name: Container
on:
  workflow_call:
    inputs:
      is_latest_tag:
        required: true
        type: string
      is_version_tag:
        required: true
        type: string
    secrets:
      dockerhub_user:
        required: true
      dockerhub_token:
        required: true
      cosign_key_opensight:
        required: true
      cosign_password_opensight:
        required: true
      greenbone_bot_token:
        required: true
      greenbone_registry:
        required: true
      greenbone_registry_user:
        required: true
      greenbone_registry_token:
        required: true
      greenbone_registry_read_user:
        required: true
      greenbone_registry_read_token:
        required: true
      greenbone_registry_replication_user:
        required: false
      greenbone_registry_replication_token:
        required: false
      mattermost_webhook_url:
        required: true
# Grants rights to push to the GitHub container registry.
permissions:
  contents: read
  packages: write
  id-token: write
  pull-requests: write
jobs:
  debian_stable_arm64:
    name: ghcr:debian:stable:arm64
    runs-on: self-hosted-generic-arm64
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - uses: ./.github/actions/copy-docker-binaries
        with:
          arch: arm64
      - name: Container build and push 3rd gen
        id: build-and-push
        uses: greenbone/actions/container-build-push-generic@v3
        with:
          image-platforms: linux/arm64
          build-docker-file: .docker/prod.Dockerfile
          build-args: |
            REPOSITORY=${{ github.repository }}
          cosign-key: ${{ secrets.cosign_key_opensight }}
          cosign-key-password: ${{ secrets.cosign_password_opensight }}
          # The tlog function does not currently support an ed25519 key.
          cosign-tlog-upload: "false"
          image-labels: |
            org.opencontainers.image.vendor=Greenbone
            org.opencontainers.image.base.name=greenbone/gvm-libs
          image-tags: |
            # when is_latest_tag is "true", create the latest and stable tags
            type=raw,value=latest,enable=${{ inputs.is_latest_tag }}
            type=raw,value=stable,enable=${{ inputs.is_latest_tag }}
            # when is_version_tag is "true", create the semver version tags
            type=semver,pattern={{version}},enable=${{ inputs.is_version_tag }}
            type=semver,pattern={{major}}.{{minor}},enable=${{ inputs.is_version_tag }}
            type=semver,pattern={{major}},enable=${{ inputs.is_version_tag }}
            # edge on main, branch-sha on any other pushed branch (TODO: calculate upfront)
            type=raw,value=edge,enable=${{ github.ref_name == 'main' }}
            type=raw,value={{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }}
            # use pr-$PR_ID for pull requests (will not be uploaded)
            type=ref,event=pr
          registry: ${{ vars.IMAGE_REGISTRY }}
          registry-username: ${{ github.actor }}
          registry-password: ${{ secrets.GITHUB_TOKEN }}
  debian_stable:
    name: ghcr:debian:stable
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - uses: ./.github/actions/copy-docker-binaries
        with:
          arch: amd64
      - name: Container build and push 3rd gen
        id: build-and-push
        uses: greenbone/actions/container-build-push-generic@v3
        with:
          build-docker-file: .docker/prod.Dockerfile
          build-args: |
            REPOSITORY=${{ github.repository }}
          cosign-key: ${{ secrets.cosign_key_opensight }}
          cosign-key-password: ${{ secrets.cosign_password_opensight }}
          # The tlog function does not currently support an ed25519 key.
          cosign-tlog-upload: "false"
          image-labels: |
            org.opencontainers.image.vendor=Greenbone
            org.opencontainers.image.base.name=greenbone/gvm-libs
          image-tags: |
            # when is_latest_tag is "true", create the latest and stable tags
            type=raw,value=latest,enable=${{ inputs.is_latest_tag }}
            type=raw,value=stable,enable=${{ inputs.is_latest_tag }}
            # when is_version_tag is "true", create the semver version tags
            type=semver,pattern={{version}},enable=${{ inputs.is_version_tag }}
            type=semver,pattern={{major}}.{{minor}},enable=${{ inputs.is_version_tag }}
            type=semver,pattern={{major}},enable=${{ inputs.is_version_tag }}
            # edge on main, branch-sha on any other pushed branch (TODO: calculate upfront)
            type=raw,value=edge,enable=${{ github.ref_name == 'main' }}
            type=raw,value={{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }}
            # use pr-$PR_ID for pull requests (will not be uploaded)
            type=ref,event=pr
          registry: ${{ vars.IMAGE_REGISTRY }}
          registry-username: ${{ github.actor }}
          registry-password: ${{ secrets.GITHUB_TOKEN }}
          scout-user: ${{ secrets.dockerhub_user }}
          scout-password: ${{ secrets.dockerhub_token }}
  # not able to speed that up via prebuilt binaries
  greenbone_reg_debian_stable:
    name: greenbone-reg:debian:stable
    uses: greenbone/workflows/.github/workflows/container-build-push-2nd-gen.yml@main
    with:
      image-url: community/openvas-scanner
      image-labels: |
        org.opencontainers.image.vendor=Greenbone
        org.opencontainers.image.base.name=greenbone/gvm-libs
      service: openvas-scanner
    secrets:
      COSIGN_KEY_OPENSIGHT: ${{ secrets.cosign_key_opensight }}
      COSIGN_KEY_PASSWORD_OPENSIGHT: ${{ secrets.cosign_password_opensight }}
      DOCKERHUB_USERNAME: ${{ secrets.dockerhub_user }}
      DOCKERHUB_TOKEN: ${{ secrets.dockerhub_token }}
      GREENBONE_BOT_TOKEN: ${{ secrets.greenbone_bot_token }}
      GREENBONE_REGISTRY: ${{ secrets.greenbone_registry }}
      GREENBONE_REGISTRY_USER: ${{ secrets.greenbone_registry_user }}
      GREENBONE_REGISTRY_TOKEN: ${{ secrets.greenbone_registry_token }}
      GREENBONE_REGISTRY_READ_USER: ${{ secrets.greenbone_registry_read_user }}
      GREENBONE_REGISTRY_READ_TOKEN: ${{ secrets.greenbone_registry_read_token }}
      GREENBONE_REGISTRY_REPLICATION_USER: ${{ secrets.greenbone_registry_replication_user }}
      GREENBONE_REGISTRY_REPLICATION_TOKEN: ${{ secrets.greenbone_registry_replication_token }}
      MATTERMOST_WEBHOOK_URL: ${{ secrets.mattermost_webhook_url }}
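The `image-tags` block in the two ghcr jobs uses docker/metadata-action tag syntax (`type=raw`, `type=semver`, `type=ref`) with `enable=` conditions driven by the string inputs `is_latest_tag` and `is_version_tag` and by the `github.*` context. The following is an added example, not code from this workflow or from greenbone/actions: it models those conditions so you can work out which tags a given push, tag or pull request would produce before the workflow runs (the "calculate upfront" TODO above). `BuildContext`, the semver regex and the `docker_safe` sanitiser are assumptions of this example, and the pre-release handling (only the full `{{version}}` tag for e.g. `v23.2.0-rc1`) follows the metadata-action behaviour as I understand it.

```python
import re
from dataclasses import dataclass
from typing import Optional


# Constructed context mirroring the github.* and inputs.* fields the workflow reads.
@dataclass
class BuildContext:
    ref_type: str          # github.ref_type: "branch" or "tag"
    ref_name: str          # github.ref_name: "main", "feature/x", "v23.1.0", "42/merge"
    event_name: str        # github.event_name: "push", "pull_request", ...
    sha: str               # github.sha: full commit hash
    is_latest_tag: str     # workflow input, typed string, not boolean
    is_version_tag: str    # workflow input, typed string, not boolean
    pr_number: Optional[int] = None  # only set for pull_request events


# Assumed tag format: optional leading "v", MAJOR.MINOR.PATCH, optional -prerelease.
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def enabled(flag: str) -> bool:
    """The inputs are declared `type: string`, so "false" is a non-empty, truthy
    str; compare the text instead of relying on truthiness."""
    return flag.strip().lower() == "true"


def docker_safe(name: str) -> str:
    """Assumed sanitisation for {{branch}}: OCI tags allow only [A-Za-z0-9_.-],
    so replace anything else (e.g. the '/' in feature/x) with '-'."""
    return re.sub(r"[^A-Za-z0-9_.-]", "-", name)


def resolve_tags(ctx: BuildContext) -> list[str]:
    """Return the tag list the workflow's image-tags block would emit for ctx."""
    tags: list[str] = []

    # type=raw,value=latest|stable,enable=${{ inputs.is_latest_tag }}
    if enabled(ctx.is_latest_tag):
        tags += ["latest", "stable"]

    # type=semver,...,enable=${{ inputs.is_version_tag }}
    # semver entries only yield tags when the ref itself is a semver tag.
    if enabled(ctx.is_version_tag) and ctx.ref_type == "tag":
        m = SEMVER_RE.match(ctx.ref_name)
        if m:
            major, minor, patch, pre = m.groups()
            if pre:
                # pre-releases get the {{version}} tag only, never a moving major/minor tag
                tags.append(f"{major}.{minor}.{patch}-{pre}")
            else:
                tags += [f"{major}.{minor}.{patch}", f"{major}.{minor}", major]

    # type=raw,value=edge,enable=${{ github.ref_name == 'main' }}
    if ctx.ref_name == "main":
        tags.append("edge")

    # type=raw,value={{branch}}-{{sha}},enable=${{ ref_type == 'branch' && event_name == 'push' && ref_name != 'main' }}
    # {{sha}} is the short (7 character) commit hash.
    if ctx.ref_type == "branch" and ctx.event_name == "push" and ctx.ref_name != "main":
        tags.append(f"{docker_safe(ctx.ref_name)}-{ctx.sha[:7]}")

    # type=ref,event=pr -> pr-<number>; the workflow comment notes these are not uploaded.
    if ctx.event_name == "pull_request" and ctx.pr_number is not None:
        tags.append(f"pr-{ctx.pr_number}")

    return tags


if __name__ == "__main__":
    # Constructed sample contexts: a release tag, a main push, a feature push, a PR.
    samples = [
        BuildContext("tag", "v23.1.0", "push", "a1b2c3d4e5f6", "true", "true"),
        BuildContext("branch", "main", "push", "a1b2c3d4e5f6", "false", "false"),
        BuildContext("branch", "feature/scan-fix", "push", "0123456789ab", "false", "false"),
        BuildContext("branch", "42/merge", "pull_request", "0123456789ab", "false", "false", pr_number=42),
        BuildContext("tag", "v23.2.0-rc1", "push", "deadbeefcafe", "false", "true"),
    ]
    for s in samples:
        print(f"{s.event_name:13} {s.ref_type:6} {s.ref_name:18} -> {resolve_tags(s)}")
```

Two things the model makes visible. First, nothing in the workflow itself ties `is_latest_tag` to a tag ref: a caller that passes `"true"` on a feature-branch push would move `latest` and `stable` to that branch build, so the caller should derive both inputs from `github.ref_type == 'tag'` and never from untrusted PR data. Second, because `cosign-tlog-upload` is `"false"`, no Rekor entry exists for these signatures; with cosign v2, `cosign verify --key <pubkey>` will fail on the missing transparency-log entry unless the consumer passes `--insecure-ignore-tlog`, so document that for anyone verifying the images.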