bunkerweb/.github/workflows/container-build.yml

name: Build container (REUSABLE)

on:
  workflow_call:
    inputs:
      RELEASE:
        required: true
        type: string
      ARCH:
        required: true
        type: string
      IMAGE:
        required: true
        type: string
      DOCKERFILE:
        required: true
        type: string
      CACHE:
        required: false
        type: boolean
        default: true
      PUSH:
        required: false
        type: boolean
        default: true
      CACHE_SUFFIX:
        required: false
        type: string
        default: ""
    secrets:
      DOCKER_USERNAME:
        required: true
      DOCKER_TOKEN:
        required: true
      ARM_SSH_KEY:
        required: false
      ARM_SSH_IP:
        required: false
      ARM_SSH_CONFIG:
        required: false

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Prepare
      - name: Checkout source code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Replace VERSION
        if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev'
        run: chmod +x ./misc/update-version.sh && ./misc/update-version.sh ${{ inputs.RELEASE }}
      - name: Replace VERSION 1.5
        if: inputs.RELEASE == '1.5'
        run: chmod +x ./misc/update-version.sh && ./misc/update-version.sh dev
      - name: Setup SSH for ARM node
        if: inputs.CACHE_SUFFIX == 'arm'
        run: |
          mkdir -p ~/.ssh
          echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
          chmod 600 ~/.ssh/id_rsa_arm
          echo "$SSH_CONFIG" | sed "s/SSH_IP/$SSH_IP/g" > ~/.ssh/config
          echo "ServerAliveInterval 60" >> ~/.ssh/config
          echo "ServerAliveCountMax 10" >> ~/.ssh/config          
        env:
          SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
          SSH_IP: ${{ secrets.ARM_SSH_IP }}
          SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
      - name: Setup Buildx
        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
        if: inputs.CACHE_SUFFIX != 'arm'
      - name: Setup Buildx (ARM)
        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
        if: inputs.CACHE_SUFFIX == 'arm'
        with:
          endpoint: ssh://root@arm
          platforms: linux/arm64,linux/arm/v7,linux/arm/v6
      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Login to ghcr
        if: inputs.PUSH == true
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Compute metadata
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
        with:
          images: bunkerity/${{ inputs.IMAGE }}
      # Build cached image
      - name: Build image
        if: inputs.CACHE == true
        uses: docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6.14.0
        with:
          context: .
          file: ${{ inputs.DOCKERFILE }}
          platforms: ${{ inputs.ARCH }}
          load: true
          tags: local/${{ inputs.IMAGE }}
          cache-from: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }}
          cache-to: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }},mode=min
          labels: ${{ steps.meta.outputs.labels }}
      # Build non-cached image
      - name: Build image
        if: inputs.CACHE != true
        uses: docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6.14.0
        with:
          context: .
          file: ${{ inputs.DOCKERFILE }}
          platforms: ${{ inputs.ARCH }}
          load: ${{ inputs.CACHE_SUFFIX != 'arm' }}
          tags: local/${{ inputs.IMAGE }}
          cache-to: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }}-${{ inputs.CACHE_SUFFIX }},mode=min
          labels: ${{ steps.meta.outputs.labels }}
      # Check OS vulnerabilities
      - name: Check OS vulnerabilities
        if: ${{ inputs.CACHE_SUFFIX != 'arm' }}
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
        with:
          vuln-type: os
          skip-dirs: /root/.cargo
          image-ref: local/${{ inputs.IMAGE }}
          format: table
          exit-code: 1
          ignore-unfixed: false
          severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
          trivyignores: .trivyignore
        env:
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
      # Push image
      - name: Push image
        if: inputs.PUSH == true
        run: docker tag local/$IMAGE ghcr.io/bunkerity/$IMAGE-tests:$TAG && docker push ghcr.io/bunkerity/$IMAGE-tests:$TAG
        env:
          IMAGE: "${{ inputs.IMAGE }}"
          TAG: "${{ inputs.RELEASE }}"