.github/workflows/g-registry-build.yaml
```yaml
# This is a basic workflow to help you get started with Actions
name: Docker Build and Push Release
# Controls when the action will run. Triggers the workflow on push or pull request
# events but only for the main branch
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
    types: [opened, synchronize, reopened]
jobs:
  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: SonarCloud static code Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  app-build:
    name: Tagged Docker release to Google Artifact Registry
    runs-on: ubuntu-latest
    needs: sonarcloud
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - id: checkout
        name: Checkout
        uses: 'actions/checkout@v3'
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Get tag for the image
        id: get-tag
        # On push this strips refs/heads/ or refs/tags/ and leaves the branch or tag name;
        # on pull_request GITHUB_REF is refs/pull/<n>/merge, so the result is not a valid image tag.
        run: echo "short_ref=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v1'
        with:
          token_format: access_token
          workload_identity_provider: 'projects/12344123412311/locations/global/workloadIdentityPools/my-pool/providers/provider'
          service_account: 'my-service-account@my-project-name.iam.gserviceaccount.com'
          access_token_lifetime: 300s
      - name: Login to Artifact Registry
        uses: docker/login-action@v1
        with:
          registry: us-west2-docker.pkg.dev # us-west2-docker.pkg.dev/my-project-name/flask
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
      - id: docker-push-tagged
        name: Tag Docker image and push to Google Artifact Registry
        uses: 'docker/build-push-action@v2'
        with:
          context: .github/workflows/flask-app
          file: .github/workflows/flask-app/Dockerfile
          push: true
          tags: |
            us-west2-docker.pkg.dev/my-project-name/flask-docker/application:${{ steps.get-tag.outputs.short_ref }}
```
To set up the SonarCloud code scanner, put a sonar-project.properties file in the root of the repo:
image-builder/sonar-project.properties
```properties
sonar.projectKey=organization-name_image-builder
sonar.organization=organization-name
# This is the name and version displayed in the SonarCloud UI.
#sonar.projectName=image-builder
#sonar.projectVersion=1.0
# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
#sonar.sources=.
# Encoding of the source code. Default is the default system encoding.
#sonar.sourceEncoding=UTF-8
```
# GCP Artifact Registry Setup
Pre-setup: this can be done from the GCP console (embedded Cloud Shell CLI).
# Configuring gcloud in GitHub Actions
This GitHub Action configures authentication for the gcloud CLI tool.
Warning! Workload Identity Federation requires Cloud SDK (gcloud) version 363.0.0 or later.
If you want to admit all repos of an owner (user or organization), map on attribute.repository_owner in the --member flag when binding the service account with gcloud iam service-accounts add-iam-policy-binding:
```shell
--member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository_owner/${OWNER}"
```
For this to work, you need to make sure that attribute.repository_owner is mapped in your attribute mapping (see previous step).
OUTPUT (here the bindings use attribute.repository, so each admits a single repository rather than every repository of the owner):
```text
Updated IAM policy for serviceAccount [my-serviceaccount-name@my-project-name.iam.gserviceaccount.com].
bindings:
- members:
  - principalSet://iam.googleapis.com/projects/12341234134134/locations/global/workloadIdentityPools/my-pool-iam/attribute.repository/repo-owner/organization/image-builder
  - principalSet://iam.googleapis.com/projects/12341234134134/locations/global/workloadIdentityPools/my-pool-iam/attribute.repository/repo-owner/image-builder
  role: roles/iam.workloadIdentityUser
etag: BwYCmO5NM20=
version: 1
```
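As an added check, not from this page or from the auth action: the code below audits the members of a policy like the one above, flagging attribute.repository_owner bindings (every repository of that owner can then impersonate the service account) and members from a pool other than the one the workflow's provider belongs to. The sample policy text, the pool name my-pool-iam and the repository allow list are constructed for the example.

```python
import re

# Shape of a WIF principalSet member, as in the gcloud output above.
PRINCIPAL_SET_RE = re.compile(
    r"^principalSet://iam\.googleapis\.com/projects/(?P<project>\d+)"
    r"/locations/global/workloadIdentityPools/(?P<pool>[^/]+)"
    r"/attribute\.(?P<attribute>\w+)/(?P<value>.+)$"
)

def policy_members(policy_text):
    """Collect '- principalSet://...' members from gcloud's output by line scan (no YAML lib)."""
    members = []
    for line in policy_text.splitlines():
        line = line.strip()
        if line.startswith("- principalSet://") or line.startswith("- principal://"):
            members.append(line[2:])
    return members

def audit_members(members, expected_pool, allowed_repos):
    """Return (member, verdict) pairs. 'ok' only for a binding from the expected
    pool pinned via attribute.repository to an allow-listed repo; an
    attribute.repository_owner binding admits every repo of that owner."""
    verdicts = []
    for member in members:
        m = PRINCIPAL_SET_RE.match(member)
        if m is None:
            verdicts.append((member, "unrecognised member; review manually"))
        elif m["pool"] != expected_pool:
            verdicts.append((member, f"wrong pool {m['pool']!r}"))
        elif m["attribute"] == "repository_owner":
            verdicts.append((member, f"owner-wide binding for {m['value']!r}"))
        elif m["attribute"] == "repository" and m["value"] in allowed_repos:
            verdicts.append((member, "ok"))
        else:
            verdicts.append((member, f"{m['attribute']}={m['value']!r} not on allow list"))
    return verdicts

# Constructed sample modelled on the page's gcloud output; the repository_owner
# and other-pool members are added so every branch of the audit is exercised.
SAMPLE_POLICY = """\
bindings:
- members:
  - principalSet://iam.googleapis.com/projects/12341234134134/locations/global/workloadIdentityPools/my-pool-iam/attribute.repository/repo-owner/image-builder
  - principalSet://iam.googleapis.com/projects/12341234134134/locations/global/workloadIdentityPools/my-pool-iam/attribute.repository_owner/repo-owner
  - principalSet://iam.googleapis.com/projects/12341234134134/locations/global/workloadIdentityPools/other-pool/attribute.repository/repo-owner/image-builder
  role: roles/iam.workloadIdentityUser
etag: BwYCmO5NM20=
version: 1
"""
```

Run it against the saved output of gcloud iam service-accounts get-iam-policy for the build service account, passing the pool name from the workflow's workload_identity_provider and the repositories that are allowed to push.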
# Authenticating to Container Registry and Artifact Registry
This example demonstrates authenticating to Google Container Registry (GCR) or Google Artifact Registry (GAR). The most common way to authenticate to these services is via a gcloud docker proxy. However, you can authenticate to these registries directly using the auth action: