Build vault-agent container #57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: vault-agent | |
| run-name: Build vault-agent container | |
| on: | |
| pull_request: | |
| paths: | |
| - pipelines/dockerfiles/vault-agent/** | |
| - '!pipelines/dockerfiles/vault-agent/Jenkinsfile' | |
| - '!pipelines/dockerfiles/vault-agent/config.yml' | |
| - '!pipelines/dockerfiles/vault-agent/Makefile' | |
| - .github/workflows/vault-agent.yml | |
| branches: [ master ] | |
| push: | |
| paths: | |
| - pipelines/dockerfiles/vault-agent/** | |
| - '!pipelines/dockerfiles/vault-agent/Jenkinsfile' | |
| - '!pipelines/dockerfiles/vault-agent/config.yml' | |
| - '!pipelines/dockerfiles/vault-agent/Makefile' | |
| - .github/workflows/vault-agent.yml | |
| branches: [ master ] | |
| workflow_dispatch: | |
| env: | |
| REPOSITORY: constantin07/vault-agent | |
| jobs: | |
| build: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| security-events: write | |
| defaults: | |
| run: | |
| working-directory: pipelines/dockerfiles/vault-agent | |
| steps: | |
| - name: Checkout source code | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/[email protected] | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| with: | |
| driver-opts: image=moby/buildkit:master | |
| - name: Login to Docker Hub | |
| uses: docker/[email protected] | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Get version | |
| run: | | |
| VAULT_VERSION=$(grep -E "^VAULT_VERSION" Makefile | awk '{print $3}') | |
| echo "VAULT_VERSION=$VAULT_VERSION" >> $GITHUB_ENV | |
| echo $VAULT_VERSION | |
| - name: Build image and export to docker | |
| uses: docker/[email protected] | |
| with: | |
| context: pipelines/dockerfiles/vault | |
| platforms: linux/amd64,linux/arm64 | |
| push: false | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: VAULT_VERSION=${{ env.VAULT_VERSION }} | |
| tags: ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} | |
| provenance: true | |
| load: false | |
| - name: Load amd64 platform image | |
| run: | | |
| docker buildx build --load --platform 'linux/amd64' \ | |
| --build-arg VAULT_VERSION=${{ env.VAULT_VERSION }} \ | |
| -t ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} . | |
| - name: Load arm64 platform image | |
| run: | | |
| docker buildx build --load --platform 'linux/arm64' \ | |
| --build-arg VAULT_VERSION=${{ env.VAULT_VERSION }} \ | |
| -t ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }}-arm64 . | |
| - name: Run trivy scan | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} | |
| format: sarif | |
| output: trivy-results.sarif | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| - name: Test image | |
| run: docker run --rm -t --cap-add IPC_LOCK ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} vault --version | |
| - name: Push amd64 & arm64 platform images | |
| uses: docker/[email protected] | |
| with: | |
| context: pipelines/dockerfiles/vault | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| build-args: VAULT_VERSION=${{ env.VAULT_VERSION }} | |
| tags: ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} |