:$(echo ${GITHUB_SHA} | cut -c1-8) | |
| - name: Retag new image with php7 tag | |
| run: docker image tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:latest ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php7 | |
| - name: Push with commit php7 tag | |
| run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php7 | |
| #php7-review | |
| - name: Build the PHP7 review container image | |
| run: docker build . --tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php7-review --file Dockerfile.php7-review | |
| - name: Push with commit php7-review tag | |
| run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php7-review | |
| php8: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: GitHub Environment Variables Action | |
| uses: FranzDiebold/github-env-vars-action@v2 | |
| - name: Shallow clone code | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Login to Container Registry ghcr.io | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| #php8 | |
| - name: Build the container image | |
| run: docker build . --tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8 --file Dockerfile.php8 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8 | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Push with php8 tag | |
| run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8 | |
| - name: Retag new image with commit hash | |
| run: docker image tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8 ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8-$(echo ${GITHUB_SHA} | cut -c1-8) | |
| - name: Push with commit hash tag and php8 tag | |
| run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8-$(echo ${GITHUB_SHA} | cut -c1-8) | |
| #php8-review | |
| - name: Build the PHP8 review container image | |
| run: docker build . --tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8-review --file Dockerfile.php8-review | |
| - name: Push with commit php8-review tag | |
| run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8-review | |
| cleanup: | |
| needs: [php7, php8] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: GitHub Environment Variables Action | |
| uses: FranzDiebold/github-env-vars-action@v2 | |
| - name: Login to Container Registry ghcr.io | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Delete old versions of the package, keeping a few of the newest | |
| uses: actions/delete-package-versions@v4 | |
| with: | |
| package-name: ${{ env.CI_REPOSITORY_NAME }} | |
| package-type: container | |
| min-versions-to-keep: 8 |