From 6d178edf20eae8ce1d85d12c83a41dd4da086ad2 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Wed, 4 Dec 2024 11:42:52 +0100 Subject: [PATCH] update docker actions to latest stable --- ci/docker-image.yml | 13 ++++++----- ci/docker-publish.yml | 8 +++---- code-scanning/anchore-syft.yml | 7 +++++- code-scanning/anchore.yml | 8 ++++++- code-scanning/snyk-container.yml | 10 +++++++-- code-scanning/snyk-security.yml | 6 ++++- code-scanning/sysdig-scan.yml | 11 ++++++---- code-scanning/trivy.yml | 8 ++++--- deployments/alibabacloud.yml | 17 +++++++++----- deployments/aws.yml | 18 +++++---------- deployments/azure-container-webapp.yml | 7 +++--- deployments/azure-functions-app-container.yml | 11 +++++----- deployments/google-cloudrun-docker.yml | 10 +++++---- deployments/google.yml | 20 ++++++++--------- deployments/ibm.yml | 19 ++++++++-------- deployments/tencent.yml | 22 +++++++++---------- 16 files changed, 111 insertions(+), 84 deletions(-) diff --git a/ci/docker-image.yml b/ci/docker-image.yml index be757cca1e..1d4d4a9886 100644 --- a/ci/docker-image.yml +++ b/ci/docker-image.yml @@ -7,12 +7,15 @@ on: branches: [ $default-branch ] jobs: - build: - runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - name: Build the Docker image - run: docker build . --file Dockerfile --tag my-image-name:$(date +%s) + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Build Docker image + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + tags: my-image-name:latest diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index f8e709f228..d9152a9303 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml 
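Review bot: The added `- name: Checkout repository` step keeps `uses: actions/checkout@v4`, a mutable tag, while the build step right below it is pinned to a full commit SHA with a version comment; within one step list the pinning policy should be uniform, so pin checkout the same way, `uses: actions/checkout@<commit-sha> # v4.x.y`, with the SHA taken from the actions/checkout release you intend. This is the only hunk in the patch that adds a checkout line (elsewhere it is unchanged context), so the inconsistency is new here. As this is also the first move to build-push-action v6: as far as I recall, v6 uploads a build record artifact to the workflow run by default, which `DOCKER_BUILD_RECORD_UPLOAD: false` in the step's `env` disables if that artifact is not wanted.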
@@ -49,13 +49,13 @@ jobs: # multi-platform images and export cache # https://github.com/docker/setup-buildx-action - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -65,7 +65,7 @@ jobs: # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} @@ -73,7 +73,7 @@ jobs: # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 with: context: . push: ${{ github.event_name != 'pull_request' }} diff --git a/code-scanning/anchore-syft.yml b/code-scanning/anchore-syft.yml index 99d4dd0b5e..483728a612 100644 --- a/code-scanning/anchore-syft.yml +++ b/code-scanning/anchore-syft.yml 
@@ -28,8 +28,13 @@ jobs: steps: - name: Checkout the code uses: actions/checkout@v4 + - name: Build the Docker image - run: docker build . --file Dockerfile --tag localbuild/testimage:latest + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + tags: localbuild/testimage:latest + - name: Scan the image and upload dependency results uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a with: diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 8ada351499..7bef36f532 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -33,8 +33,13 @@ jobs: steps: - name: Check out the code uses: actions/checkout@v4 + - name: Build the Docker image - run: docker build . --file Dockerfile --tag localbuild/testimage:latest + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + tags: localbuild/testimage:latest + - name: Run the Anchore Grype scan action uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 id: scan @@ -42,6 +47,7 @@ jobs: image: "localbuild/testimage:latest" fail-build: true severity-cutoff: critical + - name: Upload vulnerability report uses: github/codeql-action/upload-sarif@v3 with: diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index c485691560..68829e76a0 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -34,8 +34,13 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: Build a Docker image - run: docker build -t your/image-to-test . + + - name: Build Docker image + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + tags: your/image-to-test + - name: Run Snyk to check Docker image for vulnerabilities # Snyk can be used to break the build when it detects vulnerabilities. # In this case we want to upload the issues to GitHub Code Scanning 
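Review bot: The new build step relies on the default docker driver to leave `localbuild/testimage:latest` in the runner's image store for the `anchore/sbom-action` step that follows, but nothing in the step states that requirement; adding `load: true` under `with:` makes it explicit and keeps the scan working if a `docker/setup-buildx-action` step (docker-container driver, which does not populate the local store) is ever placed in front of it. The same applies to the build steps added in code-scanning/anchore.yml, snyk-container.yml, snyk-security.yml, sysdig-scan.yml and trivy.yml, each of which scans the tag by name in a later step. The job containing this step starts before the hunk.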
@@ -49,6 +54,7 @@ jobs: with: image: your/image-to-test args: --file=Dockerfile + - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 with: diff --git a/code-scanning/snyk-security.yml b/code-scanning/snyk-security.yml index b2fe77c06b..eb67de771e 100644 --- a/code-scanning/snyk-security.yml +++ b/code-scanning/snyk-security.yml @@ -67,7 +67,11 @@ jobs: # Build the docker image for testing - name: Build a Docker image - run: docker build -t your/image-to-test . + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + tags: your/image-to-test + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. - name: Snyk Container monitor run: snyk container monitor your/image-to-test --file=Dockerfile diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index 11fd8b75f4..6c212723a0 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -30,10 +30,13 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Build the Docker image - # Tag image to be built - # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below - run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest + # Tag image to be built + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below + - name: Build Docker image + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + tags: ${{ github.repository }}:latest - name: Sysdig Secure Inline Scan id: scan diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 7180f7267c..cf6c33488e 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml 
@@ -29,9 +29,11 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - - name: Build an image from Dockerfile - run: | - docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + - name: Build Docker image + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + tags: docker.io/my-organization/my-app:${{ github.sha }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 526169ef6c..46c5b76f8e 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -61,9 +61,11 @@ jobs: # 1.2 Build and push image to ACR - name: Build and push image to ACR - run: | - docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" . - docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + push: true + tags: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }} # 1.3 Scan image in ACR - name: Scan image in ACR @@ -88,9 +90,12 @@ jobs: # 2.2 (Optional) Build and push image ACR EE - name: Build and push image to ACR EE - run: | - docker build -t "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" . - docker push "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + push: true + tags: ${{ env.ACR_EE_REGISTRY }}/${{ env.ACR_EE_NAMESPACE }}/${{ env.ACR_EE_IMAGE }}:${{ env.TAG }} + # 2.3 (Optional) Scan image in ACR EE - name: Scan image in ACR EE uses: aliyun/acr-scan@v1 diff --git a/deployments/aws.yml b/deployments/aws.yml index 3a1caa94ad..1b6c588c8f 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml 
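Review bot: With `push: true` the action rather than the shell decides what is pushed, and build-push-action can attach a provenance attestation by default (it does when a buildx docker-container builder is in use), in which case `${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }}` resolves to an OCI image index instead of the single manifest the replaced `docker push` produced. Whether that happens here depends on the builder these jobs end up with, so it is worth checking the pushed artifact once against the `aliyun/acr-scan` step that follows, and likewise for the converted push steps in deployments/aws.yml, azure-functions-app-container.yml, google-cloudrun-docker.yml, google.yml, ibm.yml and tencent.yml. Where a registry or the consuming runtime does not accept an index, `provenance: false` under `with:` restores the previous single-manifest push; otherwise the default is preferable since the attestation is useful. The second alibabacloud hunk (ACR EE) has the same shape and the same consideration.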
@@ -65,17 +65,11 @@ jobs: uses: aws-actions/amazon-ecr-login@v1 - name: Build, tag, and push image to Amazon ECR - id: build-image - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: ${{ github.sha }} - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. - docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + push: true + tags: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }} - name: Fill in the new image ID in the Amazon ECS task definition id: task-def @@ -83,7 +77,7 @@ jobs: with: task-definition: ${{ env.ECS_TASK_DEFINITION }} container-name: ${{ env.CONTAINER_NAME }} - image: ${{ steps.build-image.outputs.image }} + image: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }} - name: Deploy Amazon ECS task definition uses: aws-actions/amazon-ecs-deploy-task-definition@v1 diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 57d6386641..e90adeb5e7 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -45,10 +45,10 @@ jobs: - uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - name: Log in to GitHub container registry - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} 
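Review bot: The ECS task-definition step in the second hunk (`@@ -83,7 +77,7 @@`) now re-spells the full tag expression instead of consuming a build output, so the deployed reference is a mutable tag and the two copies of the expression can drift apart silently; the first hunk also dropped the `id:` that made a build output possible. Give the build step `id: build` and deploy by content digest instead: `image: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}@${{ steps.build.outputs.digest }}`, which pins ECS to exactly what this run pushed. The `digest` output is provided by build-push-action after a push.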
@@ -58,8 +58,9 @@ jobs: run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - name: Build and push container image to registry - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 with: + context: . push: true tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} file: ./Dockerfile diff --git a/deployments/azure-functions-app-container.yml b/deployments/azure-functions-app-container.yml index 8333878f54..06abe041eb 100644 --- a/deployments/azure-functions-app-container.yml +++ b/deployments/azure-functions-app-container.yml @@ -55,12 +55,11 @@ jobs: password: ${{ secrets.REGISTRY_PASSWORD }} - name: 'Compose Customized Docker Image' - shell: bash - run: | - # If your function app project is not located in your repository's root - # Please change the path to your directory for docker build - docker build . -t ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }} - docker push ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }} + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + push: true + tags: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }} - name: 'Run Azure Functions Container Action' uses: Azure/functions-container-action@v1 diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml index 70af95e6bc..b459635281 100644 --- a/deployments/google-cloudrun-docker.yml +++ b/deployments/google-cloudrun-docker.yml 
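Review bot: Adding `context: .` changes what is built, not only the action version: without it build-push-action uses the Git context (the repository at the triggering ref, fetched by BuildKit), whereas `.` builds the tree left by `actions/checkout` and any earlier step, with `.dockerignore` applied. That is the better default for this job but it is a behaviour change riding on a version bump, so note it above the line, e.g. `# build from the checked-out workspace rather than the remote Git context`. The `with:` block continues with `file: ./Dockerfile`, so the relative `file` and `context` now agree.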
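Review bot: The removed comment telling users to change the build path when the function app is not at the repository root carried information that the new `context: .` line now encodes silently; keep it as a comment directly above that line, e.g. `# Change context if your function app project is not located in the repository's root`. Dropping `shell: bash` is fine since no `run:` remains in the step.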
@@ -73,10 +73,12 @@ jobs: registry: '${{ env.REGION }}-docker.pkg.dev' - name: 'Build and Push Container' - run: |- - DOCKER_TAG="$${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" - docker build --tag "${DOCKER_TAG}" . - docker push "${DOCKER_TAG}" + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + push: true + tags: ${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} + - name: 'Deploy to Cloud Run' # END - Docker auth and build diff --git a/deployments/google.yml b/deployments/google.yml index 4be4dc47d2..7d4633e493 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -88,17 +88,15 @@ jobs: location: '${{ env.GKE_ZONE }}' # Build the Docker image - - name: 'Build and push Docker container' - run: |- - DOCKER_TAG="${GAR_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${REPOSITORY}/${IMAGE}:${GITHUB_SHA}" - - docker build \ - --tag "${DOCKER_TAG}" \ - --build-arg GITHUB_SHA="${GITHUB_SHA}" \ - --build-arg GITHUB_REF="${GITHUB_REF}" \ - . - - docker push "${DOCKER_TAG}" + - name: Build and push Docker container + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + push: true + tags: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.IMAGE }}:${{ env.GITHUB_SHA }} + build-args: | + GITHUB_SHA=${{ env.GITHUB_SHA }} + GITHUB_REF=${{ env.GITHUB_REF }} # Set up kustomize - name: 'Set up Kustomize' diff --git a/deployments/ibm.yml b/deployments/ibm.yml index eaec2750b8..36dad22e9c 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml 
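Review bot: `${{ env.GITHUB_SHA }}` and `${{ env.GITHUB_REF }}` in the new `tags:` and `build-args:` lines read the `env` context, which only holds variables set in the workflow file; the runner-provided defaults such as `GITHUB_SHA` are not in it, so unless the workflow's `env:` block (outside this hunk) defines them these expand to empty strings and the tag ends in a bare `:`. The replaced shell used `${GITHUB_SHA}`, which did work, and aws.yml and google-cloudrun-docker.yml in this same patch use the `github` context; do the same here: `tags: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.IMAGE }}:${{ github.sha }}`, `GITHUB_SHA=${{ github.sha }}` and `GITHUB_REF=${{ github.ref }}`. The same substitution is needed in the build steps added in deployments/ibm.yml and deployments/tencent.yml.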
@@ -51,16 +51,15 @@ jobs: ibmcloud cr login # Build the Docker image - - name: Build with Docker - run: | - docker build -t "$REGISTRY_HOSTNAME"/"$ICR_NAMESPACE"/"$IMAGE_NAME":"$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" . - - # Push the image to IBM Container Registry - - name: Push the image to ICR - run: | - docker push $REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA + - name: Build and push with Docker + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + push: true + tags: ${{ env.REGISTRY_HOSTNAME }}/${{ env.ICR_NAMESPACE }}/${{ env.IMAGE_NAME }}:${{ env.GITHUB_SHA }} + build-args: | + GITHUB_SHA=${{ env.GITHUB_SHA }} + GITHUB_REF=${{ env.GITHUB_REF }} # Deploy the Docker image to the IKS cluster - name: Deploy to IKS diff --git a/deployments/tencent.yml b/deployments/tencent.yml index bf75b561fc..3469176c96 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -39,19 +39,19 @@ jobs: - name: Checkout uses: actions/checkout@v4 - # Build - - name: Build Docker image - run: | - docker build -t ${TKE_IMAGE_URL}:${GITHUB_SHA} . - - name: Login TKE Registry - run: | - docker login -u ${{ secrets.TENCENT_CLOUD_ACCOUNT_ID }} -p '${{ secrets.TKE_REGISTRY_PASSWORD }}' ${TKE_IMAGE_URL} + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ${{ env.TKE_IMAGE_URL }} + username: ${{ secrets.TENCENT_CLOUD_ACCOUNT_ID }} + password: ${{ secrets.TKE_REGISTRY_PASSWORD }} - # Push the Docker image to TKE Registry - - name: Publish - run: | - docker push ${TKE_IMAGE_URL}:${GITHUB_SHA} + - name: Build and push Docker image + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + context: . + push: true + tags: ${{ env.TKE_IMAGE_URL }}:${{ env.GITHUB_SHA }} - name: Set up Kustomize run: |