diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e43b0f9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
diff --git a/LICENSE b/LICENSE
index 2534680..cf50a66 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2021 TeracyHQ Incubator
+Copyright (c) 2022 Teracy
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index 2145680..80e93b4 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,50 @@
 # .github
-github actions repository to share reusable workflows
+
+github actions repository to share reusable actions and workflows
+
+
+## Actions
+
+The composite github actions are organized with its versioning on its path
+(-).
+
+### docker-multiple-login
+
+Login to multiple docker registries
+
+- Example usage:
+
+```yaml
+- name: Login to Docker registries
+ if: github.event_name != 'pull_request' && env.DOCKER_BUILD_ENABLED == 'true' && env.DOCKER_PUSH_ENABLED == 'true'
+ uses: teracyhq-incubator/.github/actions/docker-multiple-login-develop@main
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+ dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
+```
+
+- Options:
+
+See the docker-multiple-login-/action.yaml file.
+
+### docker-build-push-sign
+
+Build, push and sign the built docker images, requires `docker-multiple-login` action for pushing.
+
+- Example usage:
+
+```yaml
+- name: Build, push and sign Docker image
+ uses: teracyhq-incubator/.github/actions/docker-build-push-sign-develop@main
+ with:
+ meta-images: docker.io//
+ build-enabled: ${{ env.DOCKER_BUILD_ENABLED }}
+ push-enabled: ${{ github.event_name != 'pull_request' && env.DOCKER_PUSH_ENABLED == 'true' }}
+ cosign-key-base64: ${{ secrets.COSIGN_KEY_BASE64 }}
+ cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+```
+
+- Options:
+
+See the docker-build-push-sign-/action.yaml file.
diff --git a/actions/docker-build-push-sign-develop/action.yml b/actions/docker-build-push-sign-develop/action.yml
new file mode 100644
index 0000000..2235e1c
--- /dev/null
+++ b/actions/docker-build-push-sign-develop/action.yml
@@ -0,0 +1,110 @@
+name: 'docker-login-build-push-sign'
+description: 'Build, push and sign to multiple docker registries'
+inputs:
+ meta-tags:
+ description: "specify the meta tags for docker-meta"
+ required: false
+ default: |
+ type=semver,pattern={{version}}
+ type=ref,suffix=-{{sha}},event=branch
+ type=ref,event=branch
+ meta-images:
+ description: "specify the list of images (/,) to be built, pushed, signed"
+ required: true
+ buildx-driver-opts:
+ description: "driver options for buildx"
+ default: ""
+ build-enabled:
+ description: "enable or disable the build"
+ required: false
+ default: "true"
+ build-context:
+ description: "the build context"
+ required: false
+ default: "."
+ build-file:
+ description: "the build file"
+ required: false
+ default: "Dockerfile"
+ build-args:
+ description: "the build arguments"
+ required: false
+ build-tags:
+ description: "the specified built tags"
+ required: false
+ build-platforms:
+ description: "the target platforms"
+ required: false
+ default: "linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7,linux/arm/v8"
+ build-load:
+ description: "export the docker image for local usage"
+ required: false
+ default: "false"
+ push-enabled:
+ description: "enable/disable the push"
+ required: false
+ default: "false"
+ cosign-release:
+ description: "the cosign release version to be used"
+ required: false
+ default: "v1.4.1"
+ cosign-key-base64:
+ description: "the base64 private cosign key"
+ required: false
+ cosign-password:
+ description: "the password to unlock the private cosign key"
+ required: false
+
+runs:
+ using: "composite"
+ steps:
+ - name: Docker meta
+ id: docker-meta
+ uses: docker/metadata-action@v3
+ if: ${{ inputs.build-enabled == 'true' }}
+ with:
+ tags: ${{ inputs.meta-tags }}
+ images: ${{ inputs.meta-images }}
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+ if: ${{ inputs.build-enabled == 'true' }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+ if: ${{ inputs.build-enabled == 'true' }}
+ with:
+ driver-opts: ${{ inputs.buildx-driver-opts }}
+
+ - name: Build and push
+ id: build-and-push
+ uses: docker/build-push-action@v2
+ if: ${{ inputs.build-enabled == 'true' }}
+ with:
+ context: ${{ inputs.build-context }}
+ file: ${{ inputs.build-file }}
+ build-args: ${{ inputs.build-args }}
+ load: ${{ inputs.build-load }}
+ platforms: ${{ inputs.build-platforms }}
+ push: ${{ inputs.push-enabled == 'true' }}
+ tags: ${{ inputs.build-tags || steps.docker-meta.outputs.tags }}
+ labels: ${{ steps.docker-meta.outputs.labels }}
+
+ - name: Install cosign
+ if: ${{ inputs.build-enabled == 'true' && inputs.push-enabled == 'true' && inputs.cosign-key-base64 != '' }}
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: ${{ inputs.cosign-release }}
+
+ - name: Sign image with a key
+ if: ${{ inputs.build-enabled == 'true' && inputs.push-enabled == 'true' && inputs.cosign-key-base64 != '' }}
+ run: |
+ echo $COSIGN_KEY_BASE64 | base64 --decode > /tmp/cosign.key && \
+ cosign sign --key /tmp/cosign.key ${TAGS}
+ # delete the key
+ rm -rf /tmp/cosign.key
+ shell: bash
+ env:
+ TAGS: ${{ steps.docker-meta.outputs.tags }}
+ COSIGN_KEY_BASE64: ${{ inputs.cosign-key-base64 }}
+ COSIGN_PASSWORD: ${{ inputs.cosign-password }}
diff --git a/actions/docker-multiple-login-develop/action.yml b/actions/docker-multiple-login-develop/action.yml
new file mode 100644
index 0000000..a23606f
--- /dev/null
+++ b/actions/docker-multiple-login-develop/action.yml
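Review bot: The "Sign image with a key" step signs the mutable tags in `steps.docker-meta.outputs.tags` instead of the digest that `docker/build-push-action@v2` exposes as `steps.build-and-push.outputs.digest` (the step already carries `id: build-and-push` but nothing reads it), so the signature attaches to whatever the tag resolves to at signing time, and when `build-tags` overrides the tag list the signed tags are not even the ones that were pushed. The key is written to the fixed path `/tmp/cosign.key`, and because `shell: bash` steps run with `-e` the trailing `rm -rf /tmp/cosign.key` is skipped whenever `cosign sign` fails, which leaves the private key on disk on a self-hosted runner; a `mktemp` file removed by an EXIT trap covers both the success and failure paths. `echo $COSIGN_KEY_BASE64` is also unquoted and so subject to word splitting; `printf '%s' "$COSIGN_KEY_BASE64"` is the safe form. Separately, `uses: sigstore/cosign-installer@main` is a moving ref for the tool that handles the signing key; pin it to a release tag or commit SHA like the other `uses:` lines.

```yaml
      - name: Sign image with a key
        # … unchanged: if condition …
        run: |
          KEY_FILE="$(mktemp)"
          trap 'rm -f "$KEY_FILE"' EXIT
          printf '%s' "$COSIGN_KEY_BASE64" | base64 --decode > "$KEY_FILE"
          # sign the immutable digest of the pushed manifest, once per image name
          for image in ${IMAGES//,/ }; do
            cosign sign --key "$KEY_FILE" "${image}@${DIGEST}"
          done
        shell: bash
        env:
          IMAGES: ${{ inputs.meta-images }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
          COSIGN_KEY_BASE64: ${{ inputs.cosign-key-base64 }}
          COSIGN_PASSWORD: ${{ inputs.cosign-password }}
```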
@@ -0,0 +1,197 @@
+name: 'docker-multiple-login'
+description: 'Login to multiple docker registries'
+inputs:
+ # login to GitHub Container Registry: https://github.com/docker/login-action#github-container-registry
+ github-token:
+ description: 'Github token'
+ required: false
+ # login to Docker Hub: https://github.com/docker/login-action#docker-hub
+ dockerhub-username:
+ description: "Docker Hub username"
+ required: false
+ dockerhub-token:
+ description: "Docker Hub token/password"
+ required: false
+ # login to GitLab: https://github.com/docker/login-action#gitlab
+ gitlab-username:
+ description: "GitLab username"
+ required: false
+ gitlab-token:
+ description: "GitLab token/password"
+ required: false
+ # login to Azure Container Registry (ACR): https://github.com/docker/login-action#azure-container-registry-acr
+ azure-registry-name:
+ description: "Azure Contaienr Registry name"
+ required: false
+ azure-client-id:
+ description: "Azure client id"
+ required: false
+ azure-client-secret:
+ description: "Azure client secret"
+ required: false
+ # login to Google Container Registry (GCR): https://github.com/docker/login-action#google-container-registry-gcr
+ gcr-json-key-base64:
+ description: "JSON key (base64) for Google Container Registry"
+ required: false
+ # login to Google Artifact Registry (GAR): https://github.com/docker/login-action#google-artifact-registry-gar
+ gar-location:
+ description: "Google Artifact Registry location"
+ required: false
+ gar-json-key-base64:
+ description: "JSON key (base64) for Google Artifact Registry"
+ required: false
+ # login to AWS Elastic Container Registry (ECR): https://github.com/docker/login-action#aws-elastic-container-registry-ecr
+ ecr-is-public-registry:
+ description: "set to true to use the ECR public registry: public.ecr.aws"
+ required: false
+ default: "false"
+ erc-aws-account-number:
+ description: "to build registry: .dkr.ecr..amazonaws.com"
+ required: false
+ erc-region:
+ description: "to build registry: .dkr.ecr..amazonaws.com"
+ required: false
+ erc-aws-access-key-id:
+ description: "aws access key id"
+ required: false
+ erc-aws-secret-access-key:
+ description: "aws secret access key"
+ required: false
+ erc-aws-account-ids:
+ description: "if you need to log in to Amazon ECR registries associated with other accounts"
+ required: false
+ # login to OCI Oracle Cloud Infrastructure Registry (OCIR): https://github.com/docker/login-action#oci-oracle-cloud-infrastructure-registry-ocir
+ ocir-region:
+ description: "to build registry: .ocir.io"
+ required: false
+ ocir-username:
+ description: "OCIR username"
+ required: false
+ ocir-token:
+ description: "OCIR token/password"
+ required: false
+ # login to Quay.io: https://github.com/docker/login-action#quayio
+ quay-username:
+ description: "Quay username"
+ required: false
+ quay-token:
+ description: "Quay token/password"
+ required: false
+ # login to a customer registry: https://github.com/docker/login-action#customizing
+ customized-registry:
+ description: "the registry url"
+ required: false
+ customized-username:
+ description: "username"
+ required: false
+ customized-password:
+ description: "password/token"
+ required: false
+
+runs:
+ using: "composite"
+ steps:
+
+ # https://github.com/docker/login-action#github-container-registry
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v1
+ if: ${{ inputs.github-token }}
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ inputs.github-token }}
+
+ # https://github.com/docker/login-action#docker-hub
+ - name: Login to Docker Hub
+ uses: docker/login-action@v1
+ if: ${{ inputs.dockerhub-username && inputs.dockerhub-token }}
+ with:
+ registry: docker.io
+ username: ${{ inputs.dockerhub-username }}
+ password: ${{ inputs.dockerhub-token }}
+
+ # https://github.com/docker/login-action#gitlab
+ - name: Login to GitLab
+ uses: docker/login-action@v1
+ if: ${{ inputs.gitlab-username && inputs.gitlab-token }}
+ with:
+ registry: registry.gitlab.com
+ username: ${{ inputs.gitlab-username }}
+ password: ${{ inputs.gitlab-token }}
+
+ # https://github.com/docker/login-action#azure-container-registry-acr
+ - name: Login to Azure Container Registry (ACR)
+ uses: docker/login-action@v1
+ if: ${{ inputs.azure-registry-name && inputs.azure-client-id && inputs.azure-client-secret }}
+ with:
+ registry: ${{ inputs.azure-registry-name }}.azurecr.io
+ username: ${{ inputs.azure-client-id }}
+ password: ${{ inputs.azure-client-secret }}
+
+ # https://github.com/docker/login-action#google-container-registry-gcr
+ - name: Login to Google Container Registry (GCR)
+ uses: docker/login-action@v1
+ if: ${{ inputs.gcr-json-key-base64 }}
+ with:
+ registry: gcr.io
+ username: _json_key_base64
+ password: ${{ inputs.gcr-json-key-base64 }}
+
+ # https://github.com/docker/login-action#google-artifact-registry-gar
+ - name: Login to Google Artifact Registry (GAR)
+ uses: docker/login-action@v1
+ if: ${{ inputs.gar-location && inputs.gar-json-key-base64 }}
+ with:
+ registry: ${{ inputs.gar-location }}-docker.pkg.dev
+ username: _json_key_base64
+ password: ${{ inputs.gar-json-key-base64 }}
+
+ # https://github.com/docker/login-action#aws-elastic-container-registry-ecr
+ - name: Login to AWS Elastic Container Registry (ECR)
+ uses: docker/login-action@v1
+ if: ${{ inputs.ecr-is-public-registry != 'true' && inputs.erc-aws-account-number && inputs.erc-region && inputs.erc-aws-access-key-id && inputs.erc-aws-secret-access-key }}
+ with:
+ registry: ${{ inputs.erc-aws-account-number }}.dkr.ecr.${{ inputs.erc-region }}.amazonaws.com
+ username: ${{ inputs.erc-aws-access-key-id }}
+ password: ${{ inputs.erc-aws-secret-access-key }}
+ # If you need to log in to Amazon ECR registries associated with other accounts
+ env:
+ AWS_ACCOUNT_IDS: ${{ inputs.erc-aws-account-ids }}
+
+ # https://github.com/docker/login-action#aws-public-elastic-container-registry-ecr
+ - name: Login to AWS Public Elastic Container Registry (Public ECR)
+ uses: docker/login-action@v1
+ if: ${{ inputs.ecr-is-public-registry == 'true' && inputs.erc-region && inputs.erc-aws-access-key-id && inputs.erc-aws-secret-access-key }}
+ with:
+ registry: public.ecr.aws
+ username: ${{ inputs.erc-aws-access-key-id }}
+ password: ${{ inputs.erc-aws-secret-access-key }}
+ env:
+ AWS_REGION: ${{ inputs.erc-region }}
+
+ # https://github.com/docker/login-action#oci-oracle-cloud-infrastructure-registry-ocir
+ - name: Login to Oracle Cloud Infrastructure Registry (OCIR)
+ uses: docker/login-action@v1
+ if: ${{ inputs.ocir-region && inputs.ocir-username && inputs.ocir-token }}
+ with:
+ registry: ${{ inputs.ocir-region }}.ocir.io
+ username: ${{ inputs.ocir-username }}
+ password: ${{ inputs.ocir-token }}
+
+ # https://github.com/docker/login-action#quayio
+ - name: Login to Quay.io
+ uses: docker/login-action@v1
+ if: ${{ inputs.quay-username && inputs.quay-token }}
+ with:
+ registry: quay.io
+ username: ${{ inputs.quay-username }}
+ password: ${{ inputs.quay-token }}
+
+ # https://github.com/docker/login-action#customizing
+ - name: Login to ${{ inputs.customized-registry }}
+ uses: docker/login-action@v1
+ if: ${{ inputs.customized-registry && inputs.customized-username && inputs.customized-password }}
+ with:
+ registry: ${{ inputs.customized-registry }}
+ username: ${{ inputs.customized-username }}
+ password: ${{ inputs.customized-password }}
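Review bot: The AWS inputs are spelled `erc-*` (`erc-aws-account-number`, `erc-region`, `erc-aws-access-key-id`, `erc-aws-secret-access-key`, `erc-aws-account-ids`) while the sibling flag is `ecr-is-public-registry`, and both ECR steps reference the misspelled names; input names are this action's public interface and the README points callers at `@main`, so renaming to `ecr-*` later becomes a breaking change and is cheapest to do in this commit, in the `inputs:` block and in the `if:`, `with:` and `env:` lines of the two ECR steps. The descriptions `"to build registry: .dkr.ecr..amazonaws.com"` and `"to build registry: .ocir.io"` appear to have lost their placeholders (presumably angle-bracketed terms dropped somewhere along the way); a form such as `description: "account number used to build the registry host ACCOUNT.dkr.ecr.REGION.amazonaws.com"` survives any renderer. Two smaller wording fixes in the same block: `"Azure Contaienr Registry name"` → `"Azure Container Registry name"`, and the comment `# login to a customer registry` → `# login to a custom registry`.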