65 changes: 32 additions & 33 deletions .github/workflows/docker-build.yml
@@ -3,42 +3,42 @@ name: Build, Test and Push Docker Image
on:
workflow_call:
inputs:
dockerfile:
description: 'Path to Dockerfile'
default: 'Dockerfile'
type: string
image-name:
description: 'Name of Docker Image'
description: "Name of Docker Image"
type: string
required: true
image-tag:
description: 'Tag of Docker Image'
description: "Tag of Docker Image"
default: "latest"
type: string
required: true
dockerfile:
description: "Path to Dockerfile"
default: "Dockerfile"
type: string
context:
description: "Path to Docker Build Context"
default: "."
type: string
registry:
description: "Docker Registry"
default: "docker.io"
type: string
push:
description: "Push Docker Image to Registry"
default: false
type: boolean
security-scan:
description: 'Enable Security Scan'
description: "Enable Trivy Security Scan"
default: true
type: boolean
security-report:
description: 'Enable Security Report'
default: 'sarif'
description: 'Security Report Mode (`"sarif"` | `"comment"`; ignored if `security-scan: false`)'
default: "sarif"
type: string
hadolint:
description: 'Enable Hadolint'
description: "Enable Hadolint"
default: true
type: boolean
push:
description: 'Push Docker Image to Registry'
default: false
type: boolean
context:
description: 'Path to Docker Build Context'
default: '.'
type: string
registry:
description: 'Docker Registry'
default: 'docker.io'
type: string
secrets:
username:
required: false
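Review bot: `image-tag` keeps `required: true` while gaining `default: "latest"`, and the README updated in this same PR lists it as not required; a required input and a default contradict each other, so drop `required: true` and let callers who omit it receive the default. Separately, `security-report` is a free-form string documented as `"sarif"` | `"comment"`, but nothing validates it: a typo such as `"comments"` makes the Trivy step fall back to table output and satisfies neither the comment condition nor the SARIF condition, so the scan runs and its findings are silently discarded. Consider failing fast, for example a short step with `if: inputs.security-report != 'sarif' && inputs.security-report != 'comment'` that exits non-zero with a clear message.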
@@ -67,7 +67,6 @@ jobs:
password: ${{ secrets.password }}

- name: Build Docker Image
if: ${{ inputs.push }}
uses: docker/build-push-action@v6
with:
context: ${{ inputs.context }}
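Review bot: dropping `if: ${{ inputs.push }}` from the build step is the right call, since Trivy and Hadolint need an image and a Dockerfile to inspect even when nothing is pushed, but the `with:` block of `docker/build-push-action@v6` is cut off in this hunk: confirm it carries `push: ${{ inputs.push }}`, otherwise removing the guard turns every run into an unconditional push to the registry.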
@@ -88,12 +87,12 @@ jobs:
uses: aquasecurity/trivy-action@0.29.0
with:
input: vuln-image.tar
format: 'table'
format: ${{ (inputs.security-report == 'sarif' && 'sarif') || 'table' }}
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
hide-progress: true
output: trivy.txt
output: ${{ (inputs.security-report == 'sarif' && 'trivy-results.sarif') || 'trivy.txt' }}

- name: Read Trivy report file
id: read_trivy
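Review bot: `output:` now switches to `trivy-results.sarif` in SARIF mode, but the next step, `Read Trivy report file` (`id: read_trivy`), is not shown to be conditioned on `inputs.security-report == 'comment'`; if it still reads `trivy.txt` it will fail or produce an empty report in SARIF mode, where that file is never written. Either guard that step on comment mode or have it read the path produced by the same expression. Not introduced by this change but worth documenting on the `security-scan` input: `ignore-unfixed: true` hides CRITICAL/HIGH findings that have no fixed version available, so a clean report does not mean the image is free of known vulnerabilities.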
@@ -109,8 +108,8 @@ jobs:
uses: peter-evans/find-comment@v3
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: 'Trivy Security Scan Results'
comment-author: "github-actions[bot]"
body-includes: "Trivy Security Scan Results"

- name: Create or update Trivy comment
if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'comment'
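Review bot: the Trivy comment step's condition on the last line of this hunk (`github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'comment'`) does not check that `steps.read_trivy.outputs.report` is non-empty, whereas the Hadolint comment step later in this file guards on `steps.read_hadolint.outputs.report != ''`; an empty report would post a blank "Trivy Security Scan Results" comment on the PR. Mirror the Hadolint guard here.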
@@ -134,7 +133,7 @@ jobs:
if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'sarif'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
sarif_file: "trivy-results.sarif"

- name: Run Hadolint Dockerfile linter
id: hadolint
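Review bot: the SARIF upload via `github/codeql-action/upload-sarif@v3` only runs for `pull_request` events, so images built on push to `main` or on tags are scanned but their results never reach Code Scanning; the PR-comment mode legitimately needs a PR number, this mode does not, so consider dropping the event check when `security-report == 'sarif'`. Calling workflows also need `permissions: security-events: write` for this step, and nothing in the inputs hints at that, so it belongs in the README next to the `security-report` input.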
@@ -159,8 +158,8 @@ jobs:
uses: peter-evans/find-comment@v3
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: 'Hadolint Dockerfile Lint Results'
comment-author: "github-actions[bot]"
body-includes: "Hadolint Dockerfile Lint Results"

- name: Create or update Hadolint comment
if: ${{ inputs.hadolint && steps.read_hadolint.outputs.report != '' }}
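Review bot: the Hadolint comment step's condition on the last line of this hunk (`inputs.hadolint && steps.read_hadolint.outputs.report != ''`) has no `github.event_name == 'pull_request'` check, unlike its Trivy counterpart earlier in the file, while the `find-comment` step in this hunk uses `issue-number: ${{ github.event.pull_request.number }}`; on a push-triggered run that value is empty and the step fails the job after the lint itself succeeded. Add the event check to both Hadolint comment steps, and for consistency settle on one style for conditions: the bare expression used by the Trivy steps or the `${{ }}`-wrapped form used here.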
81 changes: 31 additions & 50 deletions docker-build/README.md
@@ -1,29 +1,40 @@
# 🐳 Docker Build Workflow

## 🔍 Overview

This reusable GitHub Actions workflow automates the process of building and pushing Docker images to Docker Hub. It simplifies the Docker build process in your CI/CD pipeline by handling authentication, building, and tagging in a standardized way. Perfect for teams looking to streamline their containerization workflow with minimal configuration.

## ✨ Features

- 🔐 Securely authenticates with Docker Hub using best practices
- 🏗️ Builds optimized Docker images from a specified Dockerfile
- 🏷️ Intelligently tags and pushes images to Docker Hub
- 🔎 Scan for vulnerabilities
- 👍 Lint dockerfile
- 🛡️ Handles authentication securely using GitHub Secrets
- 🚀 Optimizes build performance with layer caching
- 📦 Supports multi-platform builds (AMD64, ARM64)

## ⚙️ Inputs

| Name | Description | Required | Default |
|------|-------------|----------|---------|
| `dockerfile` | Path to the Dockerfile to build (e.g., './Dockerfile', './docker/Dockerfile') | Yes | - |
| `tag` | Tag to apply to the built image (e.g., 'myimage:latest', 'myorg/myimage:v1.2.3') | Yes | - |
| Name | Description | Required | Default |
| ----------------- | ---------------------------------------------------------------------------------- | -------- | -------------- |
| `image-name` | Name of Docker Image (e.g., 'myimage', 'myorg/myimage') | true | - |
| `image-tag` | Tag to apply to the built image (e.g., 'latest', 'v1.2.3') | No | `"latest"` |
| `dockerfile` | Path to the Dockerfile to build (e.g., './Dockerfile', './docker/Dockerfile') | No | `"Dockerfile"` |
| `context` | Path to Docker Build Context | No | `"."` |
| `registry` | Docker Registry | No | `"docker.io"` |
| `push` | Push Docker Image to Registry | No | `false` |
| `security-scan` | Enable Trivy Security Scan | No | `true` |
| `security-report` | Security Report Mode (`"sarif"` \| `"comment"`; ignored if `security-scan: false`) | No | `"sarif"` |
| `hadolint` | Enable Hadolint | No | `true` |

## 🔐 Secrets

| Name | Description | Required |
|------|-------------|----------|
| `dockerhub_username` | Username for Docker Hub authentication | Yes |
| `dockerhub_pat` | Personal Access Token for Docker Hub authentication (with appropriate permissions) | Yes |
| Name | Description | Required |
| ---------- | --------------------------------------------------------------------------------------------------- | -------- |
| `username` | Username for Docker Registry authentication | Yes |
| `password` | Password or Personal Access Token for Docker registry authentication (with appropriate permissions) | Yes |

## 💻 Example Usage

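Review bot: the inputs table uses `true` in the Required column for `image-name` but `Yes`/`No` for every other row; use `Yes`. The `image-tag` row says Required `No` with default `"latest"`, which disagrees with `required: true` on that input in `docker-build.yml` in this same PR; make the two agree (dropping `required: true` in the workflow is the simpler fix). The Overview and the first feature bullets still describe the workflow as Docker Hub only, although `registry` is now an input defaulting to `docker.io`, and the features list still advertises layer caching and multi-platform (AMD64, ARM64) builds that nothing in the inputs table exposes. For the `password` secret, steer readers to a scoped personal access token rather than an account password, since the workflow only needs push rights to one repository, and note that SARIF mode requires `security-events: write` on the calling job.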
@@ -32,69 +43,39 @@ name: Build and Push Docker Image

on:
push:
branches: [ main ]
branches: [main]
# Also trigger on tag creation for release versioning
tags:
- 'v*.*.*'
- "v*.*.*"

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0 # Fetch all history for proper versioning

- name: Build and Push Docker Image
uses: iExecBlockchainComputing/github-actions-workflows/docker-build@docker-build-v1.1.1
- uses: actions/checkout@v4
with:
dockerfile: 'Dockerfile'
tag: 'my-image:latest'
secrets:
dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
dockerhub_pat: ${{ secrets.DOCKERHUB_PAT }}
```

## 🔍 Advanced Usage

### Multi-Platform Build Example
```yaml
name: Build Multi-Platform Docker Image

on:
release:
types: [published]

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- name: Set up QEMU
uses: docker/setup-qemu-action@v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
fetch-depth: 0 # Fetch all history for proper versioning

- name: Build and Push Docker Image
uses: iExecBlockchainComputing/github-actions-workflows/docker-build@docker-build-v1.1.1
uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@main # ⚠️ use tagged version here
with:
dockerfile: 'Dockerfile'
tag: 'myorg/myapp:${{ github.event.release.tag_name }}'
secrets:
dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
dockerhub_pat: ${{ secrets.DOCKERHUB_PAT }}
image-name: "username/my-image"
dockerfile: "Dockerfile"
secrets:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PAT }}
```

## 📝 Notes

- 🔒 Ensure your Docker Hub credentials are stored securely as GitHub Secrets
- 🔄 The workflow will automatically handle the Docker build and push process
- 🏷️ You can specify any valid Docker tag format in the `tag` input
- 📅 Consider using dynamic tags based on git tags, commit SHAs, or dates
- 🧪 For testing purposes, you can use the `--dry-run` flag in your own implementation

## 🛠️ Troubleshooting

- If you encounter authentication issues, verify your Docker Hub credentials are correct and have appropriate permissions
- For build failures, check your Dockerfile syntax and ensure all referenced files exist
- Large images may take longer to push - consider optimizing your Dockerfile with multi-stage builds
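Review bot: the example calls the reusable workflow as a step (`- name: Build and Push Docker Image` under `steps:` with `uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@main`), but a `workflow_call` workflow can only be referenced from a job-level `uses:`, and `secrets:` is likewise a job-level key, so GitHub rejects this file as written. Restructure it as `jobs.build.uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v1.1.1` with `with:` and `secrets:` directly beneath, and drop the caller-side `actions/checkout@v4` step: a reusable workflow runs as its own job and does not see a checkout performed by the caller. Put the pinned tag (or a full commit SHA) in the example itself rather than `@main` with a warning comment; the previous example pinned `docker-build-v1.1.1`, and a mutable branch ref lets any later change to that workflow run with the caller's `DOCKERHUB_PAT`. In the Notes section, the `tag` input no longer exists (it is `image-tag`), and the `--dry-run` bullet refers to nothing this workflow offers; `push: false`, the default, is the dry run.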