Merge pull request teracyhq-incubator#2 from hoatle/features/teracyhq…

…-incubator#1-docker-login-build-push-sign-actions

@ teracyhq-incubator#1 | add docker-multiple-login and docker-build-push-sign github actions

.gitignore

@@ -0,0 +1 @@
+.DS_Store

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 TeracyHQ Incubator
+Copyright (c) 2022 Teracy
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,2 +1,50 @@
 # .github
-github actions repository to share reusable workflows
+
+github actions repository to share reusable actions and workflows
+
+
+## Actions
+
+The composite github actions are organized with its versioning on its path
+(<action-name>-<action-version>).
+
+### docker-multiple-login
+
+Login to multiple docker registries
+
+- Example usage:
+
+```yaml
+- name: Login to Docker registries
+  if: github.event_name != 'pull_request' && env.DOCKER_BUILD_ENABLED == 'true' && env.DOCKER_PUSH_ENABLED == 'true'
+  uses: teracyhq-incubator/.github/actions/docker-multiple-login-develop@main
+  with:
+    github-token: ${{ secrets.GITHUB_TOKEN }}
+    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
+```
+
+- Options:
+
+See the docker-multiple-login-<version>/action.yaml file. 
+
+### docker-build-push-sign
+
+Build, push and sign the built docker images, requires `docker-multiple-login` action for pushing.
+
+- Example usage:
+
+```yaml
+- name: Build, push and sign Docker image
+  uses: teracyhq-incubator/.github/actions/docker-build-push-sign-develop@main
+  with:
+    meta-images: docker.io/<user>/<repo>
+    build-enabled: ${{ env.DOCKER_BUILD_ENABLED }}
+    push-enabled: ${{ github.event_name != 'pull_request' && env.DOCKER_PUSH_ENABLED == 'true' }}
+    cosign-key-base64: ${{ secrets.COSIGN_KEY_BASE64 }}
+    cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+```
+
+- Options:
+
+See the docker-build-push-sign-<version>/action.yaml file.

actions/docker-build-push-sign-develop/action.yml

@@ -0,0 +1,110 @@
+name: 'docker-login-build-push-sign'
+description: 'Build, push and sign to multiple docker registries'
+inputs:
+  meta-tags:
+    description: "specify the meta tags for docker-meta"
+    required: false
+    default: |
+      type=semver,pattern={{version}}
+      type=ref,suffix=-{{sha}},event=branch
+      type=ref,event=branch
+  meta-images:
+    description: "specify the list of images (<registry>/<name>,) to be built, pushed, signed"
+    required: true
+  buildx-driver-opts:
+    description: "driver options for buildx"
+    default: ""
+  build-enabled:
+    description: "enable or disable the build"
+    required: false
+    default: "true"
+  build-context:
+    description: "the build context"
+    required: false
+    default: "."
+  build-file:
+    description: "the build file"
+    required: false
+    default: "Dockerfile"
+  build-args:
+    description: "the build arguments"
+    required: false
+  build-tags:
+    description: "the specified built tags"
+    required: false
+  build-platforms:
+    description: "the target platforms"
+    required: false
+    default: "linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7,linux/arm/v8"
+  build-load:
+    description: "export the docker image for local usage"
+    required: false
+    default: "false"
+  push-enabled:
+    description: "enable/disable the push"
+    required: false
+    default: "false"
+  cosign-release:
+    description: "the cosign release version to be used"
+    required: false
+    default: "v1.4.1"
+  cosign-key-base64:
+    description: "the base64 private cosign key"
+    required: false
+  cosign-password:
+    description: "the password to unlock the private cosign key"
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Docker meta
+      id: docker-meta
+      uses: docker/metadata-action@v3
+      if: ${{ inputs.build-enabled == 'true' }}
+      with:
+        tags: ${{ inputs.meta-tags }}
+        images: ${{ inputs.meta-images }}
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v1
+      if: ${{ inputs.build-enabled == 'true' }}
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v1
+      if: ${{ inputs.build-enabled == 'true' }}
+      with:
+        driver-opts: ${{ inputs.buildx-driver-opts }}
+
+    - name: Build and push
+      id: build-and-push
+      uses: docker/build-push-action@v2
+      if: ${{ inputs.build-enabled == 'true' }}
+      with:
+        context: ${{ inputs.build-context }}
+        file: ${{ inputs.build-file }}
+        build-args: ${{ inputs.build-args }}
+        load: ${{ inputs.build-load }}
+        platforms: ${{ inputs.build-platforms }}
+        push: ${{ inputs.push-enabled == 'true' }}
+        tags: ${{ inputs.build-tags || steps.docker-meta.outputs.tags }}
+        labels: ${{ steps.docker-meta.outputs.labels }}
+
+    - name: Install cosign
+      if: ${{ inputs.build-enabled == 'true' && inputs.push-enabled == 'true' && inputs.cosign-key-base64 != '' }}
+      uses: sigstore/cosign-installer@main
+      with:
+        cosign-release: ${{ inputs.cosign-release }}
+
+    - name: Sign image with a key
+      if: ${{ inputs.build-enabled == 'true' && inputs.push-enabled == 'true' && inputs.cosign-key-base64 != ''  }}
+      run: |
+        echo $COSIGN_KEY_BASE64 | base64 --decode > /tmp/cosign.key && \
+        cosign sign --key /tmp/cosign.key ${TAGS}
+        # delete the key
+        rm -rf /tmp/cosign.key
+      shell: bash
+      env:
+        TAGS: ${{ steps.docker-meta.outputs.tags }}
+        COSIGN_KEY_BASE64: ${{ inputs.cosign-key-base64 }}
+        COSIGN_PASSWORD: ${{ inputs.cosign-password }}

