.github/workflows/g-registry-build.yaml

```yaml
# This is a basic workflow to help you get started with Actions
name: Docker Build and Push Release

# Controls when the action will run. Triggers the workflow on push or pull request
# events but only for the main branch
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
    types: [opened, synchronize, reopened]

jobs:
  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: SonarCloud static code Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  app-build:
    name: Tagged Docker release to Google Artifact Registry
    runs-on: ubuntu-latest
    needs: sonarcloud
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - id: checkout
        name: Checkout
        uses: 'actions/checkout@v3'
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Get tag for the image
        id: get-tag
        # "::set-output" is deprecated; write the value to $GITHUB_OUTPUT instead
        run: echo "short_ref=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v1'
        with:
          token_format: access_token
          workload_identity_provider: 'projects/12344123412311/locations/global/workloadIdentityPools/my-pool/providers/provider'
          service_account: 'my-service-account@my-project-name.iam.gserviceaccount.com'
          access_token_lifetime: 300s
      - name: Login to Artifact Registry
        uses: docker/login-action@v1
        with:
          registry: us-west2-docker.pkg.dev  # us-west2-docker.pkg.dev/my-project-name/flask
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
      - id: docker-push-tagged
        name: Tag Docker image and push to Google Artifact Registry
        uses: 'docker/build-push-action@v2'
        with:
          context: .github/workflows/flask-app
          file: .github/workflows/flask-app/Dockerfile
          push: true
          tags: |
            us-west2-docker.pkg.dev/my-project-name/flask-docker/application:${{ steps.get-tag.outputs.short_ref }}
```
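The "Get tag for the image" step feeds `${GITHUB_REF#refs/*/}` straight into the image tag. The script below is an added example, not part of the original workflow: it reproduces that expansion for the refs GitHub sets (`refs/heads/main` on a push to main, `refs/pull/<n>/merge` on a pull_request run, `refs/tags/<tag>` on a tag push, a branch name containing `/`), checks each result against Docker's tag grammar (assumed here to be `[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}`), and adds a `sanitize_tag` helper the step could call instead, so a pull request or a `feature/x` branch yields a tag that build-push-action accepts rather than an invalid reference. The function names and sample refs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original workflow: reproduce the
# "Get tag for the image" step and check its output before it is used
# as a Docker tag. Assumption: Docker's tag grammar is
# [A-Za-z0-9_][A-Za-z0-9_.-]{0,127} (in particular, no "/" is allowed).

# Same expansion as the workflow step: strip the leading "refs/<kind>/".
short_ref() {
  printf '%s\n' "${1#refs/*/}"
}

# Exit 0 when the candidate is a syntactically valid Docker tag, 1 otherwise.
valid_docker_tag() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
}

# Derive a tag Docker accepts from any ref: replace every character outside
# the tag alphabet with "-", drop leading "." or "-", cap the length at 128,
# and fail rather than return an empty tag.
sanitize_tag() {
  t=$(printf '%s' "${1#refs/*/}" \
      | sed 's/[^A-Za-z0-9_.-]/-/g; s/^[.-]*//' \
      | cut -c1-128)
  [ -n "$t" ] || return 1
  printf '%s\n' "$t"
}

# Constructed sample refs: GITHUB_REF on a push to main, on a tag push, on a
# pull_request run, and on a push of a branch whose name contains "/".
for ref in refs/heads/main refs/tags/v1.2.3 refs/pull/42/merge refs/heads/feature/x.y; do
  raw=$(short_ref "$ref")
  if valid_docker_tag "$raw"; then status=ok; else status=INVALID; fi
  printf '%-26s short_ref=%-12s %-8s sanitized=%s\n' \
    "$ref" "$raw" "$status" "$(sanitize_tag "$ref")"
done
```

As configured, the workflow's `push` trigger only fires for `main`, so the raw expansion yields `main` there; the `pull_request` trigger, however, runs with `refs/pull/<n>/merge`, which the raw expansion turns into `<n>/merge`. Writing `sanitize_tag`'s result to `$GITHUB_OUTPUT` in place of the raw expansion keeps the tag valid on every trigger.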
To set up the SonarCloud code scanner, put the sonar-project.properties file in the root of the repo:
image-builder/sonar-project.properties

```properties
sonar.projectKey=organization-name_image-builder
sonar.organization=organization-name

# This is the name and version displayed in the SonarCloud UI.
#sonar.projectName=image-builder
#sonar.projectVersion=1.0

# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
#sonar.sources=.

# Encoding of the source code. Default is the default system encoding
#sonar.sourceEncoding=UTF-8
```
## GCP Artifact Registry Setup

Pre-setup: this can be done from the GCP console (embedded shell CLI).
## Configuring gcloud in GitHub Actions

This GitHub Action configures authentication for the gcloud CLI tool.
Warning! Workload Identity Federation requires Cloud SDK (gcloud) version 363.0.0 or later.
If you want to admit all repos of an owner (user or organization), map on `attribute.repository_owner`:

```
--member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository_owner/${OWNER}"
```

For this to work, you need to make sure that `attribute.repository_owner` is mapped in your attribute mapping (see previous step).
## Authenticating to Container Registry and Artifact Registry

This example demonstrates authenticating to Google Container Registry (GCR) or Google Artifact Registry (GAR). The most common way to authenticate to these services is via a gcloud docker proxy. However, you can authenticate to these registries directly using the auth action:
You must set token_format: access_token in your Action YAML. Here are a few examples:
```yaml
jobs:
  job_id:
    steps:
      - uses: 'actions/checkout@v3'

      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v1'
        with:
          token_format: 'access_token'
          # Either use Workload Identity Federation or Service Account Keys. See
          # above for more examples

      # This example uses the docker login action
      - uses: 'docker/login-action@v1'
        with:
          registry: 'gcr.io'  # or REGION-docker.pkg.dev
          username: 'oauth2accesstoken'
          password: '${{ steps.auth.outputs.access_token }}'

      # This example runs "docker login" directly to Artifact Registry.
      - run: |-
          echo '${{ steps.auth.outputs.access_token }}' | docker login -u oauth2accesstoken --password-stdin https://REGION-docker.pkg.dev

      # This example runs "docker login" directly to Container Registry.
      - run: |-
          echo '${{ steps.auth.outputs.access_token }}' | docker login -u oauth2accesstoken --password-stdin https://gcr.io
```
flask-app/Dockerfile

```dockerfile
FROM python:3.8
COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt
# Command to run on container start (Dockerfile comments must be on their own
# line; a trailing "#" after CMD would become part of the command)
CMD [ "python", "app.py" ]
```