Fully Templated Docker cached build job

Fully Templated Docker cached build job - most parameters are defaulted based on git variables - all of defaulted parameters can be overwritten using inputs - fixes to existing workflows due to naming convention miss-match between action pull_request and push Signed-off-by: Milosz Linkiewicz <[email protected]>
OpenVisualCloud · Nov 27, 2024 · d80ca98 · d80ca98
1 parent 4d08092
commit d80ca98
Show file tree

Hide file tree

Showing 13 changed files with 199 additions and 355 deletions.
diff --git a/.github/configs/super-linter/.golangci.yml b/.github/configs/super-linter/.golangci.yml
@@ -31,12 +31,7 @@ linters-settings:
     check-blank: true
   govet:
     enable:
-      # report about shadowed variables
-      - shadowing
+      - shadow
   gocyclo:
     # minimal code complexity to report, 30 by default
     min-complexity: 15
-  maligned:
-    # print struct with more effective memory layout or not, false by default
-    suggest-new: true
-
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -20,7 +20,7 @@ permissions:
   contents: read
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number ||  github.sha }}
   cancel-in-progress: true
 
 jobs:

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -21,7 +21,7 @@ permissions:
   contents: read
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
 jobs:

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -9,7 +9,7 @@ env:
   LINTER_RULES_PATH: .github/configs/super-linter
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
 jobs:
@@ -46,7 +46,7 @@ jobs:
         fetch-depth: 0
         ref: ${{ inputs.branch }}
 
-    - name: 'super-linter: perform supe-linter scan workflow.'
+    - name: 'super-linter: perform super-linter scan workflow.'
       uses: super-linter/[email protected] # x-release-please-version
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/docker-cached-build.yml b/.github/workflows/docker-cached-build.yml
diff --git a/.github/workflows/github_pages_update.yml b/.github/workflows/github_pages_update.yml
@@ -12,7 +12,7 @@ permissions:
   contents: read
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
 jobs:

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -15,7 +15,7 @@ permissions:
   contents: read
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
 jobs:
@@ -42,7 +42,7 @@ jobs:
       - name: "scorecard: Run analysis"
         uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
         with:
-          results_file: "scorecard-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.sarif"
+          results_file: "scorecard-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif"
           results_format: sarif
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           publish_results: true
@@ -51,11 +51,11 @@ jobs:
       - name: "scorecard: Upload results artifact"
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
-          name: "scorecard-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}"
-          path: "scorecard-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.sarif"
+          name: "scorecard-scan-results-${{ github.event.pull_request.number || github.sha }}"
+          path: "scorecard-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif"
           retention-days: 5
 