actions/docker-multiple-login-develop/action.yml

@@ -0,0 +1,197 @@
+name: 'docker-multiple-login'
+description: 'Login to multiple docker registries'
+inputs:
+  # login to GitHub Container Registry: https://github.com/docker/login-action#github-container-registry
+  github-token:
+    description: 'Github token'
+    required: false
+  # login to Docker Hub: https://github.com/docker/login-action#docker-hub
+  dockerhub-username:
+    description: "Docker Hub username"
+    required: false
+  dockerhub-token:
+    description: "Docker Hub token/password"
+    required: false
+  # login to GitLab: https://github.com/docker/login-action#gitlab
+  gitlab-username:
+    description: "GitLab username"
+    required: false
+  gitlab-token:
+    description: "GitLab token/password"
+    required: false
+  # login to Azure Container Registry (ACR): https://github.com/docker/login-action#azure-container-registry-acr
+  azure-registry-name:
+    description: "Azure Contaienr Registry name"
+    required: false
+  azure-client-id:
+    description: "Azure client id"
+    required: false
+  azure-client-secret:
+    description: "Azure client secret"
+    required: false
+  # login to Google Container Registry (GCR): https://github.com/docker/login-action#google-container-registry-gcr
+  gcr-json-key-base64:
+    description: "JSON key (base64) for Google Container Registry"
+    required: false
+  # login to Google Artifact Registry (GAR): https://github.com/docker/login-action#google-artifact-registry-gar
+  gar-location:
+    description: "Google Artifact Registry location"
+    required: false
+  gar-json-key-base64:
+    description: "JSON key (base64) for Google Artifact Registry"
+    required: false
+  # login to AWS Elastic Container Registry (ECR): https://github.com/docker/login-action#aws-elastic-container-registry-ecr
+  ecr-is-public-registry:
+    description: "set to true to use the ECR public registry: public.ecr.aws"
+    required: false
+    default: "false"
+  erc-aws-account-number:
+    description: "to build registry: <erc-aws-account-number>.dkr.ecr.<erc-region>.amazonaws.com"
+    required: false
+  erc-region:
+    description: "to build registry: <erc-aws-account-number>.dkr.ecr.<erc-region>.amazonaws.com"
+    required: false
+  erc-aws-access-key-id:
+    description: "aws access key id"
+    required: false
+  erc-aws-secret-access-key:
+    description: "aws secret access key"
+    required: false
+  erc-aws-account-ids:
+    description: "if you need to log in to Amazon ECR registries associated with other accounts"
+    required: false
+  # login to OCI Oracle Cloud Infrastructure Registry (OCIR): https://github.com/docker/login-action#oci-oracle-cloud-infrastructure-registry-ocir
+  ocir-region:
+    description: "to build registry: <ocir-region>.ocir.io"
+    required: false
+  ocir-username:
+    description: "OCIR username"
+    required: false
+  ocir-token:
+    description: "OCIR token/password"
+    required: false
+  # login to Quay.io: https://github.com/docker/login-action#quayio
+  quay-username:
+    description: "Quay username"
+    required: false
+  quay-token:
+    description: "Quay token/password"
+    required: false
+  # login to a customer registry: https://github.com/docker/login-action#customizing
+  customized-registry:
+    description: "the registry url"
+    required: false
+  customized-username:
+    description: "username"
+    required: false
+  customized-password:
+    description: "password/token"
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+
+    # https://github.com/docker/login-action#github-container-registry
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v1
+      if: ${{ inputs.github-token }}
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ inputs.github-token }}
+
+    # https://github.com/docker/login-action#docker-hub
+    - name: Login to Docker Hub
+      uses: docker/login-action@v1
+      if: ${{ inputs.dockerhub-username && inputs.dockerhub-token }}
+      with:
+        registry: docker.io
