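---
name: Build, test and push

# Least privilege for the default GITHUB_TOKEN: read the repository,
# publish to GHCR (used by the push steps below).
permissions:
  contents: read
  packages: write

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  # ==========================================
  # Build the preview image every day at 03:00
  # to download updates such as the latest LTS
  # version of Node.js
  # ==========================================
  schedule:
    - cron: "0 3 * * *"
  release:
    types:
      - published
  push:
    branches:
      - main
      - feature/**
      - fix/**
    paths:
      - .github/**
      - docker/**

# One publish run per ref at a time; a newer push supersedes an in-flight one.
concurrency:
  group: ${{ github.ref }}-publish
  cancel-in-progress: true

jobs:
  python:
    name: Python
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # Job-level env is exported to every `run` step, so shell steps below
    # read $IMAGE_NAME / $DOCKERFILE_PATH instead of interpolating ${{ }}
    # into the script (same pattern as STEPS_BUILD_OUTPUTS_TAG).
    env:
      IMAGE_NAME: tna-python
      DOCKERFILE_PATH: docker/tna-python
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # NOTE(review): ds-docker-actions is consumed via the mutable `@main`
      # ref here and in every later step; pin to a commit SHA (as
      # actions/checkout is) so the reusable actions cannot change
      # underneath this workflow.
      - name: Setup Wiz
        uses: nationalarchives/ds-docker-actions/.github/actions/wiz-install-cli@main
      # Keep the downloaded CLI binary out of the Docker build context.
      - name: Add Wiz CLI to .dockerignore
        run: |
          echo "" >> .dockerignore
          echo "wizcli" >> .dockerignore
      - name: Lint Dockerfile
        uses: nationalarchives/ds-docker-actions/.github/actions/lint@main
        with:
          dockerfile-path: ${{ env.DOCKERFILE_PATH }}/Dockerfile
          # DL3059 (https://github.com/hadolint/hadolint/wiki/DL3059) - This is only a suggestion
          ignore-linting-rules: DL3059
      - name: Shellcheck
        run: find "${DOCKERFILE_PATH}/bin" -type f -exec shellcheck -x --exclude=SC1091 {} \;
      - name: Test Docker image build
        id: build
        uses: ./.github/actions/test-build
        with:
          image-name: ${{ env.IMAGE_NAME }}
          dockerfile-path: ${{ env.DOCKERFILE_PATH }}
      - name: Show image ID and tag
        run: |
          echo "Image ID: ${IMAGE_NAME}"
          echo "Tag: ${STEPS_BUILD_OUTPUTS_TAG}"
          docker image ls "${IMAGE_NAME}:${STEPS_BUILD_OUTPUTS_TAG}"
        env:
          STEPS_BUILD_OUTPUTS_TAG: ${{ steps.build.outputs.tag }}
      - name: Scan Dockerfile
        uses: nationalarchives/ds-docker-actions/.github/actions/wiz-scan-dockerfile@main
        with:
          image-id: ${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          dockerfile-path: ${{ env.DOCKERFILE_PATH }}/Dockerfile
          wiz-client-id: ${{ secrets.WIZ_CLIENT_ID }}
          wiz-client-secret: ${{ secrets.WIZ_CLIENT_SECRET }}
          wiz-project-id: ${{ secrets.WIZ_PROJECT_DIGITALSERVICES }}
      # Each framework template is run in the built image and must come up
      # as the unprivileged `app` user.
      - name: Test Flask
        uses: ./.github/actions/test-container
        with:
          application-repository: nationalarchives/flask-application-template
          image: ${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          expected-user: app
          environment-overrides: |
            APPLICATION_PROTOCOL=http
      - name: Test Django
        uses: ./.github/actions/test-container
        with:
          application-repository: nationalarchives/django-application-template
          image: ${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          expected-user: app
          environment-overrides: |
            APPLICATION_PROTOCOL=http
      - name: Test FastAPI
        uses: ./.github/actions/test-container
        with:
          application-repository: nationalarchives/fastapi-application-template
          image: ${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          expected-user: app
          environment-overrides: |
            APPLICATION_PROTOCOL=http
      - name: Build and push multi-platform Docker images
        uses: ./.github/actions/push
        with:
          image-id: ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          major-version: ${{ steps.build.outputs.major-version }}
          minor-version: ${{ steps.build.outputs.minor-version }}
          dockerfile-path: ${{ env.DOCKERFILE_PATH }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Pull the pushed image back so the container scan sees what was published.
      - name: Pull Docker image
        run: docker pull "ghcr.io/${GITHUB_REPOSITORY_OWNER}/${IMAGE_NAME}:${STEPS_BUILD_OUTPUTS_TAG}"
        env:
          STEPS_BUILD_OUTPUTS_TAG: ${{ steps.build.outputs.tag }}
      - name: Scan container
        uses: nationalarchives/ds-docker-actions/.github/actions/wiz-scan-container@main
        with:
          image-id: ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          dockerfile-path: ${{ env.DOCKERFILE_PATH }}/Dockerfile
          wiz-client-id: ${{ secrets.WIZ_CLIENT_ID }}
          wiz-client-secret: ${{ secrets.WIZ_CLIENT_SECRET }}
          wiz-project-id: ${{ secrets.WIZ_PROJECT_DIGITALSERVICES }}
      - name: Tag container
        uses: nationalarchives/ds-docker-actions/.github/actions/wiz-tag-container@main
        with:
          image-id: ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          wiz-client-id: ${{ secrets.WIZ_CLIENT_ID }}
          wiz-client-secret: ${{ secrets.WIZ_CLIENT_SECRET }}
          wiz-project-id: ${{ secrets.WIZ_PROJECT_DIGITALSERVICES }}

  python-dev:
    name: Python Dev
    # Builds on top of the image-id the `python` job pushes, so it must run after it.
    needs: python
    runs-on: ubuntu-latest
    timeout-minutes: 15
    env:
      IMAGE_NAME: tna-python-dev
      DOCKERFILE_PATH: docker/tna-python-dev
      BASE_IMAGE: ghcr.io/${{ github.repository_owner }}/tna-python
      # DISABLE_WIZ: true
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Setup Wiz
        uses: nationalarchives/ds-docker-actions/.github/actions/wiz-install-cli@main
      - name: Add Wiz CLI to .dockerignore
        run: |
          echo "" >> .dockerignore
          echo "wizcli" >> .dockerignore
      - name: Lint Dockerfile
        uses: nationalarchives/ds-docker-actions/.github/actions/lint@main
        with:
          dockerfile-path: ${{ env.DOCKERFILE_PATH }}/Dockerfile
          # DL3002 (https://github.com/hadolint/hadolint/wiki/DL3002) - Root user is already defined in the base image
          ignore-linting-rules: DL3002
      - name: Shellcheck
        run: find "${DOCKERFILE_PATH}/bin" -type f -exec shellcheck -x --exclude=SC1091 {} \;
      - name: Test Docker image build
        id: build
        uses: ./.github/actions/test-build
        with:
          image-name: ${{ env.IMAGE_NAME }}
          base-image: ${{ env.BASE_IMAGE }}
          dockerfile-path: ${{ env.DOCKERFILE_PATH }}
      - name: Show image ID and tag
        run: |
          echo "Image ID: ${IMAGE_NAME}"
          echo "Tag: ${STEPS_BUILD_OUTPUTS_TAG}"
        env:
          STEPS_BUILD_OUTPUTS_TAG: ${{ steps.build.outputs.tag }}
      - name: Scan Dockerfile
        uses: nationalarchives/ds-docker-actions/.github/actions/wiz-scan-dockerfile@main
        with:
          image-id: ${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          dockerfile-path: ${{ env.DOCKERFILE_PATH }}/Dockerfile
          wiz-client-id: ${{ secrets.WIZ_CLIENT_ID }}
          wiz-client-secret: ${{ secrets.WIZ_CLIENT_SECRET }}
          wiz-project-id: ${{ secrets.WIZ_PROJECT_DIGITALSERVICES }}
      # The dev image intentionally runs as root (see the DL3002 exclusion above),
      # so the container tests expect `root` rather than `app`.
      - name: Test Flask
        uses: ./.github/actions/test-container
        with:
          application-repository: nationalarchives/flask-application-template
          image: ${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          expected-user: root
      - name: Test Django
        uses: ./.github/actions/test-container
        with:
          application-repository: nationalarchives/django-application-template
          image: ${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          expected-user: root
      - name: Test FastAPI
        uses: ./.github/actions/test-container
        with:
          application-repository: nationalarchives/fastapi-application-template
          image: ${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          expected-user: root
      - name: Build and push multi-platform Docker images
        uses: ./.github/actions/push
        with:
          image-id: ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          major-version: ${{ steps.build.outputs.major-version }}
          minor-version: ${{ steps.build.outputs.minor-version }}
          base-image: ${{ env.BASE_IMAGE }}
          dockerfile-path: ${{ env.DOCKERFILE_PATH }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Pull Docker image
        run: docker pull "ghcr.io/${GITHUB_REPOSITORY_OWNER}/${IMAGE_NAME}:${STEPS_BUILD_OUTPUTS_TAG}"
        env:
          STEPS_BUILD_OUTPUTS_TAG: ${{ steps.build.outputs.tag }}
      - name: Scan container
        uses: nationalarchives/ds-docker-actions/.github/actions/wiz-scan-container@main
        with:
          image-id: ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          dockerfile-path: ${{ env.DOCKERFILE_PATH }}/Dockerfile
          wiz-client-id: ${{ secrets.WIZ_CLIENT_ID }}
          wiz-client-secret: ${{ secrets.WIZ_CLIENT_SECRET }}
          wiz-project-id: ${{ secrets.WIZ_PROJECT_DIGITALSERVICES }}
      - name: Tag container
        uses: nationalarchives/ds-docker-actions/.github/actions/wiz-tag-container@main
        with:
          image-id: ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
          image-tag: ${{ steps.build.outputs.tag }}
          wiz-client-id: ${{ secrets.WIZ_CLIENT_ID }}
          wiz-client-secret: ${{ secrets.WIZ_CLIENT_SECRET }}
          wiz-project-id: ${{ secrets.WIZ_PROJECT_DIGITALSERVICES }}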