fcli/.github/workflows/docker.yml at develop · MikeTheSnowman/fcli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
name: Build and publish Docker images
on:
  workflow_dispatch:
    inputs:
      releaseTag: # Accessible through ${{ inputs.releaseTag }}
        description: 'Required fcli release tag for which to build and release Docker images'
        required: true
        type: string
      doPublish:
        description: 'Boolean indicating whether images should be published to Docker Hub'
        required: true
        type: boolean

jobs:
  # For now, we only publish fcli-scratch image, but we do build the other images just for testing
  docker-linux:
    runs-on: ubuntu-latest
    env:
      DOCKER_SRC_LINUX: fcli-other/fcli-docker/linux
      DOCKER_SRC_GITLAB: fcli-other/fcli-docker/gitlab-installer-svc/linux
      DOCKER_TAG_GITLAB: gitlab-installer-svc-linux
    steps:
        - name: Check-out source code
          uses: actions/checkout@v4
          with:
            ref: ${{ inputs.releaseTag }}
            fetch-tags: true

        - name: Set up Docker
          uses: docker/setup-docker-action@v4
          with:
            daemon-config: |
              {
                  "debug": true,
                  "features": {
                    "containerd-snapshotter": true
                  }
              }

        - name: Build & test Linux images
          shell: bash
          run: |
            cd ${DOCKER_SRC_LINUX}
            curl -L https://github.com/fortify/fcli/releases/download/${{ inputs.releaseTag }}/fcli-linux.tgz | tar -zxv
            for i in scratch alpine ubi9
            do
              docker buildx build --target fcli-${i} -t fcli-${i} --attest type=provenance,mode=max --sbom=true .
              mkdir ${PWD}/${i}
              docker run --rm -u $(id -u):$(id -g) -v ${PWD}/${i}:/data fcli-${i} fcli tool sc-client install
              test -f ${PWD}/${i}/fortify/tools/bin/scancentral
            done
        - name: Build GitLab Installer Service image
          shell: bash
          run: |
            cd ${DOCKER_SRC_GITLAB}
            curl -L https://github.com/fortify/fcli/releases/download/${{ inputs.releaseTag }}/fcli-linux.tgz | tar -zxv
            docker buildx build -t fcli-${DOCKER_TAG_GITLAB} --attest type=provenance,mode=max --sbom=true .

        # For now, we only release scratch and GitLab Installer Service images
        - name: Tag images
          shell: bash
          run: |
           for v in $(git tag --points-at ${{ inputs.releaseTag }})
            do
              echo Tagging ${v}
              docker tag fcli-scratch fortifydocker/fcli:${v#v}
              docker tag fcli-${DOCKER_TAG_GITLAB} fortifydocker/fcli:${v#v}-${DOCKER_TAG_GITLAB}
            done

        - name: Docker Login
          uses: docker/login-action@v3
          with:
            username: ${{ secrets.DOCKER_USERNAME }}
            password: ${{ secrets.DOCKER_PASSWORD }}

        # TODO Should we sign the images as well?
        - name: Publish Linux Docker images
          if: ${{ inputs.doPublish }}
          shell: bash
          run: |
            docker push --all-tags fortifydocker/fcli

  # For now, we only publish Linux-based images, but we do build the Windows images just for testing
  docker-win:
    runs-on: windows-2022
    env:
      DOCKER_SRC: fcli-other/fcli-docker/windows
    steps:
        - name: Check-out source code
          uses: actions/checkout@v4
          with:
            ref: ${{ inputs.releaseTag }}
            fetch-tags: true

        - name: Build & test Windows images
          shell: bash
          run: |
            cd ${DOCKER_SRC}
            curl -L https://github.com/fortify/fcli/releases/download/${{ inputs.releaseTag }}/fcli-windows.zip -o fcli-windows.zip
            unzip fcli-windows.zip
            rm fcli-windows.zip

            for i in ltsc2022
            do
              docker build . --target fcli-${i} -t fcli-${i}
              # Following doesn't work yet, hence the echo statements instead of actually running these.
              # Likely, we need to pass Windows-style paths to volume mappings in docker run command
              mkdir ${PWD}/${i}
              echo docker run --rm -v ${PWD}/${i}:/data fcli-${i} fcli tool sc-client install
              echo test -f ${PWD}/${i}/fortify/tools/bin/scancentral
            done

        # For now, we only release scratch and GitLab Installer Service images
        - name: Tag images
          shell: bash
          run: |
            for v in $(git tag --points-at ${{ inputs.releaseTag }})
            do
              echo Tagging ${v}
              docker tag fcli-ltsc2022 fortifydocker/fcli:${v#v}-ltsc2022
            done
        #- name: Docker Login
        #  if: needs.build.outputs.do_release
        #  uses: docker/login-action@v3
        #  with:
        #    username: ${{ secrets.DOCKER_USERNAME }}
        #    password: ${{ secrets.DOCKER_PASSWORD }}
        # TODO Should we sign the images as well?
        #- name: Publish Linux Docker images
        #  if: needs.build.outputs.do_release
        #  shell: bash
        #  run: |
        #    docker push --all-tags fortifydocker/fcli