+        username: ${{ inputs.dockerhub-username }}
+        password: ${{ inputs.dockerhub-token }}
+
+    # https://github.com/docker/login-action#gitlab
+    - name: Login to GitLab
+      uses: docker/login-action@v1
+      if: ${{ inputs.gitlab-username && inputs.gitlab-token }}
+      with:
+        registry: registry.gitlab.com
+        username: ${{ inputs.gitlab-username }}
+        password: ${{ inputs.gitlab-token }}
+
+    # https://github.com/docker/login-action#azure-container-registry-acr
+    - name: Login to Azure Container Registry (ACR)
+      uses: docker/login-action@v1
+      if: ${{ inputs.azure-registry-name && inputs.azure-client-id && inputs.azure-client-secret }}
+      with:
+        registry: ${{ inputs.azure-registry-name }}.azurecr.io
+        username: ${{ inputs.azure-client-id  }}
+        password: ${{ inputs.azure-client-secret }}
+
+    # https://github.com/docker/login-action#google-container-registry-gcr
+    - name: Login to Google Container Registry (GCR)
+      uses: docker/login-action@v1
+      if: ${{ inputs.gcr-json-key-base64 }}
+      with:
+        registry: gcr.io
+        username: _json_key_base64
+        password: ${{ inputs.gcr-json-key-base64 }}
+
+    # https://github.com/docker/login-action#google-artifact-registry-gar
+    - name: Login to Google Artifact Registry (GAR)
+      uses: docker/login-action@v1
+      if: ${{ inputs.gar-location && inputs.gar-json-key-base64 }}
+      with:
+        registry: ${{ inputs.gar-location }}-docker.pkg.dev
+        username: _json_key_base64
+        password: ${{ inputs.gar-json-key-base64 }}
+
+    # https://github.com/docker/login-action#aws-elastic-container-registry-ecr
+    - name: Login to AWS Elastic Container Registry (ECR)
+      uses: docker/login-action@v1
+      if: ${{ inputs.ecr-is-public-registry != 'true' && inputs.erc-aws-account-number && inputs.erc-region &&  inputs.erc-aws-access-key-id && inputs.erc-aws-secret-access-key }}
+      with:
+        registry: ${{ inputs.erc-aws-account-number }}.dkr.ecr.${{ inputs.erc-region }}.amazonaws.com
+        username: ${{ inputs.erc-aws-access-key-id }}
+        password: ${{ inputs.erc-aws-secret-access-key }}
+      # If you need to log in to Amazon ECR registries associated with other accounts
+      env:
+        AWS_ACCOUNT_IDS: ${{ inputs.erc-aws-account-ids }}
+
+    # https://github.com/docker/login-action#aws-public-elastic-container-registry-ecr
+    - name: Login to AWS Public Elastic Container Registry (Public ECR)
+      uses: docker/login-action@v1
+      if: ${{ inputs.ecr-is-public-registry == 'true' && inputs.erc-region && inputs.erc-aws-access-key-id && inputs.erc-aws-secret-access-key }}
+      with:
+        registry: public.ecr.aws
+        username: ${{ inputs.erc-aws-access-key-id }}
+        password: ${{ inputs.erc-aws-secret-access-key }}
+      env:
+        AWS_REGION: ${{ inputs.erc-region }}
+
+    # https://github.com/docker/login-action#oci-oracle-cloud-infrastructure-registry-ocir
+    - name: Login to Oracle Cloud Infrastructure Registry (OCIR)
+      uses: docker/login-action@v1
+      if: ${{ inputs.ocir-region && inputs.ocir-username && inputs.ocir-token }}
+      with:
+        registry: ${{ inputs.ocir-region }}.ocir.io
+        username: ${{ inputs.ocir-username }}
+        password: ${{ inputs.ocir-token }}
+
+    # https://github.com/docker/login-action#quayio
+    - name: Login to Quay.io
+      uses: docker/login-action@v1
+      if: ${{ inputs.quay-username && inputs.quay-token }}
+      with:
+        registry: quay.io
+        username: ${{ inputs.quay-username }}
+        password: ${{ inputs.quay-token }}
+
+    # https://github.com/docker/login-action#customizing
+    - name: Login to ${{ inputs.customized-registry }}
+      uses: docker/login-action@v1
+      if: ${{ inputs.customized-registry && inputs.customized-username && inputs.customized-password }}
+      with:
+        registry: ${{ inputs.customized-registry }}
+        username: ${{ inputs.customized-username }}
+        password: ${{ inputs.customized-password }}