       - name: "scorecard: Upload results to code-scanning"
         uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
         with:
-          sarif_file: "scorecard-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.sarif"
+          sarif_file: "scorecard-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif"
diff --git a/.github/workflows/template-docker-cached-build.yml b/.github/workflows/template-docker-cached-build.yml
@@ -0,0 +1,142 @@
+name: template-docker-cached-build
+
+on:
+  workflow_call:
+    inputs:
+      build_type:
+        required: false
+        type: string
+        default: 'Release'
+      docker_registry:
+        required: false
+        type: string
+        default: 'ghcr.io'
+      docker_registry_prefix:
+        required: false
+        type: string
+        default: 'openvisualcloud/media-communications-mesh'
+      docker_registry_login:
+        required: false
+        type: boolean
+        default: false
+      docker_registry_push:
+        required: false
+        type: boolean
+        default: false
+      docker_build_args:
+        required: false
+        type: string
+        default: ''
+      docker_build_platforms:
+        required: false
+        type: string
+        default: 'linux/amd64'
+      docker_image_tag:
+        required: false
+        type: string
+      docker_image_name:
+        required: true
+        type: string
+      docker_file_path:
+        required: false
+        type: string
+        default: './Dockerfile'
+    secrets:
+      docker_registry_login:
+        required: false
+      docker_registry_passkey:
+        required: false
+
+permissions:
+  contents: read
+
+jobs:
+  scan-and-build-docker-image:
+    name: "${{ inputs.docker_image_name }}: Performing scan and build of Dockerfile."
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 60
+    env:
+      BUILD_TYPE: "${{ inputs.build_type }}"
+      CONCURRENCY_GROUP: "${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}"
+      DOCKER_REGISTRY: "${{ inputs.docker_registry }}"
+      DOCKER_REGISTRY_LOGIN: "${{ github.repository == 'openvisualcloud/media-communications-mesh' && inputs.docker_registry_login }}"
+      DOCKER_BUILD_ARGS: "${{ inputs.docker_build_args }}"
+      DOCKER_PLATFORMS: "${{ inputs.docker_build_platforms }}"
+      DOCKER_IMAGE_PUSH: "${{ github.repository == 'openvisualcloud/media-communications-mesh' && inputs.docker_registry_push }}"
+      DOCKER_IMAGE_BASE: "${{ inputs.docker_registry }}/${{ inputs.docker_registry_prefix }}"
+      DOCKER_IMAGE_TAG: "${{ inputs.docker_image_tag || github.sha }}"
+      DOCKER_IMAGE_NAME: "${{ inputs.docker_image_name }}"
+      DOCKER_FILE_PATH: "${{ inputs.docker_file_path }}"
+    steps:
+      - name: "${{ inputs.docker_image_name }}: Harden Runner"
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
+      - name: "${{ inputs.docker_image_name }}: Set up Docker Buildx"
+        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        with:
+          buildkitd-flags: --debug
+
+      - name: "${{ inputs.docker_image_name }}: Checkout repository"
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: "${{ inputs.docker_image_name }}: Scanner Hadolint Dockerfile scan sarif format"
+        uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
+        with:
+          dockerfile: "${{ env.DOCKER_FILE_PATH }}"
+          config: .github/configs/hadolint.yaml
+          format: sarif
+          output-file:  "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif"
+          no-fail: true
+          failure-threshold: info
+
+      - name: "${{ inputs.docker_image_name }}: Scanner Hadolint upload results to Security tab"
+        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
+        with:
+          sarif_file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif"
+
+      - name: "${{ inputs.docker_image_name }}: Login to Docker Container Registry"
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        if: ${{ env.DOCKER_REGISTRY_LOGIN == 'true' }}
+        with:
+          registry: "${{ env.DOCKER_REGISTRY }}"
+          username: "${{ secrets.docker_registry_login   || env.GITHUB_ACTOR }}"
+          password: "${{ secrets.docker_registry_passkey || secrets.GITHUB_TOKEN }}"
+
+      - name: "${{ inputs.docker_image_name }}: Build and push image"
+        uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
+        with:
+          load: true
+          push: "${{ env.DOCKER_IMAGE_PUSH }}"
+          outputs: type=docker
+          platforms: "${{ env.DOCKER_PLATFORMS }}"
+          file: "${{ env.DOCKER_FILE_PATH }}"
+          tags: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}"
+          cache-from: type=gha,scope=${{ env.DOCKER_IMAGE_NAME }}
+          cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE_NAME }}
+          build-args: "${{ env.DOCKER_BUILD_ARGS }}"
+
+      - name: "${{ inputs.docker_image_name }}: Scanner Trivy run vulnerability scanner on image"
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        with:
+          image-ref: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}"
+          format: "sarif"
+          output: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif"
+
+      - name: "${{ inputs.docker_image_name }}: Scanner Trivy upload results to Security tab"
+        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
+        with:
+          sarif_file: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif"
+
+      - name: "${{ inputs.docker_image_name }}: Scanner Hadolint Dockerfile scan tty output"
+        if: always()
+        uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
+        with:
+          dockerfile: "${{ env.DOCKER_FILE_PATH }}"
+          config: .github/configs/hadolint.yaml
+          format: tty
+          failure-threshold: warning
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -15,7 +15,7 @@ permissions:
   contents: read
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
 jobs:
@@ -42,7 +42,7 @@ jobs:
           skip-dirs: deployment #helm charts not supported
           exit-code: '0'
           format: 'sarif'
-          output: "trivy-config-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.sarif"
+          output: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif"
 
       - name: "Trivy: Run vulnerability scanner for type=config (out=table)"
         if: always()
@@ -52,26 +52,26 @@ jobs:
           skip-dirs: deployment #helm charts not supported
           exit-code: '0'
           format: 'table'
-          output: "trivy-config-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.txt"
+          output: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.txt"
 
       - name: "Trivy: Upload scan results to GitHub Security tab"
         if: always()
         uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
         with:
-          sarif_file: "trivy-config-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.sarif"
+          sarif_file: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif"
 
