Publish official Docker container #40

Open
wants to merge 6 commits into
base: develop
74 changes: 74 additions & 0 deletions .github/workflows/build.yml
@@ -25,6 +25,13 @@ on:
type: boolean
name: Build and Test
env:
HOME_REPO: aj-stein-gsa/oscal-cli
IMAGE_NAME: aj-stein-gsa/oscal-cli-extended
Comment on lines +28 to +29
Contributor

This should be updated before merging.
REGISTRY: ghcr.io
# Docs: github.com/docker/metadata-action/?tab=readme-ov-file#typesha
DOCKER_METADATA_PR_HEAD_SHA: true
# https://github.com/docker/metadata-action?tab=readme-ov-file#annotations
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
INPUT_FAIL_ON_ERROR: ${{ github.event.inputs.linkcheck_fail_on_error || 'true' }}
INPUT_ISSUE_ON_ERROR: ${{ github.event.inputs.linkcheck_create_issue || 'false' }}
MAVEN_VERSION: 3.9.8
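Review bot: HOME_REPO and IMAGE_NAME at lines +28/+29 still point at the personal fork `aj-stein-gsa/...`, while the annotations added later in this PR set org.opencontainers.image.source to `https://github.com/metaschema-framework/oscal-cli`; the published image would carry a source label that does not match the repository that built it, and every `if: github.repository == env.HOME_REPO` guard would evaluate false once the workflow runs in the upstream repository, so the whole publish path would silently never execute. Set both values to the upstream repository before merge (or derive IMAGE_NAME from `${{ github.repository }}`). Minor: the `# Docs:` comment URL is missing its `https://` scheme, unlike the annotations link on the next line.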
@@ -73,6 +80,71 @@ jobs:
uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd
with:
upload: ${{ github.ref_name == 'develop' && 'always' || 'never' }}
- if: github.repository == env.HOME_REPO
name: Container image QEMU setup for cross-arch builds
id: image_setup_qemu
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
- if: github.repository == env.HOME_REPO
name: Container image buildx setup for cross-arch builds
id: image_setup_buildx
with:
platforms: linux/amd64
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
- if: github.repository == env.HOME_REPO
name: Container image login
id: image_login
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- if: github.repository == env.HOME_REPO
name: Container image metadata and tag generation
id: image_metadata
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
with:
images:
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=sha,prefix=,suffix=,format=long
type=ref,event=branch
type=ref,event=tag
type=ref,event=pr
# flavor: |
# latest=true
annotations: |
maintainers="Metaschema Community Admin <[email protected]>"
org.opencontainers.image.authors="Metaschema Community Admin <[email protected]>"
org.opencontainers.image.documentation="https://metaschema.dev"
org.opencontainers.image.source="https://github.com/metaschema-framework/oscal-cli"
org.opencontainers.image.vendor="Metaschema Community"
org.opencontainers.image.title="oscal-cli-extended"
org.opencontainers.image.description="Metaschema-powered CLI tool for processing OSCAL""
org.opencontainers.image.licenses="CC0-1.0"
- run: |
pwd
ls -lha
find '.'
- if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/feature'))
Contributor

This action doesn't run on main.

Suggested change
- if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/feature'))
- if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/feature'))
name: Container image registry push
id: image_registry_push
uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
with:
build-args: |
USE_PREBUILT_ZIP=yes
push: true
tags: ${{ steps.image_metadata.outputs.tags }}
labels: ${{ steps.image_metadata.outputs.annotations }}
platforms: linux/amd64
cache-from: type=gha
cache-to: type=gha,mode=max
- if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/feature'))
name: Container image push attestations
uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
subject-digest: ${{ steps.image_registry_push.outputs.digest }}
push-to-registry: false
build-website:
name: Website
runs-on: ubuntu-20.04
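Review bot: `labels:` in the image_registry_push step is wired to `steps.image_metadata.outputs.annotations` instead of `outputs.labels`; with DOCKER_METADATA_ANNOTATIONS_LEVELS set to `manifest,index` that output is level-prefixed (`manifest:org.opencontainers...`) and is meant for the `annotations:` input of build-push-action, so the OCI labels baked into the image would be malformed. Use `labels: ${{ steps.image_metadata.outputs.labels }}` and pass the annotations through `annotations:` separately. Also in this hunk: the description annotation ends with a doubled quote (`...processing OSCAL""`); the `run: pwd / ls -lha / find '.'` step is leftover debugging that dumps the whole checkout into the public job log and should be removed before merge; buildx and build-push-action both list only `platforms: linux/amd64`, so the QEMU step and the "cross-arch" step names do not match what is built (either add `linux/arm64` in both places or drop QEMU); and the attestation step sets `push-to-registry: false`, so provenance is recorded on GitHub but not attached to the image in ghcr.io. The `permissions:` block needed for this path (`packages: write` for the login, `id-token: write` and `attestations: write` for the attestation) is not visible in the hunk, so please confirm it is granted on this job.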
@@ -146,3 +218,5 @@ jobs:
with:
script: |
core.setFailed('Link checker detected broken or invalid links, read attached report.')


54 changes: 54 additions & 0 deletions Dockerfile
@@ -0,0 +1,54 @@
ARG BUILDER_IMAGE=maven:3.9.9-eclipse-temurin-17-alpine
ARG RUNNER_IMAGE=eclipse-temurin:17-alpine
# Not set by default, so it will build in container locally. See the GitHub
# Actions build.yml where build-arg is provider to override and build inside
# the container.
ARG USE_PREBUILT_ZIP

FROM ${BUILDER_IMAGE} AS builder
ARG USE_PREBUILT_ZIP
ARG BUILDER_JDK_VENDOR=temurin
ARG BUILDER_JDK_MAJOR_VERSION=17
ARG BUILDER_JDK_HOME_PATH=/opt/java/openjdk
ADD . /usr/local/src
# You can't copy conditionally for a folder that doesn't exist.
# Make the build boostrap files regardless.
RUN mkdir -p "/root/.m2"
COPY <<M2TEMPLATE /root/.m2/toolchains.xml
<?xml version="1.0" encoding="UTF-8"?>
<toolchains>
<toolchain>
<type>jdk</type>
<provides>
<version>${BUILDER_JDK_MAJOR_VERSION}</version>
<vendor>${BUILDER_JDK_VENDOR}</vendor>
<id>${BUILDER_JDK_VENDOR}_${BUILDER_JDK_MAJOR_VERSION}</id>
</provides>
<configuration>
<jdkHome>${BUILDER_JDK_HOME_PATH}</jdkHome>
</configuration>
</toolchain>
</toolchains>
M2TEMPLATE
RUN if [[ -z "$USE_PREBUILT_ZIP" ]]; then \
apk add --no-cache git unzip && \
cd /usr/local/src && \
mvn -B -e -Prelease package && \
cp ./target/*.zip /tmp; \
else \
echo "Using prebuilt ZIP archive from outside container"; \
fi

# Conditional source to prevent failed check for pre-built zip when the variable
# USE_PREBUILT_ZIP is set. See the following:
# https://stackoverflow.com/a/43656644
# https://stackoverflow.com/a/46801962
COPY pom.xml ./target/*.zi[p] /tmp
WORKDIR /tmp
RUN unzip *.zip -d /opt/oscal-cli-extended

FROM ${RUNNER_IMAGE} AS runner
COPY --from=builder /opt/oscal-cli-extended /opt/oscal-cli-extended
WORKDIR /opt/oscal-cli-extended
RUN /opt/oscal-cli-extended/bin/oscal-cli --version
ENTRYPOINT [ "/opt/oscal-cli-extended/bin/oscal-cli" ]
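Review bot: the runner stage has no `USER` directive, so oscal-cli runs as root inside the container; nothing after `COPY --from=builder` needs root at runtime, so add a non-root account in the runner stage (on Alpine, `adduser -D -H oscal` followed by `USER oscal`) before the ENTRYPOINT. Related: `ADD . /usr/local/src` in the builder stage pulls the entire build context, including `.git` and whatever else is lying in the working tree, into a layer; prefer `COPY` (ADD's URL and tar-extraction semantics are not used here) and add a `.dockerignore` that keeps `.git` and local tooling directories out while leaving `target/*.zip` reachable for the USE_PREBUILT_ZIP path. Smaller points: `[[ -z "$USE_PREBUILT_ZIP" ]]` is a bash extension but `RUN` executes under `/bin/sh` on the Alpine builder image, so `[ -z "$USE_PREBUILT_ZIP" ]` is the portable form; the `COPY <<M2TEMPLATE` heredoc requires a BuildKit Dockerfile frontend, so a leading `# syntax=docker/dockerfile:1` line would make that requirement explicit for local builds; and the comments have typos (`boostrap`, and `provider` where `provided` is meant).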