Skip to content

Build vault-agent container #46

Build vault-agent container

Build vault-agent container #46

Workflow file for this run

---
name: vault-agent
run-name: Build vault-agent container
on:
pull_request:
paths:
- pipelines/dockerfiles/vault-agent/**
- '!pipelines/dockerfiles/vault-agent/Jenkinsfile'
- '!pipelines/dockerfiles/vault-agent/config.yml'
- '!pipelines/dockerfiles/vault-agent/Makefile'
- .github/workflows/vault-agent.yml
branches: [ master ]
push:
paths:
- pipelines/dockerfiles/vault-agent/**
- '!pipelines/dockerfiles/vault-agent/Jenkinsfile'
- '!pipelines/dockerfiles/vault-agent/config.yml'
- '!pipelines/dockerfiles/vault-agent/Makefile'
- .github/workflows/vault-agent.yml
branches: [ master ]
workflow_dispatch:
env:
REPOSITORY: constantin07/vault-agent
jobs:
build:
runs-on: ubuntu-22.04
permissions:
security-events: write
defaults:
run:
working-directory: pipelines/dockerfiles/vault-agent
steps:
- name: Checkout source code
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/[email protected]
- name: Set up Docker Buildx
uses: docker/[email protected]
with:
driver-opts: image=moby/buildkit:master
- name: Login to Docker Hub
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Get version
run: |
VAULT_VERSION=$(grep -E "^VAULT_VERSION" Makefile | awk '{print $3}')
echo "VAULT_VERSION=$VAULT_VERSION" >> $GITHUB_ENV
echo $VAULT_VERSION
- name: Build image and export to docker
uses: docker/[email protected]
with:
context: pipelines/dockerfiles/vault
platforms: linux/amd64,linux/arm64
push: false
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: VAULT_VERSION=${{ env.VAULT_VERSION }}
tags: ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }}
provenance: true
load: false
- name: Load amd64 platform image
run: |
docker buildx build --load --platform 'linux/amd64' \
--build-arg VAULT_VERSION=${{ env.VAULT_VERSION }} \
-t ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} .
- name: Load arm64 platform image
run: |
docker buildx build --load --platform 'linux/arm64' \
--build-arg VAULT_VERSION=${{ env.VAULT_VERSION }} \
-t ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }}-arm64 .
- name: Run trivy scan
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }}
format: sarif
output: trivy-results.sarif
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarif
- name: Test image
run: docker run --rm -t --cap-add IPC_LOCK ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} vault --version
- name: Push amd64 & arm64 platform images
uses: docker/[email protected]
with:
context: pipelines/dockerfiles/vault
platforms: linux/amd64,linux/arm64
push: true
build-args: VAULT_VERSION=${{ env.VAULT_VERSION }}
tags: ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }}