From b039f2785981a4653e2d7fb68505d7339e7568b1 Mon Sep 17 00:00:00 2001 From: DenysSirchenko Date: Mon, 14 Apr 2025 16:38:32 +0300 Subject: [PATCH 1/6] Updated ci.yml, ecr-scheduled-security-scan.yml and ecr-scheduled-security-scan.yml workflows --- .github/workflows/ci.yml | 36 +++-- .../workflows/ecr-scheduled-security-scan.yml | 140 +++++------------- ...rivy-trufflehog-default-security-scan.yml} | 51 +++---- 3 files changed, 81 insertions(+), 146 deletions(-) rename .github/workflows/{tryvi-trufflehog-default-security-scan.yml => trivy-trufflehog-default-security-scan.yml} (54%) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 960ce0ab..8126a2f5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -64,7 +64,7 @@ jobs: steps: - name: Check out repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 
@@ -77,25 +77,31 @@ jobs: PREV_COMMIT_HASH=$(git rev-parse origin/master) IMAGE_TAG="${{ matrix.tags[0] }}" echo "Pulling image $IMAGE_TAG" - docker pull "$IMAGE_TAG" - - NEW_TAG="${IMAGE_TAG}-${PREV_COMMIT_HASH}" - echo "Re-tagging image to $NEW_TAG" - docker tag "$IMAGE_TAG" "$NEW_TAG" - - echo "Removing the pulled image $IMAGE_TAG" - docker rmi "$IMAGE_TAG" || true + + if ! docker pull "$IMAGE_TAG"; then + echo "Image $IMAGE_TAG does not exist. Setting PREV_COMMIT_HASH to empty string." + PREV_COMMIT_HASH="" + else + docker pull "$IMAGE_TAG" + + NEW_TAG="${IMAGE_TAG}-${PREV_COMMIT_HASH}" + echo "Re-tagging image to $NEW_TAG" + docker tag "$IMAGE_TAG" "$NEW_TAG" + + echo "Removing the pulled image $IMAGE_TAG" + docker rmi "$IMAGE_TAG" || true + fi fi echo "PREV_COMMIT_HASH=$PREV_COMMIT_HASH" >> $GITHUB_ENV - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Login to DockerHub - uses: docker/login-action@v1 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} @@ -104,6 +110,10 @@ jobs: if: ${{ github.ref == 'refs/heads/master' }} run: | PREV_HASH=${{ env.PREV_COMMIT_HASH }} + if [ -z "$PREV_HASH" ]; then + echo "PREV_HASH is empty. Skipping retagging." + exit 0 + fi IMAGE_TAGS="${{ join(matrix.tags, ' ') }}" for IMAGE_TAG in $IMAGE_TAGS; do docker pull "$IMAGE_TAG" @@ -115,7 +125,7 @@ jobs: - name: Build and push id: docker_build - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 with: push: ${{ github.ref == 'refs/heads/master' }} load: ${{ github.ref != 'refs/heads/master' }} diff --git a/.github/workflows/ecr-scheduled-security-scan.yml b/.github/workflows/ecr-scheduled-security-scan.yml index a9c2676f..3edf26b1 100644 --- a/.github/workflows/ecr-scheduled-security-scan.yml 
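Review bot: The `docker pull "$IMAGE_TAG"` at the top of the new `else` branch repeats the pull that the `if ! docker pull "$IMAGE_TAG"` test has just completed successfully, so it adds a second registry round-trip for no effect; drop that line and keep the `docker tag` / `docker rmi` steps. The actions bumped in this hunk (`docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`) and `docker/build-push-action@v6` in the hunk below are pinned to mutable major tags; for a job that holds `DOCKER_USERNAME`/`DOCKER_PASSWORD` and pushes images, pinning each `uses:` to a full commit SHA with the version in a trailing comment makes the dependency auditable. The enclosing `run:` block starts outside the hunk.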
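Review bot: The new `if [ -z "$PREV_HASH" ]` guard in the re-tag step looks unreachable as written: the step's `if:` restricts it to `refs/heads/master`, and on that branch the earlier step sets `PREV_COMMIT_HASH` from `git rev-parse HEAD^1`, which is never empty — the empty value is only assigned on the non-master path of the previous hunk. If the intent is to skip re-tagging when a previous image is missing, the check that produces the empty string and this guard need to cover the same branch; if it is purely defensive, a comment such as `# PREV_COMMIT_HASH is only emptied off master, where this step is skipped` would record that. The value could also be read as `PREV_HASH="$PREV_COMMIT_HASH"` from the job environment rather than templated into the script. The `run:` block starts outside the hunk.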
+++ b/.github/workflows/ecr-scheduled-security-scan.yml @@ -1,4 +1,4 @@ -name: ECR vulnerability detection +name: ECR PHP Vulnerability Scan on: schedule: 
@@ -9,121 +9,63 @@ on: jobs: vulnerability-detection: - runs-on: ubuntu-latest strategy: fail-fast: false matrix: include: ## Alpine ### Alpine 3.18 - - image: "alpine/3.18/8.1/Dockerfile" - tags: "8.1-alpine3.18" + - context: "alpine/3.18/8.1" + dockerfile: "Dockerfile" + image: "spryker/php:8.1-alpine3.18" platforms: "linux/amd64" - - image: "alpine/3.18/8.2/Dockerfile" - tags: "8.2-alpine3.18" + - context: "alpine/3.18/8.2" + dockerfile: "Dockerfile" + image: "spryker/php:8.2-alpine3.18" platforms: "linux/amd64" - - image: "alpine/3.18/8.3/Dockerfile" - tags: "8.3-alpine3.18" + - context: "alpine/3.18/8.3" + dockerfile: "Dockerfile" + image: "spryker/php:8.3-alpine3.18" platforms: "linux/amd64" ### Alpine 3.19 - - image: "alpine/3.19/8.1/Dockerfile" - tags: "8.1-alpine3.19" + - context: "alpine/3.19/8.1" + dockerfile: "Dockerfile" + image: "spryker/php:8.1-alpine3.19" platforms: "linux/amd64" - - image: "alpine/3.19/8.2/Dockerfile" - tags: "8.2-alpine3.19" + - context: "alpine/3.19/8.2" + dockerfile: "Dockerfile" + image: "spryker/php:8.2-alpine3.19" platforms: "linux/amd64" - - image: "alpine/3.19/8.3/Dockerfile" - tags: "8.3-alpine3.19" + - context: "alpine/3.19/8.3" + dockerfile: "Dockerfile" + image: "spryker/php:8.3-alpine3.19" platforms: "linux/amd64" ### Alpine 3.20 - - image: "alpine/3.20/8.1/Dockerfile" - tags: "8.1-alpine3.20" + - context: "alpine/3.20/8.1" + dockerfile: "Dockerfile" + image: "spryker/php:8.1-alpine3.20" platforms: "linux/amd64" - - image: "alpine/3.20/8.2/Dockerfile" - tags: "8.2-alpine3.20" + - context: "alpine/3.20/8.2" + dockerfile: "Dockerfile" + image: "spryker/php:8.2-alpine3.20" platforms: "linux/amd64" - - image: "alpine/3.20/8.3/Dockerfile" - tags: "8.3-alpine3.20" + - context: "alpine/3.20/8.3" + dockerfile: "Dockerfile" + image: "spryker/php:8.3-alpine3.20" platforms: "linux/amd64" - steps: - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-access-key-id: ${{ 
secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} - - - name: Login to AWS ECR - uses: aws-actions/amazon-ecr-login@v1 - - - name: Build and push - id: docker-build - uses: docker/build-push-action@v2 - with: - push: true - file: ${{ matrix.image }} - tags: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ secrets.AWS_ECR_REPO }}:${{ matrix.tags }}-${{ github.sha }} - platforms: ${{ matrix.platforms }} - - - name: Scan Docker image - id: docker-scan - uses: alexjurkiewicz/ecr-scan-image@v2.0.0 - with: - repository: ${{ secrets.AWS_ECR_REPO }} - tag: ${{ join(matrix.tags) }}-${{ github.sha }} - - - name: Delete images after scan images - run: | - aws ecr batch-delete-image --repository-name ${{ secrets.AWS_ECR_REPO }} --image-id imageTag="${{ join(matrix.tags) }}-${{ github.sha }}" - - - run: | - echo "${{ steps.docker-scan.outputs.total }} total vulnerabilities." - - - name: Set Date and Time - id: set-date - if: github.event.schedule == '0 9 * * *' - run: echo "::set-output name=current_datetime::$(date +'%Y-%m-%d %H:%M:%S')" - - - name: Set Color - id: set-color - if: github.event.schedule == '0 9 * * *' - run: | - if [[ "${{ true }}" ]]; then - COLOR="#008000" - else - COLOR="#ff0000" - fi - echo "::set-output name=color::$COLOR" - - - name: Send GitHub Action trigger data to Slack workflow - id: slack - if: github.event.schedule == '0 9 * * *' - uses: slackapi/slack-github-action@v1.24.0 - with: - payload: | - { - "text": "Scanned image tag *${{ matrix.tags }}*.", - "attachments": [ - { - "pretext": "ECR vulnerability scan outputs for ${{ steps.set-date.outputs.current_datetime }}", - "color": "${{ steps.set-color.outputs.color }}", - "fields": [ - { - "title": "Status", - "short": true, - "value": "*${{ steps.docker-scan.outputs.total }}* total vulnerabilities" - } - ] - } - ] - } - env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - 
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK - - - name: Fail the execution - if: ${{ steps.docker-scan.outputs.total > 0 }} - run: exit 1 + uses: spryker-projects/gha-reusable-workflows/.github/workflows/ecr-scheduled-security-scan.yml@main + with: + image: ${{ matrix.image }} + tag: ${{ matrix.tag }} + platforms: ${{ matrix.platforms }} + image_type: ${{ matrix.image_type }} + secrets: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_REGION: ${{ secrets.AWS_REGION }} + AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} + AWS_ECR_REPO: ${{ secrets.AWS_ECR_REPO }} + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/tryvi-trufflehog-default-security-scan.yml b/.github/workflows/trivy-trufflehog-default-security-scan.yml similarity index 54% rename from .github/workflows/tryvi-trufflehog-default-security-scan.yml rename to .github/workflows/trivy-trufflehog-default-security-scan.yml index fd2ca275..31730577 100644 --- a/.github/workflows/tryvi-trufflehog-default-security-scan.yml +++ b/.github/workflows/trivy-trufflehog-default-security-scan.yml @@ -11,7 +11,6 @@ concurrency: jobs: build-and-scan-images-for-vulnerabilities: - runs-on: ubuntu-latest strategy: fail-fast: false matrix: 
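Review bot: The job now hands `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `SLACK_WEBHOOK_URL` to `spryker-projects/gha-reusable-workflows/.github/workflows/ecr-scheduled-security-scan.yml@main`, a mutable branch ref, so any push to that branch changes what runs with these credentials without a change in this repository; pin the `uses:` to a release tag or full commit SHA. Separately, the `with:` block reads `matrix.tag` and `matrix.image_type`, but the matrix entries in this hunk define only `context`, `dockerfile`, `image` and `platforms`, so both inputs expand to empty strings and `image` carries the full `spryker/php:…` name rather than the Dockerfile path the old job used; later patches in this series rework the matrix keys, but inputs and matrix should change in the same commit so every revision is runnable. The removed job failed explicitly on `steps.docker-scan.outputs.total > 0`; whether the reusable workflow fails the run on findings is not visible here.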
@@ -20,66 +19,50 @@ jobs: ### Alpine 3.18 - context: "alpine/3.18/8.1" dockerfile: "Dockerfile" - tags: "8.1-alpine3.18" + image: "spryker/php:8.1-alpine3.18" platforms: "linux/amd64" - context: "alpine/3.18/8.2" dockerfile: "Dockerfile" - tags: "8.2-alpine3.18" + image: "spryker/php:8.2-alpine3.18" platforms: "linux/amd64" - context: "alpine/3.18/8.3" dockerfile: "Dockerfile" - tags: "8.3-alpine3.18" + image: "spryker/php:8.3-alpine3.18" platforms: "linux/amd64" ### Alpine 3.19 - context: "alpine/3.19/8.1" dockerfile: "Dockerfile" - tags: "8.1-alpine3.19" + image: "spryker/php:8.1-alpine3.19" platforms: "linux/amd64" - context: "alpine/3.19/8.2" dockerfile: "Dockerfile" - tags: "8.2-alpine3.19" + image: "spryker/php:8.2-alpine3.19" platforms: "linux/amd64" - context: "alpine/3.19/8.3" dockerfile: "Dockerfile" - tags: "8.3-alpine3.19" + image: "spryker/php:8.3-alpine3.19" platforms: "linux/amd64" ### Alpine 3.20 - context: "alpine/3.20/8.1" dockerfile: "Dockerfile" - tags: "8.1-alpine3.20" + image: "spryker/php:8.1-alpine3.20" platforms: "linux/amd64" - context: "alpine/3.20/8.2" dockerfile: "Dockerfile" - tags: "8.2-alpine3.20" + image: "spryker/php:8.2-alpine3.20" platforms: "linux/amd64" - context: "alpine/3.20/8.3" dockerfile: "Dockerfile" - tags: "8.3-alpine3.20" + image: "spryker/php:8.3-alpine3.20" platforms: "linux/amd64" - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Build Docker image - run: | - docker build --platform ${{ matrix.platforms }} -t spryker/php:${{ matrix.tags }} -f ${{ matrix.context }}/${{ matrix.dockerfile }} . 
- - - name: Scan Docker image with Trufflehog - continue-on-error: false - run: | - docker run --rm trufflesecurity/trufflehog:latest docker --image spryker/php:${{ matrix.tags }} --only-verified - - - name: Scan Docker image with Trivy - uses: aquasecurity/trivy-action@0.28.0 - with: - image-ref: "spryker/php:${{ matrix.tags }}" - exit-code: '1' - severity: 'LOW,MEDIUM,HIGH,CRITICAL' - ignore-unfixed: true - - - name: Show scan result - run: | - echo "Trivy scan completed for spryker/php:${{ matrix.tags }}" + name: Build and Scan - ${{ matrix.image }} + uses: spryker-projects/gha-reusable-workflows/.github/workflows/trivy-trufflehog-default-security-scan.yml@main + with: + context: ${{ matrix.context }} + dockerfile: ${{ matrix.dockerfile }} + image: ${{ matrix.image }} + platforms: ${{ matrix.platforms }} + secrets: inherit From a6f264df0cc3133a79d2ad21ebe72b7cd44bd98e Mon Sep 17 00:00:00 2001 From: DenysSirchenko Date: Mon, 14 Apr 2025 19:35:52 +0300 Subject: [PATCH 2/6] Testing new repo --- .github/workflows/ecr-scheduled-security-scan.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ecr-scheduled-security-scan.yml b/.github/workflows/ecr-scheduled-security-scan.yml index 3edf26b1..bfc7484f 100644 --- a/.github/workflows/ecr-scheduled-security-scan.yml +++ b/.github/workflows/ecr-scheduled-security-scan.yml @@ -1,11 +1,12 @@ name: ECR PHP Vulnerability Scan on: - schedule: - - cron: '0 9 * * *' + # schedule: + # - cron: '0 9 * * *' push: branches: - - master + # - master + - SC-22224 jobs: vulnerability-detection: From ce934a0e5109875a35227bfefa1c861661cf7659 Mon Sep 17 00:00:00 2001 From: DenysSirchenko Date: Mon, 14 Apr 2025 19:51:11 +0300 Subject: [PATCH 3/6] Testing new repo --- .../workflows/ecr-scheduled-security-scan.yml | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) 
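Review bot: `secrets: inherit` passes every repository and organization secret to the reusable workflow, including `DOCKER_PASSWORD`, the AWS keys and the Slack webhooks, although the removed build, Trufflehog and Trivy steps used none of them; the sibling ecr workflow in this patch passes an explicit `secrets:` mapping, and doing the same here with only the entries the reusable workflow declares keeps the callee to least privilege. The `uses:` ref is `@main`; pin it to a tag or full commit SHA. The removed Trivy step enforced `exit-code: '1'` on `LOW,MEDIUM,HIGH,CRITICAL` with `ignore-unfixed: true`; whether the reusable workflow keeps those thresholds cannot be checked from this hunk.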
diff --git a/.github/workflows/ecr-scheduled-security-scan.yml b/.github/workflows/ecr-scheduled-security-scan.yml index bfc7484f..2569213d 100644 --- a/.github/workflows/ecr-scheduled-security-scan.yml +++ b/.github/workflows/ecr-scheduled-security-scan.yml 
@@ -16,46 +16,46 @@ jobs: include: ## Alpine ### Alpine 3.18 - - context: "alpine/3.18/8.1" - dockerfile: "Dockerfile" - image: "spryker/php:8.1-alpine3.18" + - image: "alpine/3.18/8.1/Dockerfile" + tag: "8.1-alpine3.18" platforms: "linux/amd64" - - context: "alpine/3.18/8.2" - dockerfile: "Dockerfile" - image: "spryker/php:8.2-alpine3.18" + image_type: "PHP" + - image: "alpine/3.18/8.2/Dockerfile" + tag: "8.2-alpine3.18" platforms: "linux/amd64" - - context: "alpine/3.18/8.3" - dockerfile: "Dockerfile" - image: "spryker/php:8.3-alpine3.18" + image_type: "PHP" + - image: "alpine/3.18/8.3/Dockerfile" + tag: "8.3-alpine3.18" platforms: "linux/amd64" + image_type: "PHP" ### Alpine 3.19 - - context: "alpine/3.19/8.1" - dockerfile: "Dockerfile" - image: "spryker/php:8.1-alpine3.19" + - image: "alpine/3.19/8.1/Dockerfile" + tag: "8.1-alpine3.19" platforms: "linux/amd64" - - context: "alpine/3.19/8.2" - dockerfile: "Dockerfile" - image: "spryker/php:8.2-alpine3.19" + image_type: "PHP" + - image: "alpine/3.19/8.2/Dockerfile" + tag: "8.2-alpine3.19" platforms: "linux/amd64" - - context: "alpine/3.19/8.3" - dockerfile: "Dockerfile" - image: "spryker/php:8.3-alpine3.19" + image_type: "PHP" + - image: "alpine/3.19/8.3/Dockerfile" + tag: "8.3-alpine3.19" platforms: "linux/amd64" + image_type: "PHP" ### Alpine 3.20 - - context: "alpine/3.20/8.1" - dockerfile: "Dockerfile" - image: "spryker/php:8.1-alpine3.20" + - image: "alpine/3.20/8.1/Dockerfile" + tag: "8.1-alpine3.20" platforms: "linux/amd64" - - context: "alpine/3.20/8.2" - dockerfile: "Dockerfile" - image: "spryker/php:8.2-alpine3.20" + image_type: "PHP" + - image: "alpine/3.20/8.2/Dockerfile" + tag: "8.2-alpine3.20" platforms: "linux/amd64" - - context: "alpine/3.20/8.3" - dockerfile: "Dockerfile" - image: "spryker/php:8.3-alpine3.20" + image_type: "PHP" + - image: "alpine/3.20/8.3/Dockerfile" + tag: "8.3-alpine3.20" platforms: "linux/amd64" + image_type: "PHP" uses: 
spryker-projects/gha-reusable-workflows/.github/workflows/ecr-scheduled-security-scan.yml@main with: From e5f48c8a51c2d764ba4cb45f8b53c3d6cf46098e Mon Sep 17 00:00:00 2001 From: DenysSirchenko Date: Mon, 14 Apr 2025 20:04:15 +0300 Subject: [PATCH 4/6] Testing new repo --- .github/workflows/ecr-scheduled-security-scan.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ecr-scheduled-security-scan.yml b/.github/workflows/ecr-scheduled-security-scan.yml index 2569213d..e9bb60c6 100644 --- a/.github/workflows/ecr-scheduled-security-scan.yml +++ b/.github/workflows/ecr-scheduled-security-scan.yml @@ -1,12 +1,11 @@ name: ECR PHP Vulnerability Scan on: - # schedule: - # - cron: '0 9 * * *' + schedule: + - cron: '0 9 * * *' push: branches: - # - master - - SC-22224 + - master jobs: vulnerability-detection: From 0f99f94bab281572b401e546d96f2b38572d6684 Mon Sep 17 00:00:00 2001 From: DenysSirchenko Date: Mon, 14 Apr 2025 22:12:45 +0300 Subject: [PATCH 5/6] Updated .github/workflows/ci.yml to reusable workflow --- .github/workflows/ci.yml | 202 ++++++++------------------------------- 1 file changed, 41 insertions(+), 161 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8126a2f5..8492ff40 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,14 +1,14 @@ -name: CI/CD +name: CI/CD PHP Build and Scan -on: push +on: + push: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: - build: - runs-on: ubuntu-latest + build-and-scan-images-for-vulnerabilities: strategy: fail-fast: false matrix: 
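Review bot: The matrix key `image` now holds a Dockerfile path (`alpine/3.18/8.1/Dockerfile`) while the trivy-trufflehog workflow in this series uses `image` for the published image name (`spryker/php:8.1-alpine3.18`) and `dockerfile` for the file; the same key meaning two different things across sibling workflows invites the wrong value being wired into a reusable-workflow input. Either rename this key and the input it feeds to `dockerfile` (which also needs the callee changed) or add a comment above `include:` such as `# image: path to the Dockerfile to build; tag: ECR image tag`. `image_type: "PHP"` is repeated on all nine entries; a single value passed from the job level, or a default on the reusable workflow's input, would remove the duplication. The `uses:` ref on the last line is `@main`; pin to a tag or commit SHA.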
@@ -16,179 +16,59 @@ jobs: ## Alpine ### Alpine 3.18 - image: "alpine/3.18/8.1/Dockerfile" - tags: [ "spryker/php:8.1-alpine3.18" ] - platforms: [ "linux/amd64", "linux/arm64" ] + tag: "test/php:8.1-alpine3.18" + platforms: "linux/amd64,linux/arm64" - image: "alpine/3.18/8.2/Dockerfile" - tags: [ "spryker/php:8.2-alpine3.18" ] - platforms: [ "linux/amd64", "linux/arm64" ] + tag: "test/php:8.2-alpine3.18" + platforms: "linux/amd64,linux/arm64" - image: "alpine/3.18/8.3/Dockerfile" - tags: [ "spryker/php:8.3-alpine3.18" ] - platforms: [ "linux/amd64", "linux/arm64" ] + tag: "test/php:8.3-alpine3.18" + platforms: "linux/amd64,linux/arm64" ### Alpine 3.19 - image: "alpine/3.19/8.1/Dockerfile" - tags: [ "spryker/php:8.1-alpine3.19" ] - platforms: [ "linux/amd64", "linux/arm64" ] + tag: "test/php:8.1-alpine3.19" + platforms: "linux/amd64,linux/arm64" - image: "alpine/3.19/8.2/Dockerfile" - tags: [ "spryker/php:8.2-alpine3.19" ] - platforms: [ "linux/amd64", "linux/arm64" ] + tag: "test/php:8.2-alpine3.19" + platforms: "linux/amd64,linux/arm64" - image: "alpine/3.19/8.3/Dockerfile" - tags: [ "spryker/php:8.3-alpine3.19" ] - platforms: [ "linux/amd64", "linux/arm64" ] + tag: "test/php:8.3-alpine3.19" + platforms: "linux/amd64,linux/arm64" ### Alpine 3.20 - image: "alpine/3.20/8.1/Dockerfile" - tags: [ "spryker/php:8.1", "spryker/php:8.1-alpine3.20" ] - platforms: [ "linux/amd64", "linux/arm64" ] + tag: "test/php:8.1-alpine3.20" + platforms: "linux/amd64,linux/arm64" - image: "alpine/3.20/8.2/Dockerfile" - tags: [ "spryker/php:latest", "spryker/php:8.2", "spryker/php:8.2-alpine3.20" ] - platforms: [ "linux/amd64", "linux/arm64" ] + tag: "test/php:8.2-alpine3.20" + platforms: "linux/amd64,linux/arm64" - image: "alpine/3.20/8.3/Dockerfile" - tags: [ "spryker/php:8.3", "spryker/php:8.3-alpine3.20" ] - platforms: [ "linux/amd64", "linux/arm64" ] + tag: "test/php:8.3-alpine3.20" + platforms: "linux/amd64,linux/arm64" ## Debian ### Debian bullseye - image: 
"debian/bullseye/8.0/Dockerfile" - tags: [ "spryker/php:8.0-debian" ] - platforms: [ "linux/amd64", "linux/arm64" ] + tag: "spryker/php:8.0-debian" + platforms: "linux/amd64,linux/arm64" - image: "debian/bullseye/8.1/Dockerfile" - tags: [ "spryker/php:8.1-debian" ] - platforms: [ "linux/amd64", "linux/arm64" ] + tag: "spryker/php:8.1-debian" + platforms: "linux/amd64,linux/arm64" - image: "debian/bullseye/8.2/Dockerfile" - tags: [ "spryker/php:8.2-debian" ] - platforms: [ "linux/amd64", "linux/arm64" ] + tag: "spryker/php:8.2-debian" + platforms: "linux/amd64,linux/arm64" - image: "debian/bullseye/8.3/Dockerfile" - tags: [ "spryker/php:8.3-debian" ] - platforms: [ "linux/amd64", "linux/arm64" ] - - steps: - - name: Check out repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Get the previous commit hash - id: previous_commit - run: | - if [ "${{ github.ref }}" == "refs/heads/master" ]; then - PREV_COMMIT_HASH=$(git rev-parse HEAD^1) - else - PREV_COMMIT_HASH=$(git rev-parse origin/master) - IMAGE_TAG="${{ matrix.tags[0] }}" - echo "Pulling image $IMAGE_TAG" - - if ! docker pull "$IMAGE_TAG"; then - echo "Image $IMAGE_TAG does not exist. Setting PREV_COMMIT_HASH to empty string." 
- PREV_COMMIT_HASH="" - else - docker pull "$IMAGE_TAG" - - NEW_TAG="${IMAGE_TAG}-${PREV_COMMIT_HASH}" - echo "Re-tagging image to $NEW_TAG" - docker tag "$IMAGE_TAG" "$NEW_TAG" - - echo "Removing the pulled image $IMAGE_TAG" - docker rmi "$IMAGE_TAG" || true - fi - fi - echo "PREV_COMMIT_HASH=$PREV_COMMIT_HASH" >> $GITHUB_ENV - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Re-tag images with previous commit hash - if: ${{ github.ref == 'refs/heads/master' }} - run: | - PREV_HASH=${{ env.PREV_COMMIT_HASH }} - if [ -z "$PREV_HASH" ]; then - echo "PREV_HASH is empty. Skipping retagging." - exit 0 - fi - IMAGE_TAGS="${{ join(matrix.tags, ' ') }}" - for IMAGE_TAG in $IMAGE_TAGS; do - docker pull "$IMAGE_TAG" - NEW_TAG="${IMAGE_TAG}-${PREV_HASH}" - docker tag "$IMAGE_TAG" "$NEW_TAG" - echo "Re-tagged image: $NEW_TAG" - docker push $NEW_TAG - done - - - name: Build and push - id: docker_build - uses: docker/build-push-action@v6 - with: - push: ${{ github.ref == 'refs/heads/master' }} - load: ${{ github.ref != 'refs/heads/master' }} - file: ${{ matrix.image }} - tags: ${{ join(matrix.tags) }} - platforms: ${{ github.ref == 'refs/heads/master' && join(matrix.platforms) || 'linux/amd64' }} - - - name: Pull image for master branch - if: github.ref == 'refs/heads/master' - run: | - echo "Pulling image for master branch" - docker pull ${{ matrix.tags[0] }} - - - name: Current image report - id: manifest - run: | - CURRENT_TAG=${{ matrix.tags[0] }} - bash .github/compare-images.sh $CURRENT_TAG > current-image-report.txt || true - cat current-image-report.txt - - - name: Previous image report - run: | - PREVIOUS_TAG="${{ matrix.tags[0] }}-${{ env.PREV_COMMIT_HASH }}" - bash .github/compare-images.sh $PREVIOUS_TAG > 
previous-image-report.txt || true - cat previous-image-report.txt - - - name: Run the diff and format output - id: diff - run: bash .github/format-output.sh - - - name: Fetch Job ID - id: fetch_job_id - if: ${{ github.ref == 'refs/heads/master' && env.DIFF_OUTPUT != '' }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - JOBS_JSON=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" \ - "https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/jobs") - echo "$JOBS_JSON" > jobs-response.json - cat jobs-response.json - JOB_ID=$(echo "$JOBS_JSON" | jq -r '.jobs[0].id') - echo "Extracted Job ID: $JOB_ID" - echo "::set-output name=job_id::$JOB_ID" - - - name: Send Slack Notification - if: ${{ github.ref == 'refs/heads/master' && env.DIFF_OUTPUT != '' }} - uses: slackapi/slack-github-action@v1.24.0 - with: - payload: | - { - "attachments": [ - { - "color": "good", - "fields": [ - { - "title": "New version of ${{ matrix.tags[0] }} has been published", - "value": "You can check the:\n- *Manifest*: \n- *Diff*: \n\nThis version was built out of .", - "short": false - } - ] - } - ] - } - env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CE_RELEASE_WEBHOOK }} - SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK + tag: "spryker/php:8.3-debian" + platforms: "linux/amd64,linux/arm64" + + name: Build and Scan - ${{ matrix.tag }} + uses: spryker-projects/gha-reusable-workflows/.github/workflows/ci.yml@main + with: + image: ${{ matrix.image }} + tag: ${{ matrix.tag }} + platforms: ${{ matrix.platforms }} + secrets: + DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} + DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CE_RELEASE_WEBHOOK }} From dcdfd64a185760cba4f7d7c6aa36ce842f9cc4d9 Mon Sep 17 00:00:00 2001 
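Review bot: The single-string `tag:` drops the extra tags the old matrix pushed — `spryker/php:latest`, `spryker/php:8.1`, `spryker/php:8.2` and `spryker/php:8.3` sat alongside the `-alpine3.20` tags — so after this change those aliases stop being updated on master; if the reusable workflow's `tag` input accepts a comma-separated list, restore them (e.g. `tag: "spryker/php:latest,spryker/php:8.2,spryker/php:8.2-alpine3.20"`), otherwise the input needs extending first. The Alpine entries use `test/php:…` while the Debian entries use `spryker/php:…`, which on a push to master would publish the Alpine images under a different repository (the following patch in the series changes them back). The removed steps also produced the previous/current image reports and the release Slack message with manifest and diff links; whether `spryker-projects/gha-reusable-workflows/.github/workflows/ci.yml@main` reproduces them is not visible here, and that `uses:` ref is again a mutable branch receiving `DOCKER_USERNAME`/`DOCKER_PASSWORD`, so pin it to a tag or commit SHA.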
From: DenysSirchenko Date: Mon, 14 Apr 2025 22:14:36 +0300 Subject: [PATCH 6/6] Updated .github/workflows/ci.yml to reusable workflow --- .github/workflows/ci.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8492ff40..1af3c26b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,35 +16,35 @@ jobs: ## Alpine ### Alpine 3.18 - image: "alpine/3.18/8.1/Dockerfile" - tag: "test/php:8.1-alpine3.18" + tag: "spryker/php:8.1-alpine3.18" platforms: "linux/amd64,linux/arm64" - image: "alpine/3.18/8.2/Dockerfile" - tag: "test/php:8.2-alpine3.18" + tag: "spryker/php:8.2-alpine3.18" platforms: "linux/amd64,linux/arm64" - image: "alpine/3.18/8.3/Dockerfile" - tag: "test/php:8.3-alpine3.18" + tag: "spryker/php:8.3-alpine3.18" platforms: "linux/amd64,linux/arm64" ### Alpine 3.19 - image: "alpine/3.19/8.1/Dockerfile" - tag: "test/php:8.1-alpine3.19" + tag: "spryker/php:8.1-alpine3.19" platforms: "linux/amd64,linux/arm64" - image: "alpine/3.19/8.2/Dockerfile" - tag: "test/php:8.2-alpine3.19" + tag: "spryker/php:8.2-alpine3.19" platforms: "linux/amd64,linux/arm64" - image: "alpine/3.19/8.3/Dockerfile" - tag: "test/php:8.3-alpine3.19" + tag: "spryker/php:8.3-alpine3.19" platforms: "linux/amd64,linux/arm64" ### Alpine 3.20 - image: "alpine/3.20/8.1/Dockerfile" - tag: "test/php:8.1-alpine3.20" + tag: "spryker/php:8.1-alpine3.20" platforms: "linux/amd64,linux/arm64" - image: "alpine/3.20/8.2/Dockerfile" - tag: "test/php:8.2-alpine3.20" + tag: "spryker/php:8.2-alpine3.20" platforms: "linux/amd64,linux/arm64" - image: "alpine/3.20/8.3/Dockerfile" - tag: "test/php:8.3-alpine3.20" + tag: "spryker/php:8.3-alpine3.20" platforms: "linux/amd64,linux/arm64" ## Debian