action.yml

name: "Build And Push"
description: GitHub Action for build and push docker images - Sysdig way
outputs:
  names:
    description: "Image names"
    value: ${{ steps.build_image_names.outputs.names }}
  tags:
    description: "Git tag version calculated"
    value: ${{ steps.meta.outputs.tags }}
  labels:
    description: "Labels added to container image"
    value: ${{ steps.meta.outputs.labels }}

inputs:
  image_name:
    description: "name of the docker image. Example: redis-6"
    required: true

  image_description:
    description: "description of the docker image. Example: sysdig redis-6 image"
    required: true

  image_tag_string_suffix:
    description: "optional string that will be added after the semver in the tag like: xxx/myimg:0.0.1-string instead of xxx/myimg:0.0.1"
    default: ""
    required: false

  image_tag_string_prefix:
    description: "optional string that will be added before the semver in the tag like: xxx/myimg:string-0.0.1 instead of xxx/myimg:0.0.1"
    default: ""
    required: false

  alternate_platforms:
    description: "optional additional architectures -comma separated- (right now only linux/amd64 and linux/arm64 are supported), linux/amd64 is always set"
    required: false

  external_tag:
    description: "use this tag instead of having the action calculate it"
    required: false

  latest_tag:
    description: "generate `latest` tag for the image"
    required: false
    default: "false"

  context_path:
    description: "path to context directory (where the build starts)"
    required: true

  dockerfile:
    description: "path to docker file (defaults to {{context_path}}/Dockerfile)"
    required: false
    default: Dockerfile

  build_args:
    description: "build_args to pass"
    required: false
    default: ""

  provenance:
    description: "build single image without extra unknown/unknown platform tags"
    required: false
    default: "false"

  # Needed when run_scanner is true
  sysdig_secure_token:
    description: "API token for Sysdig Scanning auth"
    required: false

  # wether to create git tag and push the image
  dry_run:
    description: "whether to actually create git tag and push the image"
    required: false
    default: "false"

  push:
    description: "exec the push phase (respecting dry_run flag)"
    required: false
    default: "true"

  build:
    description: "exec the build phase (respecting dry_run flag)"
    required: false
    default: "true"

  # flags for pushing to GAR, artifactory or quay
  push_to_artifactory:
    description: "whether to push the image to artifactory"
    default: "false"
    required: false
  push_to_quay:
    description: "whether to push the image to quay"
    default: "false"
    required: false
  push_to_gar:
    description: "whether to push the image to gar"
    default: "true"
    required: false

  artifactory_prefix:
    description: "prefix for artifactory repository. Example: docker.internal.sysdig.com"
    default: "docker.internal.sysdig.com"
    required: false
  quay_prefix:
    description: "prefix for quay repository. Example: docker.internal.sysdig.com"
    default: "quay.io/sysdig"
    required: false
  gar_prefix:
    description: "prefix for gar repository. Example: docker.internal.sysdig.com"
    default: "us-docker.pkg.dev/sysdig-artifact-registry-dev/gar-docker/infra"
    required: false

  artifactory_username:
    description: "Artifactory Username Secret"
    default: ""
    required: false
  artifactory_password:
    description: "Artifactory Password Secret"
    default: ""
    required: false
  artifactory_url:
    description: "Artifactory URL"
    required: false
    default: "docker.internal.sysdig.com"
  quay_username:
    description: "Quay Username Secret"
    default: ""
    required: false
  quay_password:
    description: "Quay Password Secret"
    default: ""
    required: false
  gar_password:
    description: "GAR Password Secret"
    default: ""
    required: true
  github_token:
    description: "GITHUB Token used to tag the repo"
    required: true

  upload_artifact:
    description: "whether to upload the docker image as gh artifact"
    required: false
    default: "false"
  gh_artifact_name:
    description: "custom image name to upload the docker image as gh artifact"
    required: false
    default: "image"

  run_scanner:
    description: "Enables the sysdig security scanner"
    required: false
    default: "false"

  scan_type:
    description: "The type of scan to perform"
    required: false
    default: "both" # "legacy","new" or "both"

  # Sysdig Scanner legacy
  severity:
    description: "Severity level to fail the scan"
    required: false
    default: "high"

