diff --git a/.github/workflows/helm-container-build-push-3rd-gen.yml b/.github/workflows/helm-container-build-push-3rd-gen.yml
index ee33107..60142a3 100644
--- a/.github/workflows/helm-container-build-push-3rd-gen.yml
+++ b/.github/workflows/helm-container-build-push-3rd-gen.yml
@@ -93,6 +93,7 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+
 - name: Container build and push 3rd gen
 id: build-and-push
 uses: greenbone/actions/container-build-push-generic@v3
@@ -121,6 +122,83 @@ jobs:
 scout-user: ${{ contains(inputs.scout, 'true') && secrets.DOCKERHUB_USERNAME || '' }}
 scout-password: ${{ contains(inputs.scout, 'true') && secrets.DOCKERHUB_TOKEN || '' }}
 
+ building-container-greenbone-reg:
+ if: (inputs.helm-chart) && (startsWith(github.ref, 'refs/tags/v'))
+ runs-on: self-hosted-generic
+ outputs:
+ digest: ${{ steps.build-and-push.outputs.digest }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Unfortunately we have to format the URL here because in many repos multiple images are built with static URLs.
+ # Later we can also use this step to distribute the images into different OCI projects
+ - name: Create image url
+ id: image-url
+ shell: bash
+ run: |
+ if ${{ github.ref_name }} | grep -Eq "alpha|rc"; then
+ url="opensight-dev/$(basename ${{ inputs.image-url }})"
+ else
+ case "${{ inputs.image-url }}" in
+ *"asset-management"*)
+ url="opensight-asset/$(basename ${{ inputs.image-url }})"
+ ;;
+ *"vulnerability-intelligence"*)
+ url="opensight-lookout/$(basename ${{ inputs.image-url }})"
+ ;;
+ *"scan-management"*)
+ url="opensight-appliance/$(basename ${{ inputs.image-url }})"
+ ;;
+ *"opensight-postgres"*)
+ url="opensight/$(basename ${{ inputs.image-url }})"
+ ;;
+ *"opensight-keycloak"*)
+ url="opensight/$(basename ${{ inputs.image-url }})"
+ ;;
+ *"opensight-ingress"*)
+ url="opensight/$(basename ${{ inputs.image-url }})"
+ ;;
+ *"opensight-opensearch"*)
+ url="opensight/$(basename ${{ inputs.image-url }})"
+ ;;
+ *"opensight-notification-service"*)
+ url="opensight/$(basename ${{ inputs.image-url }})"
+ ;;
+ *)
+ echo "no supported service in ${{ inputs.image-url }}"
+ exit 1
+ ;;
+ # Follow pattern for all 3rd gen products
+ esac
+ fi
+ echo "url=$url" >> $GITHUB_OUTPUT
+
+ - name: Container build and push 3rd gen to additional url
+ id: build-and-push-additional
+ uses: greenbone/actions/container-build-push-generic@v3
+ with:
+ build-context: ${{ inputs.build-context }}
+ build-docker-file: ${{ inputs.build-docker-file }}
+ build-args: ${{ inputs.build-args }}
+ build-secrets: ${{ contains(inputs.build-secret-greenbonebot, 'true') && format('GREENBONE_BOT_PACKAGES_READ_TOKEN={0}', secrets.GREENBONE_BOT_PACKAGES_READ_TOKEN) || inputs.build-secrets }}
+ cosign-key: ${{ secrets.COSIGN_KEY_OPENSIGHT }}
+ cosign-key-password: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }}
+ # The tlog function does not currently support an ed25519 key.
+ cosign-tlog-upload: "false"
+ image-url: ${{ steps.image-url.outputs.url }}
+ image-labels: ${{ inputs.image-labels }}
+ image-tags: |
+ # create container tag for git tags
+ type=ref,event=tag,value=latest
+ type=match,pattern=v(.*),group=1
+ type=ref,event=pr
+ # use unstable for main branch
+ type=raw,value=unstable,enable={{is_default_branch}}
+ registry: ${{ secrets.GREENBONE_REGISTRY }}
+ registry-username: ${{ secrets.GREENBONE_REGISTRY_USER }}
+ registry-password: ${{ secrets.GREENBONE_REGISTRY_TOKEN }}
+
 building-service-chart:
 if: (inputs.helm-chart) && (startsWith(github.ref, 'refs/tags/v'))
 needs:
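Review bot: In the `Create image url` step, `if ${{ github.ref_name }} | grep -Eq "alpha|rc"; then` runs the tag name as a command instead of piping it to grep, so the test presumably never matches and alpha/rc tags fall through to the `case` and are pushed to the release projects rather than `opensight-dev`. That line, and every `${{ inputs.image-url }}` in the script, also expands an expression straight into the shell text, so a crafted tag name or input value can change what the script runs on the self-hosted runner; passing both through `env:` and using the quoted `"$REF_NAME"` / `"$IMAGE_URL"` closes that. The job output `digest` reads `steps.build-and-push.outputs.digest`, but the only build step in this job has the id `build-and-push-additional`, so the output will be empty and any consumer that pins or verifies by digest gets nothing. The fence shows the changed lines; the remaining case arms take the same substitution.

```yaml
    outputs:
      digest: ${{ steps.build-and-push-additional.outputs.digest }}
    steps:
      # … unchanged: checkout step …
      - name: Create image url
        id: image-url
        shell: bash
        env:
          REF_NAME: ${{ github.ref_name }}
          IMAGE_URL: ${{ inputs.image-url }}
        run: |
          if printf '%s\n' "$REF_NAME" | grep -Eq "alpha|rc"; then
            url="opensight-dev/$(basename "$IMAGE_URL")"
          else
            case "$IMAGE_URL" in
              *"asset-management"*)
                url="opensight-asset/$(basename "$IMAGE_URL")"
                ;;
              # … remaining case arms: same substitution of "$IMAGE_URL" …
            esac
          fi
          # … unchanged: write url to $GITHUB_OUTPUT …
```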