diff --git a/.github/workflows/container-build-push-3rd-gen.yml b/.github/workflows/container-build-push-3rd-gen.yml index cd7bcbd..e8f6307 100644 --- a/.github/workflows/container-build-push-3rd-gen.yml +++ b/.github/workflows/container-build-push-3rd-gen.yml @@ -35,14 +35,6 @@ on: description: "Image url/name without registry. Default is github.repository" default: "${{ github.repository }}" type: string - image-platforms: - description: "Image platforms to build for. Default is linux/amd64" - default: linux/amd64 - type: string - use-greenbonebot: - description: "Use the greenbonebot token as registry login. Default is false" - default: "false" - type: string notify: description: "Enable mattermost notify. Default is true" default: "true" @@ -67,10 +59,6 @@ on: required: false MATTERMOST_WEBHOOK_URL: required: false - DOCKERHUB_USERNAME: - required: false - DOCKERHUB_TOKEN: - required: false GREENBONE_REGISTRY: required: false GREENBONE_REGISTRY_USER: 
@@ -85,64 +73,16 @@ on: outputs: digest: description: "The container digest" - value: ${{ jobs.building-container.outputs.digest }} + value: ${{ jobs.build.outputs.digest }} jobs: - # We have to look, if our self hosted runner are be able to have this in hand. - # Otherwise we need to keep this for PR builds. - building-container-ghcr: - runs-on: "ubuntu-latest" - outputs: - digest: ${{ steps.build-and-push.outputs.digest }} - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - - name: Container build push 3rd gen - id: build-and-push - uses: greenbone/actions/container-build-push-generic@v3 - with: - build-context: ${{ inputs.build-context }} - build-docker-file: ${{ inputs.build-docker-file }} - build-args: ${{ inputs.build-args }} - build-secrets: ${{ contains(inputs.build-secret-greenbonebot, 'true') && format('GREENBONE_BOT_PACKAGES_READ_TOKEN={0}', secrets.GREENBONE_BOT_PACKAGES_READ_TOKEN) || inputs.build-secrets }} - cosign-key: ${{ secrets.COSIGN_KEY_OPENSIGHT }} - cosign-key-password: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }} - # The tlog function does not currently support an ed25519 key. 
- cosign-tlog-upload: "false" - image-url: ${{ inputs.image-url }} - image-labels: ${{ inputs.image-labels }} - image-tags: | - # create container tag for git tags - type=ref,event=tag,value=latest - type=match,pattern=v(.*),group=1 - type=ref,event=pr - # use unstable for main branch - type=raw,value=unstable,enable={{is_default_branch}} - # use unstable-release for release branches - type=raw,value=unstable-release,enable=${{startsWith(github.ref, 'refs/heads/release/')}} - image-platforms: ${{ inputs.image-platforms }} - registry: ${{ vars.IMAGE_REGISTRY }} - registry-username: ${{ github.actor }} - registry-password: ${{ contains(inputs.use-greenbonebot, 'true') && secrets.GREENBONE_BOT_TOKEN || secrets.GITHUB_TOKEN }} - scout-user: ${{ contains(inputs.scout, 'true') && secrets.DOCKERHUB_USERNAME || '' }} - scout-password: ${{ contains(inputs.scout, 'true') && secrets.DOCKERHUB_TOKEN || '' }} - - building-container-greenbone: - # At the moment, we use this job only to build tagged releases and not for every PR build. - # Once we have enough capacity, we can change this and remove the GHCR build job. - if: (inputs.service) && (startsWith(github.ref, 'refs/tags/v')) - runs-on: self-hosted-generic + meta: + name: Meta Data + runs-on: ubuntu-latest outputs: - digest: ${{ steps.build-and-push.outputs.digest }} - image-url: ${{ steps.image-url.outputs.url }} - image-name: ${{ steps.image-url.outputs.name }} + url: ${{ steps.image-url.outputs.url }} + name: ${{ steps.image-url.outputs.name }} steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - # Since all image URLs are derived from the GitHub repository URL, we need to reformat them to obtain the correct product OCI URLs. - # We can remove this step after incorporate everything directly into the respective workflow calls within the service repositories. - name: Create image url id: image-url shell: bash 
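Review bot: The new `meta` job declares no `permissions:`, so its GITHUB_TOKEN carries the repository's default permissions although the job's only remaining step is a bash string-formatting step (the checkout was dropped) that needs no token at all; add `permissions: {}` under `meta:` unless a workflow-level `permissions:` above this hunk already restricts it. The step's `run:` body lies mostly outside this hunk, but the tail visible as context in the next hunk expands `${{ inputs.image-url }}` directly inside the shell script; since `image-url` is a caller-supplied string, passing it through `env:` and reading `"$IMAGE_URL"` is the defensive form.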
@@ -189,89 +129,74 @@ jobs: echo "url=$url" >> $GITHUB_OUTPUT echo "name=$(basename ${{ inputs.image-url }})" >> $GITHUB_OUTPUT - - name: Container build push 3rd gen - id: build-and-push - uses: greenbone/actions/container-build-push-generic@v3 - with: - build-context: ${{ inputs.build-context }} - build-docker-file: ${{ inputs.build-docker-file }} - build-args: ${{ inputs.build-args }} - build-secrets: ${{ contains(inputs.build-secret-greenbonebot, 'true') && format('GREENBONE_BOT_PACKAGES_READ_TOKEN={0}', secrets.GREENBONE_BOT_PACKAGES_READ_TOKEN) || inputs.build-secrets }} - cosign-key: ${{ secrets.COSIGN_KEY_OPENSIGHT }} - cosign-key-password: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }} - # The tlog function does not currently support an ed25519 key. - cosign-tlog-upload: "false" - image-url: ${{ steps.image-url.outputs.url }} - image-labels: ${{ inputs.image-labels }} - image-tags: | - # create container tag for git tags - type=ref,event=tag,value=latest - type=match,pattern=v(.*),group=1 - type=ref,event=pr - # use unstable for main branch - type=raw,value=unstable,enable={{is_default_branch}} - # use unstable-release for release branches - type=raw,value=unstable-release,enable=${{startsWith(github.ref, 'refs/heads/release/')}} - registry: ${{ vars.GREENBONE_REGISTRY }} - registry-username: ${{ secrets.GREENBONE_REGISTRY_USER }} - registry-password: ${{ secrets.GREENBONE_REGISTRY_TOKEN }} + build: + name: Container build push 3rd gen + needs: meta + uses: greenbone/workflows/.github/workflows/container-push.yml@main + with: + build-context: ${{ inputs.build-context }} + build-docker-file: ${{ inputs.build-docker-file }} + build-args: ${{ inputs.build-args }} + build-secrets: ${{ inputs.build-secrets }} + build-secrets-name: ${{ contains(inputs.build-secret-greenbonebot, 'true') && 'GREENBONE_BOT_PACKAGES_READ_TOKEN' }} + image-labels: ${{ inputs.image-labels }} + image-urls: | + ghcr.io/${{ inputs.image-url }} + ${{ vars.GREENBONE_REGISTRY }}/${{ 
needs.meta.outputs.url }} + secrets: inherit - push-sbom: + sbom: name: Scan image and push SBOM if: inputs.service && startsWith(github.ref, 'refs/tags/v') - needs: building-container-greenbone + needs: + - meta + - build uses: greenbone/workflows/.github/workflows/generate-and-push-sbom-with-trivy-3rd-gen.yml@main with: - image-url: "${{ vars.GREENBONE_REGISTRY }}/${{ needs.building-container-greenbone.outputs.image-url }}:${{ github.ref_name }}" - image-registry-username-secret-name: "GREENBONE_REGISTRY_READ_USER" - image-registry-password-secret-name: "GREENBONE_REGISTRY_READ_TOKEN" - output-file-name: "${{ needs.building-container-greenbone.outputs.image-name }}.${{ github.ref_name }}.sbom.json" - artifact-url: "${{ vars.GREENBONE_REGISTRY }}/${{ needs.building-container-greenbone.outputs.image-url }}-sbom:${{ github.ref_name }}" + image-url: "${{ vars.GREENBONE_REGISTRY }}/${{ needs.meta.outputs.url }}:${{ github.ref_name }}" + image-registry-username-secret-name: "GREENBONE_REGISTRY_USER" + image-registry-password-secret-name: "GREENBONE_REGISTRY_TOKEN" + output-file-name: "${{ needs.meta.outputs.name }}.${{ github.ref_name }}.sbom.json" + artifact-url: "${{ vars.GREENBONE_REGISTRY }}/${{ needs.meta.outputs.url }}-sbom:${{ github.ref_name }}" secrets: inherit harbor-replication: - if: inputs.service && startsWith(github.ref, 'refs/tags/v') + if: github.event_name != 'pull_request' needs: - - building-container-greenbone + - meta + - build runs-on: self-hosted-generic steps: - name: Trigger harbor replication - shell: bash - run: | - if ! 
[ '${{ secrets.GREENBONE_REGISTRY_REPLICATION_TOKEN }}' ]; then - echo "Secret GREENBONE_REGISTRY_REPLICATION_TOKEN does not exist" - exit 0 - fi - curl --fail-with-body -X POST \ - https://${{ vars.GREENBONE_REGISTRY }}/api/v2.0/replication/executions \ - -u '${{ secrets.GREENBONE_REGISTRY_REPLICATION_USER }}:${{ secrets.GREENBONE_REGISTRY_REPLICATION_TOKEN }}' \ - -H "Content-Type: application/json" \ - -d '{"policy_id": 1}' + uses: greenbone/actions/trigger-harbor-replication@v3 + with: + registry: ${{ vars.GREENBONE_REGISTRY }} + user: ${{ secrets.GREENBONE_REGISTRY_REPLICATION_USER }} + token: ${{ secrets.GREENBONE_REGISTRY_REPLICATION_TOKEN }} - building-product-compose: + automatix: if: inputs.service && startsWith(github.ref, 'refs/tags/v') needs: - - building-container-ghcr - - building-container-greenbone + - meta + - build - harbor-replication - runs-on: "ubuntu-latest" + runs-on: ubuntu-latest steps: - name: Trigger product compose upgrade uses: greenbone/actions/trigger-workflow@v3 with: token: ${{ secrets.GREENBONE_BOT_TOKEN }} - repository: "greenbone/automatix" - workflow: "push.yml" - inputs: '{"service": "${{ inputs.service }}", "image-url": "${{ needs.building-container-greenbone.outputs.image-url }}", "digest": "${{ needs.building-container-greenbone.outputs.digest }}", "version": "${{ github.ref_name }}"}' + repository: greenbone/automatix + workflow: push.yml + inputs: '{"service": "${{ inputs.service }}", "image-url": "${{ needs.meta.outputs.url }}", "digest": "${{ needs.build.outputs.digest }}", "version": "${{ github.ref_name }}"}' notify: needs: - - building-container-ghcr - - building-container-greenbone - - push-sbom + - meta + - build - harbor-replication - - building-product-compose - if: ${{ !cancelled() && startsWith(github.ref, 'refs/tags/v') && startsWith(inputs.notify, 'true') }} + - automatix + if: ${{ !cancelled() && inputs.service && startsWith(github.ref, 'refs/tags/v') && startsWith(inputs.notify, 'true') }} uses: 
greenbone/workflows/.github/workflows/notify-mattermost-3rd-gen.yml@main with: status: ${{ contains(needs.*.result, 'failure') && 'failure' || 'success' }} diff --git a/.github/workflows/container-push.yml b/.github/workflows/container-push.yml index 428753f..6a5d2b0 100644 --- a/.github/workflows/container-push.yml +++ b/.github/workflows/container-push.yml @@ -16,6 +16,13 @@ on: build-docker-file: description: "Path to the docker file. Default is ./Dockerfile" type: string + default: ./Dockerfile + build-secrets: + description: "Use these build-secrets for the docker build process. It is not possible to use github secrets in here!" + type: string + build-secrets-name: + description: "The name of the github secret to use as build secrets." + type: string image-labels: description: "Image labels." required: true 
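Review bot: The `sbom` job now reads the image with `GREENBONE_REGISTRY_USER`/`GREENBONE_REGISTRY_TOKEN` instead of the dedicated `GREENBONE_REGISTRY_READ_USER`/`GREENBONE_REGISTRY_READ_TOKEN` pair the removed lines used, which hands a scan job the same push-capable credential the build uses; unless the read-only pair has been retired, keep `image-registry-username-secret-name: "GREENBONE_REGISTRY_READ_USER"` and `image-registry-password-secret-name: "GREENBONE_REGISTRY_READ_TOKEN"`. In the `build` job, `build-secrets-name: ${{ contains(inputs.build-secret-greenbonebot, 'true') && 'GREENBONE_BOT_PACKAGES_READ_TOKEN' }}` evaluates to the literal string `false` when the flag is off, so the called workflow then looks up `secrets['false']` and only works by accident; append `|| ''` to make the empty case explicit. `harbor-replication` now fires on every non-PR event rather than only on release tags, exercising `GREENBONE_REGISTRY_REPLICATION_TOKEN` on each branch push on the self-hosted runner — confirm that widening is intended. `greenbone/actions/trigger-harbor-replication@v3` is a mutable tag where `actions/checkout` and `container-multi-arch-manifest` in this diff are SHA-pinned; pinning it keeps the replication credential from flowing into a retagged action.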
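Review bot: The new `build-secrets` description ("It is not possible to use github secrets in here!") states the restriction but not the security reason a caller needs, and `build-secrets-name` does not say how the named secret reaches this workflow or that it is ignored when `build-secrets` is set (the `||` in the build jobs gives `build-secrets` precedence). Suggest `description: "Build secrets for the docker build. This is an ordinary workflow input, so its value is not masked in logs and must not contain real credentials; to use a GitHub secret set build-secrets-name instead."` for the first and `description: "Name of a GitHub secret, made available to this workflow via secrets: or secrets: inherit, whose value is passed as the docker build secret. Ignored when build-secrets is set."` for the second.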
@@ -29,67 +36,29 @@ on: type=ref,event=pr # use unstable for main branch type=raw,value=unstable,enable={{is_default_branch}} + # use unstable-release for release branches + type=raw,value=unstable-release,enable=${{startsWith(github.ref, 'refs/heads/release/')}} type: string image-flavor: description: "Image flavor." default: "latest=false" type: string - image-url: - description: "Image url/name without registry." - required: true - type: string - notify: - description: "Enable mattermost notify. Default is true" - default: "true" - type: string - notification-channel: - description: "The name of the channel where the notification happens." - type: string - default: "pd2ndgendeployment" - notification-webhook-secret-name: - description: "The name of the webhook secret. Default is MATTERMOST_WEBHOOK_URL" - type: string - default: "MATTERMOST_WEBHOOK_URL" - registry: - description: "Registry domain name." - required: true - type: string - registry-username: - description: "Registry username." - type: string - registry-username-secret-name: - description: "The name of the registry username secret. Default is GREENBONE_REGISTRY_USER" - type: string - default: "GREENBONE_REGISTRY_USER" - registry-password-secret-name: - description: "The name of the registry password secret. Default is GREENBONE_REGISTRY_TOKEN" - type: string - default: "GREENBONE_REGISTRY_TOKEN" - scout-user-secret-name: - description: "The name of the scout user secret. Default is DOCKERHUB_USERNAME" - type: string - default: "DOCKERHUB_USERNAME" - scout-password-secret-name: - description: "The name of the scout user secret. Default is DOCKERHUB_TOKEN" - type: string - default: "DOCKERHUB_TOKEN" - cosign-key-secret-name: - description: "The name of the cosign key secret. Default is COSIGN_KEY_OPENSIGHT" + image-urls: + description: "Ghcr.io and Greenbone registry image urls to push to." 
type: string - default: "COSIGN_KEY_OPENSIGHT" - cosign-key-passworp-secret-name: - description: "The name of the cosign key password secret. Default is COSIGN_KEY_PASSWORD_OPENSIGHT" - type: string - default: "COSIGN_KEY_PASSWORD_OPENSIGHT" secrets: COSIGN_KEY_OPENSIGHT: required: false COSIGN_KEY_PASSWORD_OPENSIGHT: required: false - DOCKERHUB_USERNAME: + GREENBONE_BOT: + required: false + GREENBONE_BOT_PACKAGES_READ_TOKEN: required: false - DOCKERHUB_TOKEN: + GREENBONE_BOT_PACKAGES_WRITE_TOKEN: + required: false + GREENBONE_BOT_TOKEN: required: false GREENBONE_REGISTRY: required: false @@ -97,29 +66,22 @@ on: required: false GREENBONE_REGISTRY_TOKEN: required: false - GREENBONE_BOT_TOKEN: - required: false GREENBONE_REGISTRY_REPLICATION_USER: required: false GREENBONE_REGISTRY_REPLICATION_TOKEN: required: false - MATTERMOST_WEBHOOK_URL: + GITHUB_TOKEN: required: false outputs: digest: description: "The container digest" - value: ${{ jobs.create-multi-arch-manifest.outputs.digest }} - -# INFO -# We cannot use a matrix here because job outputs from matrix jobs cannot be passed to other jobs. -# Due to cosign and the use of native runners, we cannot use the platform build mode from buildx anymore. -# This means we have to build our own multi-arch manifest. + value: ${{ jobs.manifest.outputs.digest }} jobs: build-amd64: name: Build amd64 container - runs-on: self-hosted-generic + runs-on: ubuntu-latest outputs: digest: ${{ steps.build-and-push.outputs.digest }} tags: ${{ steps.build-and-push.outputs.tags }} 
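Review bot: `image-urls` replaces the `required: true` input `image-url` but is neither required nor defaulted, and the `manifest` job later feeds it straight into `docker/metadata-action`'s `images:`, so a caller that omits it gets an empty image list at manifest time instead of a validation error; add `required: true` beneath its `type: string`. The description should also state the format the caller at the top of this diff relies on — a newline-separated list of fully qualified references — e.g. `description: "Newline-separated list of fully qualified image names (registry/name) the multi-arch manifest is pushed to, e.g. ghcr.io/org/repo and the Greenbone registry."`.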
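Review bot: `GITHUB_TOKEN` is declared as a `workflow_call` secret, but the automatic token is, as far as I know, always available as `secrets.GITHUB_TOKEN` inside a called workflow and cannot be supplied by the caller, and GitHub rejects secret names with the `GITHUB_` prefix, so the two lines `GITHUB_TOKEN:` / `required: false` are at best dead and may be a workflow syntax error; drop them. `build-amd64` moves to `ubuntu-latest` and (per the next hunk) pushes with `secrets.GITHUB_TOKEN`, which needs `packages: write`; no `permissions:` is visible in this hunk, so confirm it is granted at workflow or job level.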
@@ -138,23 +100,20 @@ jobs:
 build-context: ${{ inputs.build-context }}
 build-docker-file: ${{ inputs.build-docker-file }}
 build-args: ${{ inputs.build-args }}
- image-url: ${{ inputs.image-url }}
+ build-secrets: ${{ inputs.build-secrets || inputs.build-secrets-name && secrets[inputs.build-secrets-name] }}
+ image-url: ${{ github.repository }}
 image-labels: ${{ inputs.image-labels }}
- image-tags: raw,value=${{ steps.checkout.outputs.ref }}-amd64 # temporary tag that will be overwritten with the manifest upload
+ image-tags: raw,value=${{ steps.checkout.outputs.ref }}-amd64
 image-platforms: linux/amd64
 image-flavor: latest=false
- registry: ${{ inputs.registry }}
- registry-username: ${{ inputs.registry-username || secrets[inputs.registry-username-secret-name] }}
- registry-password: ${{ secrets[inputs.registry-password-secret-name] }}
- scout-user: ${{ secrets[inputs.scout-user-secret-name] }}
- scout-password: ${{ secrets[inputs.scout-password-secret-name] }}
- scout-command: cves
+ registry: 'ghcr.io'
+ registry-username: ${{ github.actor }}
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
 
 build-arm64:
- # At the moment we don't have enough arm runners to provide a run for every PR!
 name: Build arm64 container
 if: github.event_name != 'pull_request'
- runs-on: self-hosted-generic-arm64
+ runs-on: self-hosted-generic-vm-arm64
 outputs:
 digest: ${{ steps.build-and-push.outputs.digest }}
 tags: ${{ steps.build-and-push.outputs.tags }}
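Review bot: The amd64 build drops the Docker Scout CVE scan (`scout-user`/`scout-password`/`scout-command: cves`) without adding a replacement in this workflow, and the only scan left in the diff — the Trivy `sbom` job in the 3rd-gen caller — is gated on `inputs.service && startsWith(github.ref, 'refs/tags/v')`, so PR and branch images pushed to ghcr.io are now never scanned; if that is intended, record it in a comment on the build step, otherwise re-add a scan here. `build-secrets: ${{ inputs.build-secrets || inputs.build-secrets-name && secrets[inputs.build-secrets-name] }}` silently yields an empty value when the named secret was not passed to this workflow, so a missing `secrets: inherit` surfaces as a Dockerfile failure far from its cause; a short `run:` step that exits non-zero when `inputs.build-secrets-name` is non-empty but the resolved secret is empty would make the misconfiguration explicit. Pushing to `ghcr.io` with `secrets.GITHUB_TOKEN` requires `packages: write`, which is not visible in this hunk and is presumably set elsewhere.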
@@ -173,16 +132,17 @@ jobs:
 build-context: ${{ inputs.build-context }}
 build-docker-file: ${{ inputs.build-docker-file }}
 build-args: ${{ inputs.build-args }}
- image-url: ${{ inputs.image-url }}
+ build-secrets: ${{ inputs.build-secrets || inputs.build-secrets-name && secrets[inputs.build-secrets-name] }}
+ image-url: ${{ github.repository }}
 image-labels: ${{ inputs.image-labels }}
- image-tags: raw,value=${{ steps.checkout.outputs.ref }}-arm64 # temporary tag that will be overwritten with the manifest upload
+ image-tags: raw,value=${{ steps.checkout.outputs.ref }}-arm64
 image-platforms: linux/arm64
 image-flavor: latest=false
- registry: ${{ inputs.registry }}
- registry-username: ${{ inputs.registry-username || secrets[inputs.registry-username-secret-name] }}
- registry-password: ${{ secrets[inputs.registry-password-secret-name] }}
+ registry: 'ghcr.io'
+ registry-username: ${{ github.actor }}
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
 
- create-multi-arch-manifest:
+ manifest:
 name: Create container multi arch manifest
 if: github.event_name != 'pull_request'
 runs-on: self-hosted-generic
@@ -196,16 +156,23 @@ jobs:
 id: meta
 uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
 with:
- images: ${{ inputs.registry }}/${{ inputs.image-url }}
+ images: ${{ inputs.image-urls }}
 flavor: ${{ inputs.image-flavor }}
 tags: ${{ inputs.image-tags }}
 
+ - name: Login to ${{ vars.GREENBONE_REGISTRY }} Container Registry
+ uses: docker/login-action@v4
+ with:
+ registry: ${{ vars.GREENBONE_REGISTRY }}
+ username: ${{ secrets.GREENBONE_REGISTRY_USER }}
+ password: ${{ secrets.GREENBONE_REGISTRY_TOKEN }}
+
 - name: Create multi arch manifest
 id: manifest
 uses: greenbone/actions/container-multi-arch-manifest@f0c8b8268b98d09237774489fefc2c0ab77703aa # v3.27.13
 with:
- cosign-key: ${{ secrets.COSIGN_KEY_OPENSIGHT }}
- cosign-key-password: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }}
+ cosign-key: ${{ secrets[inputs.cosign-key-secret-name] }}
+ cosign-key-password: ${{ secrets[inputs.cosign-key-password-secret-name] }}
 cosign-tlog-upload: "false"
 annotations: |
 ${{ needs.build-amd64.outputs.annotations }}
@@ -215,18 +182,6 @@ jobs:
 ${{ needs.build-amd64.outputs.digest }}
 ${{ needs.build-arm64.outputs.digest }}
 url: ${{ inputs.image-url }}
- registry: ${{ inputs.registry }}
- registry-username: ${{ secrets[inputs.registry-username-secret-name] }}
- registry-password: ${{ secrets[inputs.registry-password-secret-name] }}
-
- notify:
- needs:
- - build-amd64
- - build-arm64
- - create-multi-arch-manifest
- if: ${{ !cancelled() && startsWith(inputs.notify, 'true') && github.event_name != 'pull_request' }}
- uses: greenbone/workflows/.github/workflows/notify-mattermost-2nd-gen.yml@main
- with:
- status: ${{ contains(needs.*.result, 'failure') && 'failure' || 'success' }}
- channel: ${{ inputs.notification-channel }}
- secrets: inherit
+ registry: 'ghcr.io'
+ registry-username: ${{ github.actor }}
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
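Review bot: `cosign-key: ${{ secrets[inputs.cosign-key-secret-name] }}` and `cosign-key-password: ${{ secrets[inputs.cosign-key-password-secret-name] }}` reference inputs this same commit removes from the `inputs:` block (`cosign-key-secret-name`, `cosign-key-passworp-secret-name`), so both expressions evaluate to empty and the multi-arch manifest is either pushed unsigned or the step fails — neither yields a signed release. The `COSIGN_KEY_OPENSIGHT`/`COSIGN_KEY_PASSWORD_OPENSIGHT` secrets are still declared, so the direct form the removed lines used, `cosign-key: ${{ secrets.COSIGN_KEY_OPENSIGHT }}` / `cosign-key-password: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }}`, is the straightforward fix. `docker/login-action@v4` is a mutable tag beside two SHA-pinned actions; pin it to a commit with the version in a trailing comment like the others. The login targets `vars.GREENBONE_REGISTRY` while the manifest action in the next hunk is given `registry: 'ghcr.io'`; whether the action also pushes to the second entry of `image-urls` through the ambient docker login is not visible here and deserves a comment on the login step.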
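Review bot: The context line `url: ${{ inputs.image-url }}` now points at an input this commit deletes, so the manifest action receives an empty `url`; the per-arch jobs switched to `image-url: ${{ github.repository }}`, so `url: ${{ github.repository }}` is probably the intended value, but check what the action expects when `images:` above lists two registries. The `registry: 'ghcr.io'` / `registry-username: ${{ github.actor }}` / `registry-password: ${{ secrets.GITHUB_TOKEN }}` triple means the manifest is pushed with the workflow token from a self-hosted runner, which needs `packages: write`; that permission is not visible in this hunk.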