  # Sysdig Scanner legacy
  sysdig-skip-tls:
    description: "Skip TLS verification when calling secure endpoints."
    required: false
    default: "false"

  # Sysdig Scanner
  policy-list:
    description: "Comma separated list of policies to include"
    required: false
    default: ""

runs:
  using: "composite"
  steps:
    - uses: actions/setup-python@v5
      with:
        python-version: '3.11'

    # NOTE: the following workaround is needed to explicitly set up the context for buildx when running on DinD
    - name: Custom docker context for use with self_hosted runners
      shell: bash
      run: if ! (docker context ls | grep -q mycontext) ;then docker context create mycontext; fi

    - name: Creating list of platforms for Image build
      if: ${{ inputs.build == 'true' }}
      shell: bash
      id: platforms_list
      # This will trim whitespace and remove duplicates if specified, espcially if the user has specified linux/amd64
      run: |
        [[ -n "${{ inputs.alternate_platforms }}" ]] && platform_list_temp="linux/amd64,${{ inputs.alternate_platforms }}" || platform_list_temp="linux/amd64"
        final_platforms_list=$(echo $platform_list_temp | tr -d ' ' | tr ',' '\n' | sort | uniq | paste -sd ',' -)
        echo "image_platforms=${final_platforms_list}" >> $GITHUB_OUTPUT

    - name: Set up QEMU
      if: ${{ steps.platforms_list.outputs.image_platforms != 'linux/amd64' }}
      id: qemu
      uses: docker/setup-qemu-action@v3
      with:
        platforms: ${{ steps.platforms_list.outputs.image_platforms }}

    - name: Set up Docker Buildx
      id: buildx
      uses: docker/setup-buildx-action@v3
      with:
        endpoint: mycontext
        platforms: ${{ steps.platforms_list.outputs.image_platforms }}

# Login to registries
    - name: Login to Artifactory
      uses: docker/login-action@v3
      if: ${{inputs.artifactory_username != '' && inputs.artifactory_password != '' }}
      with:
        registry: ${{ inputs.artifactory_url }}
        username: ${{ inputs.artifactory_username }}
        password: ${{ inputs.artifactory_password }}

    - name: Login to Quay
      uses: docker/login-action@v3
      if: ${{inputs.quay_username != '' && inputs.quay_password != ''  }}
      with:
        registry: quay.io
        username: ${{ inputs.quay_username }}
        password: ${{ inputs.quay_password }}

    - name: Login to GAR
      uses: docker/login-action@v3
      if: ${{inputs.gar_password != '' }}
      with:
        registry: ${{ inputs.gar_prefix }}
        username: _json_key
        password: ${{ inputs.gar_password }}

    - name: "DEBUG"
      shell: bash
      run: |
        echo "DEBUG - dry_run: ${{ inputs.dry_run }}"
        echo "DEBUG - push: ${{ inputs.push }}"
        echo "DEBUG - expression: ${{ inputs.dry_run == 'true' || inputs.push == 'false' }}"

# Bump version and create git tag
    - name: Bump container version and create new github tag
      if: ${{ ! inputs.external_tag }}
      id: bump_version
      uses: mathieudutour/github-tag-action@v6.2
      with:
        github_token: ${{ inputs.github_token }}
        tag_prefix: container/${{ inputs.image_name }}-
        fetch_all_tags: true
        # we must create a git tag only when pushing
        dry_run: ${{ inputs.dry_run == 'true' || inputs.push == 'false' }}

    - name: Build images names
      id: build_image_names
      shell: bash
      env:
        PUSH_TO_ARTIFACTORY: ${{ inputs.push_to_artifactory }}
        PUSH_TO_QUAY: ${{ inputs.push_to_quay }}
        PUSH_TO_GAR: ${{ inputs.push_to_gar }}
      run: |
        json='[]'
        $PUSH_TO_ARTIFACTORY && json=$(echo $json | jq -cr ". += [\"${{inputs.artifactory_prefix}}/${{inputs.image_name}}\"]")
        $PUSH_TO_QUAY && json=$(echo $json | jq -cr ". += [\"${{inputs.quay_prefix}}/${{inputs.image_name}}\"]")
        $PUSH_TO_GAR && json=$(echo $json | jq -cr ". += [\"${{inputs.gar_prefix}}/${{inputs.image_name}}\"]")
        names=$(echo $json | jq -r '. | join(",")')
        echo "names=${names}" >> $GITHUB_OUTPUT

