地方エンジニアの学習日記

興味ある技術の雑なメモだったりを書いてくブログ。たまに日記とガジェット紹介。

【GitHub Actions】Dockerを使うテンプレートyaml

ベース

name: Push Docker image to ECR

on: push

env:
  # BuildKitを有効化
  DOCKER_BUILDKIT: 1
  IMAGE_NAME: sample
  IMAGE_TAG: test

jobs:
  build:
    name: Build image
    runs-on: ubuntu-18.04
    steps:
      - uses: actions/checkout@master

      - name: Login GitHub Registry
        run: echo ${{ secrets.GITHUB_TOKEN }} | docker login docker.pkg.github.com -u owner --password-stdin
      - name: Build image
        run: docker build -t docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_TAG} --file Dockerfile .
      - name: Push image to GitHub Registry
        run: docker push docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_TAG}

  trivy:
    name: Trivy Scan Vulnerability
    runs-on: ubuntu-18.04
    needs: build
    steps:
      - uses: actions/checkout@master

      - name: Login GitHub Registry
        run: echo ${{ secrets.GITHUB_TOKEN }} | docker login docker.pkg.github.com -u owner --password-stdin

      - name: Pull image from GitHub Registry
        run: docker pull docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_TAG}

      - name: Install trivy
        run: |
          sudo apt-get install --no-install-recommends apt-transport-https gnupg
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
          echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
          sudo apt-get update
          sudo apt-get install --no-install-recommends trivy

      - name: Vulnerability Scan with Trivy
        run: |
          trivy -q --severity HIGH,CRITICAL \
            --exit-code 1 docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_TAG}

  dockle:
    name: Dockle
    runs-on: ubuntu-18.04
    needs: build
    steps:
      - uses: actions/checkout@master

      - name: Login GitHub Registry
        run: echo ${{ secrets.GITHUB_TOKEN }} | docker login docker.pkg.github.com -u owner --password-stdin
      - name: Pull image from GitHub Registry
        run: docker pull docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_TAG}

      - name: Install dockle
        run: |
          VERSION=$(curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
          grep '"tag_name":' | \
          sed -E 's/.*"v([^"]+)".*/\1/' \
          )
          curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb
          sudo dpkg -i dockle.deb
          rm dockle.deb

      - name: Check image with dockle
        run: dockle docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_TAG}