diff --git a/.github/workflows/build-scan-push-tag.yml b/.github/workflows/build-scan-push-tag.yml
new file mode 100644
index 0000000..6b81108
--- /dev/null
+++ b/.github/workflows/build-scan-push-tag.yml
@@ -0,0 +1,128 @@
+name: Reusable workflow for building and scanning images
+
+on:
+ workflow_call:
+ inputs:
+ push:
+ required: true
+ type: boolean
+ tag:
+ required: true
+ type: boolean
+
+
+env:
+ DOCKER_BUILDKIT: 1
+ REGISTRY_IMAGE: "${{ github.repository_owner }}/${{ github.event.repository.name }}"
+ GHCR_PREFIX: "ghcr.io"
+ DOCKER_HUB_PREFIX: "docker.io"
+ DOCKER_IMAGE_BASE_ORDER: "base srcds hlds"
+
+jobs:
+ build-scan-push-tag:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v3
+ if: ${{ inputs.push }}
+
+ - name: Build all images
+ if: ${{ inputs.push }}
+ run: |
+ for docker_base_image_type in ${DOCKER_IMAGE_BASE_ORDER}; do
+ docker-compose build ${docker_base_image_type}
+ done
+
+ - name: Trivy CVE scan - base
+ if: ${{ inputs.push }}
+ uses: aquasecurity/trivy-action@0.8.0
+ with:
+ image-ref: "${{ env.REGISTRY_IMAGE }}:base"
+ format: 'table'
+ exit-code: '1'
+ severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+
+ - name: Dockle scan - base
+ if: ${{ inputs.push }}
+ uses: erzz/dockle-action@v1.3.1
+ with:
+ image: "${{ env.REGISTRY_IMAGE }}:base"
+ exit-code: '1'
+ dockle-version: '0.4.5'
+
+ - name: Trivy CVE scan - hlds
+ if: ${{ inputs.push }}
+ uses: aquasecurity/trivy-action@0.8.0
+ with:
+ image-ref: "${{ env.REGISTRY_IMAGE }}:hlds"
+ format: 'table'
+ exit-code: '1'
+ severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+
+ - name: Dockle scan - hlds
+ if: ${{ inputs.push }}
+ uses: erzz/dockle-action@v1.3.1
+ with:
+ image: "${{ env.REGISTRY_IMAGE }}:hlds"
+ exit-code: '1'
+ dockle-version: '0.4.5'
+
+ - name: Trivy CVE scan - srcds
+ if: ${{ inputs.push }}
+ uses: aquasecurity/trivy-action@0.8.0
+ with:
+ image-ref: "${{ env.REGISTRY_IMAGE }}:srcds"
+ format: 'table'
+ exit-code: '1'
+ severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+
+ - name: Dockle scan - srcds
+ if: ${{ inputs.push }}
+ uses: erzz/dockle-action@v1.3.1
+ with:
+ image: "${{ env.REGISTRY_IMAGE }}:srcds"
+ exit-code: '1'
+ dockle-version: '0.4.5'
+
+ - name: Log in to GHCR
+ if: ${{ inputs.push || inputs.tag }}
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Login to Docker Hub
+ if: ${{ inputs.push || inputs.tag }}
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_ACCESS }}
+
+ - name: Push latest images to registries
+ if: ${{ inputs.push }}
+ run: |
+ docker_image_types=$(docker-compose config --services | paste -sd " " -)
+
+ for docker_image_type in ${docker_image_types}; do
+ docker tag ${REGISTRY_IMAGE}:${docker_image_type} ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest
+ docker tag ${REGISTRY_IMAGE}:${docker_image_type} ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest
+
+ docker push ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest
+ docker push ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest
+ done
+
+ - name: Push tagged images to registries
+ if: ${{ inputs.tag }}
+ run: |
+ for docker_base_image_type in ${DOCKER_IMAGE_BASE_ORDER}; do
+ docker pull ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest
+
+ docker tag ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${{ github.ref_name }}
+ docker tag ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${{ github.ref_name }}
+
+ docker push ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${{ github.ref_name }}
+ docker push ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${{ github.ref_name }}
+ done
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 50de7f5..37808b9 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
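Review bot: Every checkout, build and scan step in the new reusable workflow is gated on `if: ${{ inputs.push }}`, so a caller passing `push: false` and `tag: false` — which is exactly what docker-build.yml does in this same commit — runs a job with zero steps, and the Trivy/Dockle scanning of non-main branches silently stops. Changing those seven guards to `if: ${{ !inputs.tag }}` (or adding a dedicated boolean `scan` input) keeps the tag path lean while the build-only path still builds and scans. Separately, the "Push tagged images to registries" step interpolates `${{ github.ref_name }}` directly into the shell script four times; tag names can contain shell metacharacters, so the usual hardening is to pass the value through an `env:` entry and reference it as a quoted shell variable, as sketched below. The third-party actions (`aquasecurity/trivy-action@0.8.0`, `erzz/dockle-action@v1.3.1`, `docker/login-action@v2`) are pinned to mutable tags; pinning each to its full commit SHA with the tag in a trailing comment is the supply-chain-resistant form.
```yaml
# … unchanged: build, scan, login and push-latest steps …
      - name: Push tagged images to registries
        if: ${{ inputs.tag }}
        env:
          IMAGE_TAG: ${{ github.ref_name }}
        run: |
          for docker_base_image_type in ${DOCKER_IMAGE_BASE_ORDER}; do
            docker pull "${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest"

            docker tag "${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest" "${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${IMAGE_TAG}"
            docker tag "${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest" "${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${IMAGE_TAG}"

            docker push "${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${IMAGE_TAG}"
            docker push "${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${IMAGE_TAG}"
          done
```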
@@ -5,66 +5,10 @@ on: branches-ignore: - main -env: - DOCKER_BUILDKIT: 1 - REGISTRY_IMAGE: "ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}-build" - DOCKER_IMAGE_BASE_ORDER: "base srcds hlds" - jobs: - build: - permissions: - contents: read - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v3 - - - name: Build all images - run: | - for docker_base_image_type in ${DOCKER_IMAGE_BASE_ORDER}; do - docker-compose build ${docker_base_image_type} - done - - - name: Trivy CVE scan - base - uses: aquasecurity/trivy-action@0.8.0 - with: - image-ref: "${{ env.REGISTRY_IMAGE }}:base" - format: 'table' - exit-code: '1' - severity: 'CRITICAL,HIGH,MEDIUM,LOW' - - - name: Dockle scan - base - uses: erzz/dockle-action@v1.3.1 - with: - image: "${{ env.REGISTRY_IMAGE }}:base" - exit-code: '1' - dockle-version: '0.4.5' - - - name: Trivy CVE scan - hlds - uses: aquasecurity/trivy-action@0.8.0 - with: - image-ref: "${{ env.REGISTRY_IMAGE }}:hlds" - format: 'table' - exit-code: '1' - severity: 'CRITICAL,HIGH,MEDIUM,LOW' - - - name: Dockle scan - hlds - uses: erzz/dockle-action@v1.3.1 - with: - image: "${{ env.REGISTRY_IMAGE }}:hlds" - exit-code: '1' - dockle-version: '0.4.5' - - - name: Trivy CVE scan - srcds - uses: aquasecurity/trivy-action@0.8.0 - with: - image-ref: "${{ env.REGISTRY_IMAGE }}:srcds" - format: 'table' - exit-code: '1' - severity: 'CRITICAL,HIGH,MEDIUM,LOW' - - - name: Dockle scan - srcds - uses: erzz/dockle-action@v1.3.1 - with: - image: "${{ env.REGISTRY_IMAGE }}:srcds" - exit-code: '1' - dockle-version: '0.4.5'
+ build-scan:
+ uses: thetredev/steamcmd/.github/workflows/build-scan-push-tag.yml@main
+ with:
+ push: false
+ tag: false
+ secrets: inherit
diff --git a/.github/workflows/docker-latest.yml b/.github/workflows/docker-latest.yml
index 3bd587a..d51cb6a 100644
--- a/.github/workflows/docker-latest.yml
+++ b/.github/workflows/docker-latest.yml
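Review bot: The `uses: thetredev/steamcmd/.github/workflows/build-scan-push-tag.yml@main` line in the new `build-scan` job (and the identical line in docker-latest.yml and docker-tag.yml) resolves the reusable workflow from `main` rather than from the commit being built, so a branch that edits build-scan-push-tag.yml is never exercised against its own copy and a broken edit is only noticed after merge. Because the reusable workflow lives in this repository, the local form `uses: ./.github/workflows/build-scan-push-tag.yml` runs the caller's own revision and needs no ref at all. `secrets: inherit` on this caller also hands the Docker Hub credentials to a job whose `push: false` / `tag: false` inputs never reach a login step, so it can be dropped here as the least-privilege choice; a one-line comment above the job, `# build and scan only; nothing is pushed from non-main branches`, would make the intent of the two inputs explicit.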
@@ -5,95 +5,10 @@ on: branches: - main -env: - DOCKER_BUILDKIT: 1 - REGISTRY_IMAGE: "${{ github.repository_owner }}/${{ github.event.repository.name }}" - GHCR_PREFIX: "ghcr.io" - DOCKER_HUB_PREFIX: "docker.io" - DOCKER_IMAGE_BASE_ORDER: "base srcds hlds" - DOCKER_RETAG_SH: ".github/scripts/docker_retag.sh" - jobs: - build: - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v3 - - - name: Build all images - run: | - for docker_base_image_type in ${DOCKER_IMAGE_BASE_ORDER}; do - docker-compose build ${docker_base_image_type} - done - - - name: Trivy CVE scan - base - uses: aquasecurity/trivy-action@0.8.0 - with: - image-ref: "${{ env.REGISTRY_IMAGE }}:base" - format: 'table' - exit-code: '1' - severity: 'CRITICAL,HIGH,MEDIUM,LOW' - - - name: Dockle scan - base - uses: erzz/dockle-action@v1.3.1 - with: - image: "${{ env.REGISTRY_IMAGE }}:base" - exit-code: '1' - dockle-version: '0.4.5' - - - name: Trivy CVE scan - hlds - uses: aquasecurity/trivy-action@0.8.0 - with: - image-ref: "${{ env.REGISTRY_IMAGE }}:hlds" - format: 'table' - exit-code: '1' - severity: 'CRITICAL,HIGH,MEDIUM,LOW' - - - name: Dockle scan - hlds - uses: erzz/dockle-action@v1.3.1 - with: - image: "${{ env.REGISTRY_IMAGE }}:hlds" - exit-code: '1' - dockle-version: '0.4.5' - - - name: Trivy CVE scan - srcds - uses: aquasecurity/trivy-action@0.8.0 - with: - image-ref: "${{ env.REGISTRY_IMAGE }}:srcds" - format: 'table' - exit-code: '1' - severity: 'CRITICAL,HIGH,MEDIUM,LOW' - - - name: Dockle scan - srcds - uses: erzz/dockle-action@v1.3.1 - with: - image: "${{ env.REGISTRY_IMAGE }}:srcds" - exit-code: '1' - dockle-version: '0.4.5' - - - name: Log in to GHCR - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Docker Hub - uses: docker/login-action@v2 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_ACCESS }} 
- - - name: Push latest images to registries - run: | - docker_image_types=$(docker-compose config --services | paste -sd " " -) - - for docker_image_type in ${docker_image_types}; do - docker tag ${REGISTRY_IMAGE}:${docker_image_type} ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest - docker tag ${REGISTRY_IMAGE}:${docker_image_type} ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest - - docker push ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest - docker push ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest - done
+ push:
+ uses: thetredev/steamcmd/.github/workflows/build-scan-push-tag.yml@main
+ with:
+ push: true
+ tag: false
+ secrets: inherit
diff --git a/.github/workflows/docker-tag.yml b/.github/workflows/docker-tag.yml
index 467c0d6..f4d82bf 100644
--- a/.github/workflows/docker-tag.yml
+++ b/.github/workflows/docker-tag.yml
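Review bot: The new `push` job declares no `permissions:` block, so the `contents: read` / `packages: write` set inside build-scan-push-tag.yml only takes effect if the repository's default GITHUB_TOKEN scope already includes `packages: write`; a called workflow can only narrow, never raise, the permissions the caller job grants. Declare them explicitly on the caller — `permissions:` with `contents: read` and `packages: write` — so the GHCR login and push do not depend on repository-level defaults; the `tag` job in docker-tag.yml needs the same block. The removed job carried these permissions itself, so this is a regression introduced by the move to the reusable workflow rather than a pre-existing gap.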
@@ -5,45 +5,10 @@ on: tags: - '**' -env: - DOCKER_BUILDKIT: 1 - REGISTRY_IMAGE: "${{ github.repository_owner }}/${{ github.event.repository.name }}" - GHCR_PREFIX: "ghcr.io" - DOCKER_HUB_PREFIX: "docker.io" - DOCKER_IMAGE_BASE_ORDER: "base srcds hlds" - DOCKER_RETAG_SH: ".github/scripts/docker_retag.sh" - jobs: - retag: - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - - steps: - - uses: actions/checkout@v3 - - - name: Log in to GHCR - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Docker Hub - uses: docker/login-action@v2 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_ACCESS }} - - - name: Push tagged images to registries - run: | - for docker_base_image_type in ${DOCKER_IMAGE_BASE_ORDER}; do - docker pull ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest - - docker tag ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${{ github.ref_name }} - docker tag ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${{ github.ref_name }} - - docker push ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${{ github.ref_name }} - docker push ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${{ github.ref_name }} - done
+ tag:
+ uses: thetredev/steamcmd/.github/workflows/build-scan-push-tag.yml@main
+ with:
+ push: false
+ tag: true
+ secrets: inherit