diff --git a/.github/actions/image-metadata/README.md b/.github/actions/image-metadata/README.md new file mode 100644 index 00000000..d1f9c98a --- /dev/null +++ b/.github/actions/image-metadata/README.md 
@@ -0,0 +1,57 @@ +# GitHub Action: Image metadata + +Author: **Digdir Platform Team** + +## Description + +This composite action generates Docker image metadata for workflows that need a +consistent image name and tag. + +It supports + +- Custom image tags via `image-tag` +- Package-version tags via `package-version` +- Explicit version strings via `version` +- Snapshot stripping when building from `main` or tag refs +- Auto-generated tags when no explicit tag is provided +- Container registry selection via `container-registry` or `registry-url` +- Automatic `image-name` fallback to the current repository name + +## Inputs + +| Input | Description | Required | Default | +| :---- | :---------- | :------- | :------ | +| `image-name` | Docker image name without registry. Defaults to repository name if unset. | false | `""` | +| `container-registry` | Container registry host (e.g. `creiddev.azurecr.io`, `ghcr.io`). | false | `""` | +| `registry-url` | Alternate registry URL if `container-registry` is not provided. | false | `""` | +| `image-tag` | Custom image tag. Overrides auto-generation. | false | `""` | +| `package-version` | Use package version as image tag when provided. | false | `""` | +| `version` | Use explicit version string as image tag when provided. | false | `""` | +| `version-pom-path` | Evaluate Maven `pom.xml` to derive the version when no explicit tag is provided. | false | `` | +| `strip-snapshot` | Strip `-SNAPSHOT` from version when building from `main` or tag refs. | false | `false` | +| `auto-generate-tag` | Generate a tag from the date and SHA when no explicit tag is provided. | false | `true` | + +## Outputs + +| Output | Description | +| :----- | :---------- | +| `image-name` | Fully qualified image name including registry. | +| `image-tag` | Image tag. 
| + +## Example usage + +```yaml +steps: + - name: Set image metadata + id: image-metadata + uses: felleslosninger/github-workflows/.github/actions/image-metadata@main + with: + image-name: my-app + container-registry: creiddev.azurecr.io +``` + +## How it works + +The action validates registry and image-name inputs, chooses the best available +tag source, and writes both values to outputs for later build, scan, and +publishing steps. diff --git a/.github/actions/image-metadata/action.yml b/.github/actions/image-metadata/action.yml new file mode 100644 index 00000000..b0102b06 --- /dev/null +++ b/.github/actions/image-metadata/action.yml 
@@ -0,0 +1,155 @@ +name: Image metadata +description: Composite action for generating container image metadata +author: Digdir Platform Team + +inputs: + image-name: + description: Container image name without registry. If unset, the repository name is used. + default: "" + required: false + container-registry: + description: Container registry host (e.g. creiddev.azurecr.io or ghcr.io). + default: "" + required: false + registry-url: + description: Alternate registry URL if container-registry is not provided. + default: "" + required: false + image-tag: + description: Custom image tag. If set, this is used instead of auto-generation. + default: "" + required: false + package-version: + description: Package version used as image tag when provided. + default: "" + required: false + version: + description: Version string used as image tag when provided. + default: "" + required: false + version-pom-path: + description: Maven pom.xml path used to derive image tag when version is not provided. + default: "" + required: false + strip-snapshot: + description: Strip '-SNAPSHOT' from version when building from main or tag refs. + default: "false" + required: false + auto-generate-tag: + description: Whether an image tag should be auto-generated when no explicit tag is provided. 
+ default: "true" + required: false + +outputs: + image-name: + description: The fully qualified image name + value: ${{ steps.get-name.outputs.image-name }} + image-tag: + description: The image tag + value: ${{ steps.get-tag.outputs.image-tag }} + +runs: + using: composite + steps: + - name: Start image metadata summary + shell: bash + run: echo "### Image metadata" >> "$GITHUB_STEP_SUMMARY" + + - name: Write inputs to summary + uses: felleslosninger/github-workflows/.github/actions/json-to-summary@main + with: + json-payload: ${{ toJson(inputs) }} + + - name: Determine image name + id: get-name + shell: bash + env: + CONTAINER_REGISTRY: ${{ inputs.container-registry }} + REGISTRY_URL: ${{ inputs.registry-url }} + IMAGE_NAME: ${{ inputs.image-name }} + REPOSITORY_NAME: ${{ github.event.repository.name }} + REPOSITORY_OWNER: ${{ github.repository_owner }} + run: | + set -euo pipefail + + registry="${CONTAINER_REGISTRY:-$REGISTRY_URL}" + + if [ -z "$registry" ]; then + echo "::error:: Missing container-registry or registry-url input." + { + echo "> [!WARNING]" + echo "> **Input validation failed:** You must provide either container-registry or registry-url." 
+ } >> "$GITHUB_STEP_SUMMARY" + exit 1 + fi + + image_name="${IMAGE_NAME:-$REPOSITORY_NAME}" + + if [ "$registry" = "ghcr.io" ]; then + image_name="$registry/$REPOSITORY_OWNER/$image_name" + else + image_name="$registry/$image_name" + fi + + echo "image-name=$image_name" >> "$GITHUB_OUTPUT" + echo "- Image name: \`$image_name\`" >> "$GITHUB_STEP_SUMMARY" + + - name: Determine image tag + id: get-tag + shell: bash + env: + IMAGE_TAG: ${{ inputs.image-tag }} + PACKAGE_VERSION: ${{ inputs.package-version }} + VERSION: ${{ inputs.version }} + VERSION_POM_PATH: ${{ inputs.version-pom-path }} + STRIP_SNAPSHOT: ${{ inputs.strip-snapshot }} + AUTO_GENERATE_TAG: ${{ inputs.auto-generate-tag }} + run: | + set -euo pipefail + + auto_tag="$(TZ=UTC date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8}" + tag_source="" + + if [ -n "$IMAGE_TAG" ]; then + image_tag="$IMAGE_TAG" + tag_source="custom image tag" + + elif [ -n "$PACKAGE_VERSION" ]; then + image_tag="$PACKAGE_VERSION" + tag_source="package version" + + elif [ -n "$VERSION" ]; then + image_tag="$VERSION" + tag_source="provided version" + + elif [ -n "$VERSION_POM_PATH" ]; then + set +e + pom_version=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout -f "$VERSION_POM_PATH" 2>/dev/null) + set -e + + if [ -n "$pom_version" ] && [ "$pom_version" != "null" ]; then + image_tag="$pom_version" + if [[ "$STRIP_SNAPSHOT" == "true" ]] && ([[ "$GITHUB_REF" == "refs/heads/main" ]] || [[ "$GITHUB_REF" == refs/tags/* ]]); then + image_tag="${image_tag/-SNAPSHOT/}" + fi + tag_source="Maven version" + else + image_tag="$auto_tag" + tag_source="fallback auto-generated tag" + fi + + elif [[ "$AUTO_GENERATE_TAG" == "true" ]]; then + image_tag="$auto_tag" + tag_source="auto-generated tag" + + else + echo "::error:: No image tag available. Provide image-tag, package-version, version, or allow auto-generate-tag." + { + echo "> [!WARNING]" + echo "> **Input validation failed:** No image tag was provided and auto-generate-tag is disabled." 
+ } >> "$GITHUB_STEP_SUMMARY" + exit 1 + fi + + echo "image-tag=$image_tag" >> "$GITHUB_OUTPUT" + echo "- Image tag: \`$image_tag\` (Source: $tag_source)" >> "$GITHUB_STEP_SUMMARY" diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml index ebf8b74e..a8c25962 100644 --- a/.github/workflows/ci-build-publish-image.yml +++ b/.github/workflows/ci-build-publish-image.yml @@ -163,7 +163,7 @@ jobs: run-spring-boot-build: needs: input-checks if: inputs.application-type == 'spring-boot' - uses: felleslosninger/github-workflows/.github/workflows/ci-spring-boot-build-publish-image.yml@main + uses: felleslosninger/github-workflows/.github/workflows/ci-spring-boot-build-publish-image.yml@PF-2305-image-metadata-composite-action with: image-name: ${{ inputs.image-name }} image-pack: ${{ inputs.image-pack }} @@ -191,7 +191,7 @@ jobs: run-quarkus-build: needs: input-checks if: inputs.application-type == 'quarkus' - uses: felleslosninger/github-workflows/.github/workflows/ci-quarkus-build-publish-image.yml@main + uses: felleslosninger/github-workflows/.github/workflows/ci-quarkus-build-publish-image.yml@PF-2305-image-metadata-composite-action with: image-name: ${{ inputs.image-name }} image-pack: ${{ inputs.image-pack }} @@ -216,7 +216,7 @@ jobs: run-docker-build: needs: input-checks if: inputs.application-type == 'docker' - uses: felleslosninger/github-workflows/.github/workflows/ci-docker-build-publish-image.yml@main + uses: felleslosninger/github-workflows/.github/workflows/ci-docker-build-publish-image.yml@PF-2305-image-metadata-composite-action with: image-name: ${{ inputs.image-name }} image-signing: ${{ inputs.image-signing }} diff --git a/.github/workflows/ci-docker-build-publish-image.yml b/.github/workflows/ci-docker-build-publish-image.yml index c5e2de35..59b8739e 100644 --- a/.github/workflows/ci-docker-build-publish-image.yml +++ b/.github/workflows/ci-docker-build-publish-image.yml 
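Review bot: In the `version-pom-path` branch of the `Determine image tag` step, a failed or empty `mvn help:evaluate` falls through to `image_tag="$auto_tag"` without consulting `AUTO_GENERATE_TAG`, so a caller that sets `auto-generate-tag: false` still receives a date/SHA tag, and because stderr is redirected to `/dev/null` a missing Maven or JDK on the runner (`mvn: command not found`) is indistinguishable from a pom without a version. The fallback should be gated on `AUTO_GENERATE_TAG` and otherwise fail with an `::error::`, as the final `else` branch already does. Since both outputs are later expanded with `${{ steps.image-metadata.outputs.* }}` inside `run:` scripts in the calling workflows, it is also worth rejecting a tag that does not match the OCI tag grammar before it is written to `$GITHUB_OUTPUT`. The README should additionally state that `version-pom-path` requires a checkout plus Java/Maven set up earlier in the same job, and that `strip-snapshot` applies only to the pom-derived version, not to `version` or `package-version`.
```yaml
      run: |
        # … unchanged: set -euo pipefail, auto_tag, the image-tag / package-version / version branches,
        #   the "elif [ -n "$VERSION_POM_PATH" ]" header and the guarded mvn help:evaluate call …
          if [ -n "$pom_version" ] && [ "$pom_version" != "null" ]; then
            image_tag="$pom_version"
            if [[ "$STRIP_SNAPSHOT" == "true" ]] && ([[ "$GITHUB_REF" == "refs/heads/main" ]] || [[ "$GITHUB_REF" == refs/tags/* ]]); then
              image_tag="${image_tag/-SNAPSHOT/}"
            fi
            tag_source="Maven version"
          elif [[ "$AUTO_GENERATE_TAG" == "true" ]]; then
            # Only fall back to the date/SHA tag when the caller allows it.
            image_tag="$auto_tag"
            tag_source="fallback auto-generated tag"
          else
            echo "::error:: Could not read project.version from $VERSION_POM_PATH and auto-generate-tag is disabled."
            exit 1
          fi

        # … unchanged: auto-generate-tag branch, final error branch and closing fi …

        # Reject anything that is not a valid OCI tag before it reaches downstream run: scripts.
        if [[ ! "$image_tag" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
          echo "::error:: Image tag '$image_tag' is not a valid OCI image tag."
          exit 1
        fi

        echo "image-tag=$image_tag" >> "$GITHUB_OUTPUT"
```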
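Review bot: All three `uses:` lines in this file now reference the feature branch `@PF-2305-image-metadata-composite-action` instead of `@main`, and the same mutable branch ref is used in `ci-pr-checks.yml` and by every `image-metadata@…` step added in the docker, integrasjonspunkt, quarkus and spring-boot workflows in this diff. A branch ref is fine for exercising the PR, but it must be switched back to `@main` (or, better, a commit SHA with a `# pin@…` comment, as the `actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pin@v5.0.0` lines already do) before merge; otherwise the workflows break as soon as the branch is deleted and, until then, resolve to whatever is last pushed to it. Presumably this is intended as a temporary change; a checklist item in the PR description would make that explicit.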
@@ -92,7 +92,7 @@ jobs: runs-on: ubuntu-latest outputs: - image-tag: ${{ steps.set-image-tag.outputs.image-tag }} + image-tag: ${{ steps.image-metadata.outputs.image-tag }} image-digest: ${{ steps.set-image-digest.outputs.image-digest }} permissions: @@ -100,19 +100,12 @@ jobs: contents: write steps: - - name: Set image tag - id: set-image-tag - run: | - image_tag=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8} - echo "image-tag=$image_tag" >> "$GITHUB_OUTPUT" - echo "- Image tag: $image_tag" >> "$GITHUB_STEP_SUMMARY" - - - name: Set image name - id: set-image-name - run: | - image_name=${{ inputs.container-registry }}/${{ inputs.image-name || github.event.repository.name }} - echo "image-name=$image_name" >> "$GITHUB_OUTPUT" - echo "- Image name: $image_name" >> "$GITHUB_STEP_SUMMARY" + - name: Set image metadata + id: image-metadata + uses: felleslosninger/github-workflows/.github/actions/image-metadata@PF-2305-image-metadata-composite-action + with: + image-name: ${{ inputs.image-name }} + container-registry: ${{ inputs.container-registry }} - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pin@v5.0.0 
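Review bot: Replacing the inline `Set image name` step with the composite action changes the resulting name when `inputs.container-registry` is `ghcr.io`: the removed step produced `<registry>/<image-name>`, whereas the action's `get-name` step inserts `${{ github.repository_owner }}` between them for that registry. If any caller of this reusable workflow pushes to ghcr.io, its images move to a different repository path after this change; if none do, a sentence in the PR description saying so would settle it. The action also exits with an error when neither `container-registry` nor `registry-url` is set, which the old inline step did not, so the `container-registry` input description in this workflow should say it is required.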
@@ -120,15 +113,15 @@ jobs: - name: Build image run: | if [ "${{ inputs.add-git-package-token }}" = "true" ]; then - docker build --tag ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} --file docker/Dockerfile --build-arg GIT_PACKAGE_TOKEN=${{ secrets.GITHUB_TOKEN }} . + docker build --tag ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} --file docker/Dockerfile --build-arg GIT_PACKAGE_TOKEN=${{ secrets.GITHUB_TOKEN }} . else - docker build --tag ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} --file ${{ inputs.application-path }}/Dockerfile . + docker build --tag ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} --file ${{ inputs.application-path }}/Dockerfile . fi - name: Run Trivy vulnerability scanner uses: felleslosninger/github-workflows/.github/actions/trivy-scan@main with: - image-ref: ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} + image-ref: ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} application-path: ${{ inputs.application-path }} library-disable-scan: ${{ inputs.trivy-library-disable-scan }} library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }} 
@@ -152,13 +145,13 @@ jobs: ACR_NAME: ${{ inputs.container-registry }} - name: "Push image" - run: docker push ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} + run: docker push ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} - name: Set image digest id: set-image-digest run: | image_digest=$(docker inspect \ - --format='{{.RepoDigests}}' ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} \ + --format='{{.RepoDigests}}' ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} \ | cut -d '@' -f 2 \ | cut -d ']' -f 1) echo "image-digest=$image_digest" >> "$GITHUB_OUTPUT" @@ -168,9 +161,9 @@ jobs: uses: felleslosninger/github-workflows/.github/actions/trivy-sbom@main with: scan-type: image - artifact-id: ${{ steps.set-image-name.outputs.image-name }} - image-ref: "${{ steps.set-image-name.outputs.image-name }}@${{ steps.set-image-digest.outputs.image-digest }}" - version: ${{ steps.set-image-tag.outputs.image-tag }} + artifact-id: ${{ steps.image-metadata.outputs.image-name }} + image-ref: "${{ steps.image-metadata.outputs.image-name }}@${{ steps.set-image-digest.outputs.image-digest }}" + version: ${{ steps.image-metadata.outputs.image-tag }} # This is already done in Trivy vuln scan step skip-setup: true @@ -178,7 +171,7 @@ jobs: if: ${{ inputs.image-signing == true }} uses: felleslosninger/github-workflows/.github/actions/image-signing@main with: - image: ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} + image: ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} notify-on-errors: runs-on: ubuntu-latest diff --git a/.github/workflows/ci-docker-build-publish-integrasjonspunkt.yml b/.github/workflows/ci-docker-build-publish-integrasjonspunkt.yml index 0c120f5c..4b18ca52 100644 
--- a/.github/workflows/ci-docker-build-publish-integrasjonspunkt.yml +++ b/.github/workflows/ci-docker-build-publish-integrasjonspunkt.yml @@ -133,17 +133,18 @@ jobs: run: | mvn -B clean package -DskipTests -pl integrasjonspunkt -am - - name: Set image name - id: set-image-name - run: | - image_name=${{ inputs.registry-url }}/${{ inputs.image-name || github.event.repository.name }} - echo "image-name=$image_name" >> "$GITHUB_OUTPUT" - echo "- Image name: $image_name" >> "$GITHUB_STEP_SUMMARY" + - name: Set image metadata + id: image-metadata + uses: felleslosninger/github-workflows/.github/actions/image-metadata@PF-2305-image-metadata-composite-action + with: + image-name: ${{ inputs.image-name }} + registry-url: ${{ inputs.registry-url }} + package-version: ${{ inputs.package-version }} - name: Build image run: | docker build \ - --tag ${{ steps.set-image-name.outputs.image-name }}:${{ inputs.package-version }} \ + --tag ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} \ --file ${{ inputs.application-path }}/docker/Dockerfile \ --build-arg GIT_PACKAGE_TOKEN=${{ secrets.GH_PACKAGES_READ_PAT }} \ --build-arg GIT_PACKAGE_USERNAME=${{ secrets.GH_PACKAGES_READ_USER }} \ @@ -152,7 +153,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: felleslosninger/github-workflows/.github/actions/trivy-scan@main with: - image-ref: ${{ steps.set-image-name.outputs.image-name }}:${{ inputs.package-version }} + image-ref: ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} application-path: ${{ inputs.application-path }} library-disable-scan: ${{ inputs.trivy-library-disable-scan }} library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }} 
@@ -171,13 +172,13 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: "Push image" - run: docker push ${{ steps.set-image-name.outputs.image-name }}:${{ inputs.package-version }} + run: docker push ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} - name: Set image digest id: set-image-digest run: | image_digest=$(docker inspect \ - --format='{{.RepoDigests}}' ${{ steps.set-image-name.outputs.image-name }}:${{ inputs.package-version }} \ + --format='{{.RepoDigests}}' ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} \ | cut -d '@' -f 2 \ | cut -d ']' -f 1) echo "image-digest=$image_digest" >> "$GITHUB_OUTPUT" @@ -187,8 +188,8 @@ jobs: uses: felleslosninger/github-workflows/.github/actions/trivy-sbom@main with: scan-type: image - artifact-id: ${{ steps.set-image-name.outputs.image-name }} - image-ref: "${{ steps.set-image-name.outputs.image-name }}@${{ steps.set-image-digest.outputs.image-digest }}" + artifact-id: ${{ steps.image-metadata.outputs.image-name }} + image-ref: "${{ steps.image-metadata.outputs.image-name }}@${{ steps.set-image-digest.outputs.image-digest }}" version: ${{ inputs.package-version }} # This is already done in Trivy vuln scan step skip-setup: true @@ -197,7 +198,7 @@ jobs: if: ${{ inputs.image-signing == true }} uses: felleslosninger/github-workflows/.github/actions/image-signing@main with: - image: ${{ steps.set-image-name.outputs.image-name }}:${{ inputs.package-version }} + image: ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} notify-on-errors: runs-on: ubuntu-latest diff --git a/.github/workflows/ci-docker-build-scan-integrasjonspunkt.yml b/.github/workflows/ci-docker-build-scan-integrasjonspunkt.yml index 467a127f..eb6dfb13 100644 --- a/.github/workflows/ci-docker-build-scan-integrasjonspunkt.yml +++ b/.github/workflows/ci-docker-build-scan-integrasjonspunkt.yml 
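Review bot: In the `Run Trivy SBOM generation` hunk, `version: ${{ inputs.package-version }}` still reads the raw input while `artifact-id` and `image-ref` now come from `steps.image-metadata`; because the action auto-generates a date/SHA tag when `package-version` is empty (the `Set image metadata` step added in this file's first hunk passes it through without `auto-generate-tag: false`), the SBOM version can disagree with the tag that was actually built, scanned and pushed. Change it to `version: ${{ steps.image-metadata.outputs.image-tag }}`, as the other publish workflows in this diff do. If the intent is that this workflow must always be given an explicit package version, pass `auto-generate-tag: "false"` to the action instead so the job fails early rather than publishing a differently-tagged image.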
@@ -100,7 +100,7 @@ jobs: TRIVY_OFFLINE_SCAN: ${{ inputs.container-scan-offline-mode }} outputs: - image-tag: ${{ steps.set-image-tag.outputs.image-tag }} + image-tag: ${{ steps.image-metadata.outputs.image-tag }} permissions: id-token: write 
@@ -117,39 +117,19 @@ jobs: distribution: "${{ inputs.java-distribution }}" java-version: ${{ inputs.java-version }} - - name: Set image tag from pom.xml - id: set-image-tag - run: | - # Extract version from pom.xml - VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout -f ${{ inputs.application-path }}/pom.xml) - - if [ -n "$VERSION" ] && [ "$VERSION" != "null" ]; then - # Use the version from pom.xml - image_tag="${VERSION}" - - # Remove -SNAPSHOT if present for production builds - if [[ "${{ github.ref }}" == "refs/heads/main" || "${{ github.ref }}" =~ ^refs/tags/ ]]; then - image_tag=${image_tag/-SNAPSHOT/} - fi - else - # Fallback to date-based tag if version not found - image_tag=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8} - fi - - echo "image-tag=$image_tag" >> "$GITHUB_OUTPUT" - echo "- Image tag: $image_tag" >> "$GITHUB_STEP_SUMMARY" - - - name: Set image name - id: set-image-name - run: | - image_name=${{ inputs.registry-url }}/${{ inputs.image-name || github.event.repository.name }} - echo "image-name=$image_name" >> "$GITHUB_OUTPUT" - echo "- Image name: $image_name" >> "$GITHUB_STEP_SUMMARY" + - name: Set image metadata + id: image-metadata + uses: felleslosninger/github-workflows/.github/actions/image-metadata@PF-2305-image-metadata-composite-action + with: + image-name: ${{ inputs.image-name }} + registry-url: ${{ inputs.registry-url }} + version-pom-path: ${{ inputs.application-path }}/pom.xml + strip-snapshot: true - name: Build image run: | docker build \ - --tag ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} \ + --tag ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} \ --file ${{ inputs.application-path }}/docker/Dockerfile \ --build-arg GIT_PACKAGE_TOKEN=${{ secrets.GH_PACKAGES_READ_PAT }} \ --build-arg GIT_PACKAGE_USERNAME=${{ secrets.GH_PACKAGES_READ_USER }} \ 
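Review bot: `strip-snapshot: true` is passed as a YAML boolean while the action declares the input with the string default `"false"` and compares it with `[[ "$STRIP_SNAPSHOT" == "true" ]]`; GitHub coerces composite-action inputs to strings so this works, but writing `strip-snapshot: "true"` matches the action's own defaults and avoids relying on that coercion. Note also that the removed inline step let Maven's stderr reach the job log, whereas the action discards it, so a Maven failure here now shows up only as `Source: fallback auto-generated tag` in the step summary. The step whose `distribution`/`java-version` inputs appear as context at the top of this hunk (presumably `setup-java`) is what makes the `mvn help:evaluate` call inside the action work; a comment on the new step such as `# needs the checkout and Java setup above: the action runs mvn help:evaluate` would keep a later reorder from breaking it.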
@@ -158,7 +138,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: felleslosninger/github-workflows/.github/actions/trivy-scan@main with: - image-ref: ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} + image-ref: ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} application-path: ${{ inputs.application-path }} library-disable-scan: ${{ inputs.trivy-library-disable-scan }} library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }} diff --git a/.github/workflows/ci-pr-checks.yml b/.github/workflows/ci-pr-checks.yml index 9ff16c1a..dca04a3d 100644 --- a/.github/workflows/ci-pr-checks.yml +++ b/.github/workflows/ci-pr-checks.yml @@ -201,7 +201,7 @@ jobs: if: | inputs.enable-trivy-image-scan == true && inputs.application-type == 'spring-boot' - uses: felleslosninger/github-workflows/.github/workflows/ci-spring-boot-container-scan.yml@main + uses: felleslosninger/github-workflows/.github/workflows/ci-spring-boot-container-scan.yml@PF-2305-image-metadata-composite-action with: image-name: ${{ inputs.image-name }} image-pack: ${{ inputs.image-pack }} @@ -222,7 +222,7 @@ jobs: if: | inputs.enable-trivy-image-scan == true && inputs.application-type == 'quarkus' - uses: felleslosninger/github-workflows/.github/workflows/ci-quarkus-container-scan.yml@main + uses: felleslosninger/github-workflows/.github/workflows/ci-quarkus-container-scan.yml@PF-2305-image-metadata-composite-action with: image-name: ${{ inputs.image-name }} image-pack: ${{ inputs.image-pack }} diff --git a/.github/workflows/ci-quarkus-build-publish-image.yml b/.github/workflows/ci-quarkus-build-publish-image.yml index 09a3d5af..8461efa5 100644 --- a/.github/workflows/ci-quarkus-build-publish-image.yml +++ b/.github/workflows/ci-quarkus-build-publish-image.yml 
@@ -95,10 +95,10 @@ on: outputs: image-version: description: "Docker image version" - value: ${{ jobs.build-publish-image.outputs.imagetag }} + value: ${{ jobs.build-publish-image.outputs.image-tag }} image-digest: description: "Docker image SHA256 digest" - value: ${{ jobs.build-publish-image.outputs.imagedigest }} + value: ${{ jobs.build-publish-image.outputs.image-digest }} jobs: inputs-to-summary: @@ -112,25 +112,25 @@ jobs: build-publish-image: runs-on: ubuntu-latest + outputs: + image-tag: ${{ steps.image-metadata.outputs.image-tag }} + image-digest: ${{ steps.set-image-digest.outputs.image-digest }} + env: REPOSITORY-NAME: ${{ github.event.repository.name }} DOCKLE_HOST: "unix:///var/run/docker.sock" - outputs: - imagetag: ${{ steps.output-image-tag.outputs.imagetag }} - imagedigest: ${{ steps.output-image-digest.outputs.imagedigest }} - permissions: id-token: write contents: write steps: - - name: Set imagetag as env variable - run: echo "IMAGETAG=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8}" >> "$GITHUB_ENV" - - - name: Set IMAGE-NAME env variable - run: | - echo "IMAGE-NAME=${{ inputs.container-registry }}/${{ inputs.image-name || env.REPOSITORY-NAME }}" >> "$GITHUB_ENV" + - name: Set image metadata + id: image-metadata + uses: felleslosninger/github-workflows/.github/actions/image-metadata@PF-2305-image-metadata-composite-action + with: + image-name: ${{ inputs.image-name }} + container-registry: ${{ inputs.container-registry }} - name: Checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pin@v5.0.0 @@ -150,7 +150,7 @@ jobs: env: MAVEN_USER: ${{ secrets.MAVEN_USER }} MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }} - run: mvn versions:set -B -DnewVersion="$IMAGETAG" + run: mvn versions:set -B -DnewVersion="${{ steps.image-metadata.outputs.image-tag }}" - name: Install pack run: | 
@@ -173,7 +173,7 @@ jobs: MAVEN_USER: ${{ secrets.MAVEN_USER }} MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }} run: | - pack build ${{env.IMAGE-NAME}}:${{env.IMAGETAG}} \ + pack build ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} \ --path . \ --buildpack docker://paketobuildpacks/quarkus \ --buildpack docker://paketobuildpacks/java-native-image \ @@ -193,7 +193,7 @@ jobs: MAVEN_USER: ${{ secrets.MAVEN_USER }} MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }} run: | - pack build ${{env.IMAGE-NAME}}:${{env.IMAGETAG}} \ + pack build ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} \ --path . \ --buildpack docker://paketobuildpacks/quarkus \ --buildpack docker://paketobuildpacks/java \ @@ -208,7 +208,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: felleslosninger/github-workflows/.github/actions/trivy-scan@main with: - image-ref: ${{ env.IMAGE-NAME }}:${{ env.IMAGETAG }} + image-ref: ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} library-disable-scan: ${{ inputs.trivy-library-disable-scan }} library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }} library-severity: ${{ inputs.trivy-library-severity }} 
@@ -230,23 +230,25 @@ jobs: ACR_NAME: ${{ inputs.container-registry }} - name: Push image - run: docker push ${{env.IMAGE-NAME}}:${{env.IMAGETAG}} - - - run: echo "IMAGE_DIGEST=$(docker inspect --format='{{.RepoDigests}}' ${{env.IMAGE-NAME}}:${{env.IMAGETAG}}|cut -d '@' -f 2|cut -d ']' -f 1)" >> "$GITHUB_ENV" + run: docker push ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} - - id: output-image-tag - run: echo "imagetag=${{env.IMAGETAG}}" >> "$GITHUB_OUTPUT" - - - id: output-image-digest - run: echo "imagedigest=${{env.IMAGE_DIGEST}}" >> "$GITHUB_OUTPUT" + - name: Set image digest + id: set-image-digest + run: | + image_digest=$(docker inspect \ + --format='{{.RepoDigests}}' ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} \ + | cut -d '@' -f 2 \ + | cut -d ']' -f 1) + echo "image-digest=$image_digest" >> "$GITHUB_OUTPUT" + echo "- Image digest: $image_digest" >> "$GITHUB_STEP_SUMMARY" - name: Run Trivy SBOM generation uses: felleslosninger/github-workflows/.github/actions/trivy-sbom@main with: scan-type: image - artifact-id: ${{ env.IMAGE-NAME }} - image-ref: "${{ env.IMAGE-NAME }}@${{ env.IMAGE_DIGEST }}" - version: ${{ env.IMAGETAG }} + artifact-id: ${{ steps.image-metadata.outputs.image-name }} + image-ref: "${{ steps.image-metadata.outputs.image-name }}@${{ steps.set-image-digest.outputs.image-digest }}" + version: ${{ steps.image-metadata.outputs.image-tag }} # This is already done in Trivy vuln scan step skip-setup: true @@ -254,7 +256,7 @@ jobs: if: ${{ inputs.image-signing == true }} uses: felleslosninger/github-workflows/.github/actions/image-signing@main with: - image: ${{env.IMAGE-NAME}}:${{env.IMAGETAG}} + image: "${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }}" notify-on-errors: runs-on: ubuntu-latest 
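Review bot: The new `Set image digest` step extracts the digest with `docker inspect --format='{{.RepoDigests}}' … | cut -d '@' -f 2 | cut -d ']' -f 1`, which prints the Go slice as `[a@sha256:… b@sha256:…]` and only works when exactly one repo digest is present; with two, the second `cut` leaves `sha256:… b` in `image_digest`, and a failing `docker inspect` leaves it empty, which then reaches `trivy-sbom` as `image-ref: <name>@`. Because the script runs without `set -euo pipefail`, neither case fails the job. Selecting the digest whose repository matches the pushed image name, passing the name and tag through `env:` rather than interpolating `${{ }}` into the script, and failing when nothing matches is more robust; the identical extraction appears in the `Set image digest` steps of `ci-docker-build-publish-image.yml`, `ci-docker-build-publish-integrasjonspunkt.yml` and `ci-spring-boot-build-publish-image.yml` in this diff, so it is a good candidate for a small shared composite action next to `image-metadata`.
```yaml
      - name: Set image digest
        id: set-image-digest
        env:
          IMAGE_NAME: ${{ steps.image-metadata.outputs.image-name }}
          IMAGE_TAG: ${{ steps.image-metadata.outputs.image-tag }}
        run: |
          set -euo pipefail
          # One "repo@sha256:…" entry per line; keep the one for the repository we pushed to.
          image_digest=$(docker image inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "$IMAGE_NAME:$IMAGE_TAG" \
            | awk -F'@' -v name="$IMAGE_NAME" '$1 == name { print $2; exit }')
          if [ -z "$image_digest" ]; then
            echo "::error:: No repo digest found for $IMAGE_NAME:$IMAGE_TAG"
            exit 1
          fi
          echo "image-digest=$image_digest" >> "$GITHUB_OUTPUT"
          echo "- Image digest: $image_digest" >> "$GITHUB_STEP_SUMMARY"
```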
diff --git a/.github/workflows/ci-quarkus-container-scan.yml b/.github/workflows/ci-quarkus-container-scan.yml index a70ecb5f..27c64878 100644 --- a/.github/workflows/ci-quarkus-container-scan.yml +++ b/.github/workflows/ci-quarkus-container-scan.yml @@ -19,7 +19,7 @@ on: type: string registry-url: description: Image/Container Registery URL - default: "my-local-registery" + default: "my-local-registry" required: false type: string java-version: @@ -89,12 +89,12 @@ jobs: DOCKLE_HOST: "unix:///var/run/docker.sock" #TRIVY_TIMEOUT: "15m" steps: - - name: Set imagetag as env variable - run: echo "IMAGETAG=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8}" >> "$GITHUB_ENV" - - - name: Set IMAGE-NAME env variable - run: | - echo "IMAGE-NAME=${{ inputs.registry-url }}/${{ inputs.image-name || env.REPOSITORY-NAME }}" >> "$GITHUB_ENV" + - name: Set image metadata + id: image-metadata + uses: felleslosninger/github-workflows/.github/actions/image-metadata@PF-2305-image-metadata-composite-action + with: + image-name: ${{ inputs.image-name }} + registry-url: ${{ inputs.registry-url }} - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pin@v5.0.0 @@ -130,7 +130,7 @@ jobs: MAVEN_USER: ${{ secrets.MAVEN_USER }} MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }} run: | - pack build ${{env.IMAGE-NAME}}:${{env.IMAGETAG}} \ + pack build ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} \ --path . \ --buildpack docker://paketobuildpacks/quarkus \ --buildpack docker://paketobuildpacks/java-native-image \ @@ -150,7 +150,7 @@ jobs: MAVEN_USER: ${{ secrets.MAVEN_USER }} MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }} run: | - pack build ${{env.IMAGE-NAME}}:${{env.IMAGETAG}} \ + pack build ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} \ --path . \ --buildpack docker://paketobuildpacks/quarkus \ --buildpack docker://paketobuildpacks/java \ 
@@ -165,7 +165,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: felleslosninger/github-workflows/.github/actions/trivy-scan@main with: - image-ref: ${{env.IMAGE-NAME}}:${{env.IMAGETAG}} + image-ref: "${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }}" application-path: ${{ inputs.application-path }} library-disable-scan: ${{ inputs.trivy-library-disable-scan }} library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }} diff --git a/.github/workflows/ci-spring-boot-build-publish-image.yml b/.github/workflows/ci-spring-boot-build-publish-image.yml index 4c9686bc..00ce8a75 100644 --- a/.github/workflows/ci-spring-boot-build-publish-image.yml +++ b/.github/workflows/ci-spring-boot-build-publish-image.yml @@ -123,8 +123,9 @@ jobs: build-publish-image: runs-on: ubuntu-latest + outputs: - image-tag: ${{ steps.set-image-tag.outputs.image-tag }} + image-tag: ${{ steps.image-metadata.outputs.image-tag }} image-digest: ${{ steps.set-image-digest.outputs.image-digest }} permissions: 
@@ -133,29 +134,13 @@ jobs: packages: write steps: - - name: Set image tag - id: set-image-tag - run: | - if [ -n "${{ inputs.image-tag }}" ]; then - image_tag="${{ inputs.image-tag }}" - echo "- Using custom image tag: $image_tag" >> "$GITHUB_STEP_SUMMARY" - else - image_tag=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8} - echo "- Using auto-generated tag: $image_tag" >> "$GITHUB_STEP_SUMMARY" - fi - echo "image-tag=$image_tag" >> "$GITHUB_OUTPUT" - echo "- Image tag: $image_tag" >> "$GITHUB_STEP_SUMMARY" - - - name: Set image name - id: set-image-name - run: | - if [[ "${{ inputs.container-registry }}" == "ghcr.io" ]]; then - image_name=${{ inputs.container-registry }}/${{ github.repository_owner }}/${{ inputs.image-name || github.event.repository.name }} - else - image_name=${{ inputs.container-registry }}/${{ inputs.image-name || github.event.repository.name }} - fi - echo "image-name=$image_name" >> "$GITHUB_OUTPUT" - echo "- Image name: $image_name" >> "$GITHUB_STEP_SUMMARY" + - name: Set image metadata + id: image-metadata + uses: felleslosninger/github-workflows/.github/actions/image-metadata@PF-2305-image-metadata-composite-action + with: + image-name: ${{ inputs.image-name }} + container-registry: ${{ inputs.container-registry }} + image-tag: ${{ inputs.image-tag }} - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pin@v5.0.0 @@ -177,7 +162,7 @@ jobs: MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }} run: | if [ "${{ inputs.update-versions }}" == "true" ]; then - mvn versions:set -B -DnewVersion="${{ steps.set-image-tag.outputs.image-tag }}" + mvn versions:set -B -DnewVersion="${{ steps.image-metadata.outputs.image-tag }}" echo "- \`mvn versions\` was executed" >> "$GITHUB_STEP_SUMMARY" else echo "- \`mvn versions\` was not executed" >> "$GITHUB_STEP_SUMMARY" 
@@ -191,7 +176,7 @@ jobs: run: | mvn install -B spring-boot:build-image \ -pl ${{ inputs.module-name }} -am \ - -Dspring-boot.build-image.imageName=${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} \ + -Dspring-boot.build-image.imageName=${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} \ -Dspring-boot.build-image.builder=paketobuildpacks/${{ inputs.image-pack }}:${{ inputs.image-pack-tag }} \ -Dspring-boot.build-image.createdDate=now @@ -203,14 +188,14 @@ jobs: run: | mvn -B spring-boot:build-image \ --file ${{ inputs.application-path }}pom.xml \ - -Dspring-boot.build-image.imageName=${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} \ + -Dspring-boot.build-image.imageName=${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} \ -Dspring-boot.build-image.builder=paketobuildpacks/${{ inputs.image-pack }}:${{ inputs.image-pack-tag }} \ -Dspring-boot.build-image.createdDate=now - name: Run Trivy vulnerability scanner uses: felleslosninger/github-workflows/.github/actions/trivy-scan@main with: - image-ref: ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} + image-ref: ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} application-path: ${{ inputs.application-path }} library-disable-scan: ${{ inputs.trivy-library-disable-scan }} library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }} 
@@ -245,13 +230,13 @@ jobs:
ACR_NAME: ${{ inputs.container-registry }}
- name: Push image
- run: docker push ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }}
+ run: docker push ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }}
- name: Set image digest
id: set-image-digest
run: |
image_digest=$(docker inspect \
- --format='{{.RepoDigests}}' ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} \
+ --format='{{.RepoDigests}}' ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} \
| cut -d '@' -f 2 \
| cut -d ']' -f 1)
echo "image-digest=$image_digest" >> "$GITHUB_OUTPUT"
@@ -261,9 +246,9 @@ jobs:
uses: felleslosninger/github-workflows/.github/actions/trivy-sbom@main
with:
scan-type: image
- artifact-id: ${{ steps.set-image-name.outputs.image-name }}
- image-ref: "${{ steps.set-image-name.outputs.image-name }}@${{ steps.set-image-digest.outputs.image-digest }}"
- version: ${{ steps.set-image-tag.outputs.image-tag }}
+ artifact-id: ${{ steps.image-metadata.outputs.image-name }}
+ image-ref: "${{ steps.image-metadata.outputs.image-name }}@${{ steps.set-image-digest.outputs.image-digest }}"
+ version: ${{ steps.image-metadata.outputs.image-tag }}
# This is already done in Trivy vuln scan step
skip-setup: true
@@ -271,7 +256,7 @@ jobs:
if: ${{ inputs.image-signing == true }}
uses: felleslosninger/github-workflows/.github/actions/image-signing@main
with:
- image: ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }}
+ image: ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }}
notify-on-errors:
runs-on: ubuntu-latest
diff --git a/.github/workflows/ci-spring-boot-container-scan.yml b/.github/workflows/ci-spring-boot-container-scan.yml
index 1320e901..b553b172 100644
--- a/.github/workflows/ci-spring-boot-container-scan.yml
+++ b/.github/workflows/ci-spring-boot-container-scan.yml
@@ -19,7 +19,7 @@ on:
type: string
registry-url:
description: Image/Container Registery URL
- default: "my-local-registery"
+ default: "my-local-registry"
required: false
type: string
java-version:
@@ -92,14 +92,12 @@ jobs:
DOCKLE_HOST: "unix:///var/run/docker.sock"
TRIVY_OFFLINE_SCAN: ${{ inputs.container-scan-offline-mode }}
steps:
- - name: Set image tag
- id: set-image-tag
- run: echo "image-tag=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"
-
- - name: Set image name
- id: set-image-name
- run: |
- echo "image-name=${{ inputs.registry-url }}/${{ inputs.image-name || env.REPOSITORY-NAME }}" >> "$GITHUB_OUTPUT"
+ - name: Set image metadata
+ id: image-metadata
+ uses: felleslosninger/github-workflows/.github/actions/image-metadata@PF-2305-image-metadata-composite-action
+ with:
+ image-name: ${{ inputs.image-name }}
+ registry-url: ${{ inputs.registry-url }}
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pin@v5.0.0
@@ -120,19 +118,19 @@ jobs:
env:
MAVEN_USER: ${{ secrets.MAVEN_USER }}
MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
- run: mvn install -DskipTests -B spring-boot:build-image -pl ${{ inputs.module-name }} -am -Dspring-boot.build-image.imageName=${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} -Dspring-boot.build-image.builder=paketobuildpacks/${{ inputs.image-pack }}:${{ inputs.image-pack-tag }}
+ run: mvn install -DskipTests -B spring-boot:build-image -pl ${{ inputs.module-name }} -am -Dspring-boot.build-image.imageName=${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} -Dspring-boot.build-image.builder=paketobuildpacks/${{ inputs.image-pack }}:${{ inputs.image-pack-tag }}
- name: Build image with Maven (application-path, skips tests)
if: inputs.module-name == ''
env:
MAVEN_USER: ${{ secrets.MAVEN_USER }}
MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
- run: mvn -DskipTests -B spring-boot:build-image --file ${{ inputs.application-path }}pom.xml -Dspring-boot.build-image.imageName=${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} -Dspring-boot.build-image.builder=paketobuildpacks/${{ inputs.image-pack }}:${{ inputs.image-pack-tag }}
+ run: mvn -DskipTests -B spring-boot:build-image --file ${{ inputs.application-path }}pom.xml -Dspring-boot.build-image.imageName=${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} -Dspring-boot.build-image.builder=paketobuildpacks/${{ inputs.image-pack }}:${{ inputs.image-pack-tag }}
- name: Run Trivy vulnerability scanner
uses: felleslosninger/github-workflows/.github/actions/trivy-scan@main
with:
- image-ref: ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }}
+ image-ref: ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }}
application-path: ${{ inputs.application-path }}
library-disable-scan: ${{ inputs.trivy-library-disable-scan }}
library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }}
diff --git a/.github/workflows/test-k6-build-docker.yml b/.github/workflows/test-k6-build-docker.yml
index aeb99bbd..d72beb98 100644
--- a/.github/workflows/test-k6-build-docker.yml
+++ b/.github/workflows/test-k6-build-docker.yml
@@ -70,12 +70,12 @@ jobs:
REGISTRY_URL: my-local-registry
DOCKLE_HOST: "unix:///var/run/docker.sock"
steps:
- - name: Set imagetag as env variable
- run: echo "IMAGETAG=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8}" >> "$GITHUB_ENV"
-
- - name: Set IMAGE-NAME env variable
- run: |
- echo "IMAGE-NAME=${{ env.REGISTRY_URL }}/${{ inputs.image-name || env.REPOSITORY-NAME }}" >> "$GITHUB_ENV"
+ - name: Set image metadata
+ id: image-metadata
+ uses: felleslosninger/github-workflows/.github/actions/image-metadata@PF-2305-image-metadata-composite-action
+ with:
+ image-name: ${{ inputs.image-name }}
+ registry-url: ${{ env.REGISTRY_URL }}
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pin@v5.0.0
@@ -86,12 +86,12 @@ jobs:
cp -R ${{ inputs.k6-libs-folder }}/* docker/${{ inputs.k6-libs-folder }}/
- name: Build the tagged Docker image
- run: docker build --tag ${{env.IMAGE-NAME}}:${{env.IMAGETAG}} docker/
+ run: docker build --tag ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} docker/
- name: Run Trivy vulnerability scanner
uses: felleslosninger/github-workflows/.github/actions/trivy-scan@main
with:
- image-ref: ${{env.IMAGE-NAME}}:${{env.IMAGETAG}}
+ image-ref: ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }}
application-path: ${{ inputs.application-path }}
library-disable-scan: ${{ inputs.trivy-library-disable-scan }}
library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }}
diff --git a/.github/workflows/test-k6-build-publish-docker.yml b/.github/workflows/test-k6-build-publish-docker.yml
index 545c33df..52a627c2 100644
--- a/.github/workflows/test-k6-build-publish-docker.yml
+++ b/.github/workflows/test-k6-build-publish-docker.yml
@@ -70,10 +70,10 @@ on:
outputs:
image-version:
description: "Docker image version"
- value: ${{ jobs.build-publish-image.outputs.imagetag }}
+ value: ${{ jobs.build-publish-image.outputs.image-tag }}
image-digest:
description: "Docker image SHA256 digest"
- value: ${{ jobs.build-publish-image.outputs.imagedigest }}
+ value: ${{ jobs.build-publish-image.outputs.image-digest }}
jobs:
build-publish-image:
@@ -82,29 +82,29 @@ jobs:
REPOSITORY-NAME: ${{ github.event.repository.name }}
DOCKLE_HOST: "unix:///var/run/docker.sock"
outputs:
- imagetag: ${{ steps.output-image-tag.outputs.imagetag }}
- imagedigest: ${{ steps.output-image-digest.outputs.imagedigest }}
+ image-tag: ${{ steps.image-metadata.outputs.image-tag }}
+ image-digest: ${{ steps.set-image-digest.outputs.image-digest }}
permissions:
id-token: write
contents: write
steps:
- - name: Set imagetag as env variable
- run: echo "IMAGETAG=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8}" >> "$GITHUB_ENV"
-
- - name: Set IMAGE_NAME env variable
- run: |
- echo "IMAGE_NAME=${{ secrets.REGISTRY_URL }}/${{ inputs.image-name || env.REPOSITORY-NAME }}" >> "$GITHUB_ENV"
+ - name: Set image metadata
+ id: image-metadata
+ uses: felleslosninger/github-workflows/.github/actions/image-metadata@PF-2305-image-metadata-composite-action
+ with:
+ image-name: ${{ inputs.image-name }}
+ registry-url: ${{ secrets.REGISTRY_URL }}
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pin@v5.0.0
- - name: Find and replace image version for ${{ env.IMAGETAG }} in version endpoint
+ - name: Find and replace image version for ${{ steps.image-metadata.outputs.image-tag }} in version endpoint
uses: jacobtomlinson/gha-find-replace@f1069b438f125e5395d84d1c6fd3b559a7880cb5 # pin@v3.0.5
id: update-version
with:
find: "DEV-SNAPSHOT"
- replace: "${{ env.IMAGETAG }}"
+ replace: "${{ steps.image-metadata.outputs.image-tag }}"
include: "docker/version"
regex: false
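Review bot: `registry-url: ${{ secrets.REGISTRY_URL }}` feeds a secret into a composite action whose `image-name` output embeds it, so the secret now travels as a step output that is interpolated into the `docker build`, `docker push`, `image-ref` and signing lines of the following hunks. The removed step kept the same value in `IMAGE_NAME` via `$GITHUB_ENV`, which is comparable, and GitHub masks secret values in step logs; what cannot be confirmed from this diff is whether the action writes the resolved image name to `$GITHUB_STEP_SUMMARY` as the removed step in the first file of this diff did, which would put the registry host into the job summary. Check the action's summary output before relying on it, or, if the registry host is not actually sensitive, store it as a repository variable rather than a secret so masking and output handling are not an issue. The job-level `outputs:` in this hunk only export `image-tag` and `image-digest`, which is correct since a job output containing a secret would be dropped.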
@@ -115,12 +115,12 @@ jobs:
cp -R ${{ inputs.k6-libs-folder }}/* docker/${{ inputs.k6-libs-folder }}/
- name: Build the tagged Docker image
- run: docker build --tag ${{env.IMAGE_NAME}}:${{env.IMAGETAG}} docker/
+ run: docker build --tag ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} docker/
- name: Run Trivy vulnerability scanner
uses: felleslosninger/github-workflows/.github/actions/trivy-scan@main
with:
- image-ref: ${{env.IMAGE_NAME}}:${{env.IMAGETAG}}
+ image-ref: "${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }}"
application-path: ${{ inputs.application-path }}
library-disable-scan: ${{ inputs.trivy-library-disable-scan }}
library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }}
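Review bot: The new `image-ref:` value is double-quoted here while the identical expression is written unquoted on the `docker build --tag` line in the same hunk and on every other `image-ref:` line this commit touches in the three sibling workflows. Both forms parse to the same string because the value begins with `$`, which is not a YAML indicator, so this is style only; pick one convention for the set, `image-ref: ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }}` matching the others being the smaller change.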
@@ -145,22 +145,23 @@ jobs:
- name: "Build the tagged Docker image"
run: |
- docker push ${{env.IMAGE_NAME}}:${{env.IMAGETAG}}
- docker image tag ${{env.IMAGE_NAME}}:${{env.IMAGETAG}} ${{env.IMAGE_NAME}}:latest && docker push ${{env.IMAGE_NAME}}:latest
+ docker push ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }}
+ docker image tag ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} ${{ steps.image-metadata.outputs.image-name }}:latest && docker push ${{ steps.image-metadata.outputs.image-name }}:latest
- - name: "Set image digest"
+ - name: Set image digest
+ id: set-image-digest
run: |
- echo "IMAGE_DIGEST=$(docker inspect --format='{{.RepoDigests}}' ${{env.IMAGE_NAME}}:${{env.IMAGETAG}}|cut -d '@' -f 2|cut -d ']' -f 1)" >> "$GITHUB_ENV"
-
- - id: output-image-tag
- run: echo "imagetag=${{env.IMAGETAG}}" >> "$GITHUB_OUTPUT"
+ image_digest=$(docker inspect \
+ --format='{{.RepoDigests}}' ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }} \
+ | cut -d '@' -f 2 \
+ | cut -d ']' -f 1)
+ echo "image-digest=$image_digest" >> "$GITHUB_OUTPUT"
+ echo "- Image digest: $image_digest" >> "$GITHUB_STEP_SUMMARY"
- - id: output-image-digest
- run: echo "imagedigest=${{env.IMAGE_DIGEST}}" >> "$GITHUB_OUTPUT"
- name: Image signing
uses: felleslosninger/github-workflows/.github/actions/image-signing@main
with:
- image: ${{env.IMAGE_NAME}}:${{env.IMAGETAG}}
+ image: ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }}
notify-on-errors:
runs-on: ubuntu-latest
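Review bot: The rewritten `set-image-digest` step has no guard for an empty result: if `docker inspect` reports `[]` for `RepoDigests` (image not actually pushed, or the push in the previous step not having registered a digest), `image_digest` is empty, the `image-digest` job output and with it the workflow's `image-digest` output are silently empty, and the signing step below still runs against the tag. Add a check right after the assignment, `[ -n "$image_digest" ] || { echo "::error::no repository digest found for image" >&2; exit 1; }`, so a missing digest fails the job instead of publishing an empty value. The equivalent step in the first file of this diff has the same shape, though only its reference line changed there.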