       - name: "Trivy: Upload scan results as artifacts (out=sarif)"
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # V4.4.3
         if: always()
         with:
-          name: "trivy-config-scan-results-sarif-${{ github.event.pull_request.number || env.GITHUB_SHA }}"
-          path: "trivy-config-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.sarif"
+          name: "trivy-config-scan-results-sarif-${{ github.event.pull_request.number || github.sha }}"
+          path: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif"
           retention-days: 5
 
       - name: "Trivy: Upload scan results as artifacts (out=table)"
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # V4.4.3
         if: always()
         with:
-          name: "trivy-config-scan-results-table-${{ github.event.pull_request.number || env.GITHUB_SHA }}"
-          path: "trivy-config-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.txt"
+          name: "trivy-config-scan-results-table-${{ github.event.pull_request.number || github.sha }}"
+          path: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.txt"
           retention-days: 5
diff --git a/.github/workflows/ubuntu-build.yml b/.github/workflows/ubuntu-build.yml
@@ -21,7 +21,7 @@ permissions:
   contents: read
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
 jobs:
@@ -91,7 +91,7 @@ jobs:
         ./configure-ffmpeg.sh && \
         ./build-ffmpeg.sh
 
-    - name: 'Scaner: Send to VirusTotal for analysis'
+    - name: 'Scanner: Send to VirusTotal for analysis'
       id: vt
       uses: cssnr/virustotal-action@331c320c79202fdaa7a30f16163390f8d09c3f45 # v1.2.0
       with:
@@ -107,5 +107,5 @@ jobs:
             _install/usr/local/lib/bpf/*
             _install/usr/local/sbin/*
 
-    - name: 'Scaner: Print scan results'
+    - name: 'Scanner: Print scan results'
       run: echo ${{ steps.vt.outputs.results }}
diff --git a/build.sh b/build.sh
@@ -24,12 +24,12 @@ cmake -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" \
     -DBUILD_UNIT_TESTS="${BUILD_UNIT_TESTS}" \
     -B "${MCM_BUILD_DIR}" -S "${SCRIPT_DIR}"
 cmake --build "${MCM_BUILD_DIR}" -j
-
-as_root make -C "${MCM_BUILD_DIR}" install
+make -j "${NPROC}" -C "${MCM_BUILD_DIR}"
 
 if [[ $# -ne 0 ]]; then
     DESTDIR="${1:-$DESTDIR}" make -C "${MCM_BUILD_DIR}" install
 fi
+as_root make -C "${MCM_BUILD_DIR}" install
 
 as_root ln -s /usr/lib64/libbpf.so.1 /usr/lib/x86_64-linux-gnu/libbpf.so.1 2>/dev/null || true
 as_root ldconfig

diff --git a/media-proxy/build.sh b/media-proxy/build.sh
@@ -19,10 +19,11 @@ BUILD_TYPE="${BUILD_TYPE:-Release}"
 INSTALL_PREFIX="${INSTALL_PREFIX:-/usr/local}"
 
 cmake -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" -B "${MCM_MEDIA_PROXY_DIR}" -S "${SCRIPT_DIR}"
-
-as_root make -C "${MCM_MEDIA_PROXY_DIR}" install
+make -j "${NPROC}" -C "${MCM_MEDIA_PROXY_DIR}"
 
 if [[ $# -ne 0 ]]; then
     DESTDIR="${1:-$DESTDIR}" make -C "${MCM_MEDIA_PROXY_DIR}" install
 fi
+as_root make -C "${MCM_MEDIA_PROXY_DIR}" install
+
 ln -s "${MCM_MEDIA_PROXY_DIR}" "${SCRIPT_DIR}/build"
diff --git a/sdk/build.sh b/sdk/build.sh
@@ -20,10 +20,11 @@ BUILD_TYPE="${BUILD_TYPE:-Release}"
 INSTALL_PREFIX="${INSTALL_PREFIX:-/usr/local}"
 
 cmake -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" -B "${MCM_SDK_DIR}" -S "${SCRIPT_DIR}"
-
-as_root make -C "${MCM_SDK_DIR}" install
+make -j "${NPROC}" -C "${MCM_SDK_DIR}"
 
 if [[ $# -ne 0 ]]; then
     DESTDIR="${1:-$DESTDIR}" make -C "${MCM_SDK_DIR}" install
 fi
+as_root make -C "${MCM_SDK_DIR}" install
+
 ln -s "${MCM_SDK_DIR}" "${SCRIPT_DIR}/build"