    # By default the img tag is the bumped version of the last tag
    # In some edge cases we need to prepend and/or append a string
    # See "image_tag_string_suffix" or "image_tag_string_prefix" in inputs section
    - name: Add optional suffix and-or prefix to docker image tag
      if: ${{ ! inputs.external_tag }}
      shell: bash
      id: image_tag
      run: |
        [[ -n "${{ inputs.image_tag_string_prefix }}" ]] && _prefix="${{ inputs.image_tag_string_prefix }}-" || _prefix=""
        [[ -n "${{ inputs.image_tag_string_suffix }}" ]] && _suffix="-${{ inputs.image_tag_string_suffix }}" || _suffix=""
        echo "ver=${_prefix}${{ steps.bump_version.outputs.new_version }}${_suffix}" >> $GITHUB_OUTPUT

    - name: Build container meta
      id: meta
      uses: docker/metadata-action@v5
      with:
        images: ${{ steps.build_image_names.outputs.names }}
        flavor: |
          latest=${{ inputs.latest_tag }}
          prefix=
          suffix=
        labels: |
          org.opencontainers.image.title=${{ inputs.image_name }}
          org.opencontainers.image.description=${{ inputs.image_description }}
        tags: |
          type=raw,value=${{ inputs.external_tag || steps.image_tag.outputs.ver }}

    - name: Build container
      uses: docker/build-push-action@v5
      if: ${{ inputs.build == 'true' }}
      with:
        context: ${{ inputs.context_path }}
        file: ${{ inputs.context_path }}/${{ inputs.dockerfile }}
        build-args: ${{ inputs.build_args }}
        push: false
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        load: true
        provenance: ${{ inputs.provenance }}

    # Scan only one container name
    # This is needed because if you add/enable the push to quay.io, gar or artifactory (or all of them), there is a list of images with different registries.
    # Both are the same but we just need one to do the scanning. Usually artifactory is the first one of the list
    - name: Local container tag
      if: inputs.run_scanner == 'true' && inputs.build == 'true'
      shell: bash
      id: container
      run: |
        CONTAINER_TAG=$(echo -e '${{steps.meta.outputs.tags}}' | head -n 1)
        echo "container-tag=${CONTAINER_TAG}" >> $GITHUB_OUTPUT

    - name: Scan image
      if: inputs.run_scanner == 'true' && inputs.build == 'true'
      continue-on-error: true
      uses: draios/infra-action-sysdig-scan@v0.0.6
      with:
        image-tag: ${{ steps.container.outputs.container-tag }}
        sysdig-secure-token: ${{ inputs.sysdig_secure_token }}
        scan-type: ${{ inputs.scan_type }}
        sysdig-secure-url: "https://prodmon.app.sysdig.com"
        severity: ${{ inputs.severity }}
        sysdig-skip-tls: ${{ inputs.sysdig-skip-tls }}
        policy-list: ${{ inputs.policy-list }}

    - name: Push container
      uses: docker/build-push-action@v5
      if: ${{ inputs.push == 'true' && inputs.dry_run != 'true' }}
      with:
        context: ${{ inputs.context_path }}
        file: ${{ inputs.context_path }}/${{ inputs.dockerfile }}
        build-args: ${{ inputs.build_args }}
        push: ${{ inputs.dry_run != 'true' }}
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        platforms: ${{ steps.platforms_list.outputs.image_platforms }}
        provenance: ${{ inputs.provenance }}

    - name: Save image to file
      uses: docker/build-push-action@v5
      if: ${{ inputs.upload_artifact == 'true' && inputs.build == 'true' }}
      with:
        context: ${{ inputs.context_path }}
        file: ${{ inputs.context_path }}/${{ inputs.dockerfile }}
        build-args: ${{ inputs.build_args }}
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        outputs: type=docker,dest=/tmp/${{ inputs.gh_artifact_name }}.tar

    - name: Upload image as github artifact
      uses: actions/upload-artifact@v4
      if: ${{ inputs.upload_artifact == 'true' && inputs.build == 'true' }}
      with:
        name: ${{ inputs.gh_artifact_name }}
        path: /tmp/${{ inputs.gh_artifact_name }}.tar
        retention-days: 2