From e5ea3cae8b19a8129c40d773574280fd55dea9e1 Mon Sep 17 00:00:00 2001
From: Yaroslav Bondarenko
Date: Tue, 11 Feb 2025 16:17:00 +0300
Subject: [PATCH] [DO-1569] change-docker-repo-template (!3)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Добавлена возможность использовать секреты HVault
- Actions берутся из локального зеркала
- доп. правки
Co-authored-by: Yaroslav Bondarenko
Reviewed-on: https://git.avroid.tech/Templates/template-docker-repository/pulls/3
Reviewed-by: Vasiliy Chipizhin
Reviewed-by: Aleksandr Vodyanov
---
 .gitea/workflows/build-and-push-image.yaml | 30 +++++++++++++++++-----
 Makefile | 8 ++++--
 2 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/.gitea/workflows/build-and-push-image.yaml b/.gitea/workflows/build-and-push-image.yaml
index 1017f63..70668eb 100644
--- a/.gitea/workflows/build-and-push-image.yaml
+++ b/.gitea/workflows/build-and-push-image.yaml
@@ -5,27 +5,43 @@ on: [push]
 env:
 CI: ON
-# Allow workflow to be manually run from the Gitea UI
+ # Allow workflow to be manually run from the Gitea UI
 workflow_dispatch:
 jobs:
 build_and_push:
- runs-on: docker
+ runs-on: act-runner-label
 name: Builds the image and publishes to docker hub
 container:
 image: harbor.avroid.tech/docker-hub-proxy/catthehacker/ubuntu:act-latest
 steps:
 - run: printenv
+ - name: Retrieve secrets from Hashicorp Vault
+ id: retrieve-secrets
+ uses: https://git-mirrors.avroid.tech/Mirrors-actions/vault-action.git@v3
+ with:
+ url: https://vault.avroid.tech
+ method: approle
+ roleId: ${{ secrets.HVAULT_GITEA_ACTIONS_ROLE_ID }}
+ secretId: ${{ secrets.HVAULT_GITEA_ACTIONS_SECRET_ID }}
+ # Ниже указываем {путь к секрету в HVault} {имя ключа секрета} | {имя переменной окружения куда засетим значение секрета}
+ # Доступ к секретам осуществляется через заранее созданный AppRole "gitea-actions-role" в HVault и подключенную
+ # к ней политику "gitea-actions". В политике описывается доступ к необходимым секретам. Политику можно посмотреть
+ # через UI Hashicorp Vault.
+ secrets: |
+ team-devops/data/services/registry/Harbor/harbor.avroid.tech 'service.user.ci.login' | HARBOR_LOGIN ;
+ team-devops/data/services/registry/Harbor/harbor.avroid.tech 'service.user.ci.token' | HARBOR_TOKEN ;
+
 - name: Login to Harbor Docker Registry
- uses: docker/login-action@v3
+ uses: https://git-mirrors.avroid.tech/Mirrors-actions/login-action@v3
 with:
 registry: https://harbor.avroid.tech
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_TOKEN }}
+ username: ${{ env.HARBOR_LOGIN }}
+ password: ${{ env.HARBOR_TOKEN }}
 - name: Check out repository code
- uses: actions/checkout@v3
+ uses: https://git-mirrors.avroid.tech/Mirrors-actions/checkout@v4
 - name: "Build image"
 run: |
@@ -36,7 +52,7 @@ jobs:
 make push
 if: ${{ gitea.ref == 'refs/heads/master' }}
- - name: "Clear image"
+ - name: "Clear image"
 run: |
 make clean
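Review bot: The credentials fetched by the new `Retrieve secrets from Hashicorp Vault` step land in the job environment (vault-action's `exportEnv` input defaults to true), so `HARBOR_LOGIN`/`HARBOR_TOKEN` are readable by every later step's shell, including the `make` recipes and any diagnostic step such as the existing `- run: printenv` should it ever be moved below this step. Since the step already carries `id: retrieve-secrets`, consider `exportEnv: false` under `with:` and feeding the login step from `${{ steps.retrieve-secrets.outputs.HARBOR_LOGIN }}` / `${{ steps.retrieve-secrets.outputs.HARBOR_TOKEN }}` so the registry token never sits in the process environment. The three `uses:` references (`vault-action.git@v3`, `login-action@v3`, `checkout@v4`) pin mutable tags on the mirror; pinning the mirrored commit SHA with the tag in a trailing comment makes the build reproducible and makes an unexpected change to an action visible in review rather than silently picked up. Also, the moved comment now sits at the indentation of `workflow_dispatch:`, which appears to be nested under `env:` rather than `on:`; if so it defines an empty environment variable and does not enable manual runs — confirm against the full file, which continues outside the hunk.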
diff --git a/Makefile b/Makefile
index 1feeb2f..a67a050 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ DOCKER_REGISTRY = harbor.avroid.tech
 CI_FLAGS =
-ifeq ($(CI), false)
+ifeq ($(CI), true)
 CI_FLAGS = --no-cache
 endif
@@ -23,9 +23,13 @@ build:
 DOCKER_BUILDKIT=1 docker build $(CI_FLAGS) \
 -f Dockerfile \
 --platform linux/amd64 \
- -t $(DOCKER_REGISTRY)/$(IMAGE_GROUP)/$(IMAGE_NAME):$(IMAGE_TAG)$(REVISION) src/
+ --build-arg IMAGE_TAG=$(IMAGE_TAG) \
+ -t $(DOCKER_REGISTRY)/$(IMAGE_GROUP)/$(IMAGE_NAME):$(IMAGE_TAG)$(REVISION) .
 push:
+ifeq ($(CI), false)
+ docker login https://$(DOCKER_REGISTRY)
+endif
 docker push $(DOCKER_REGISTRY)/$(IMAGE_GROUP)/$(IMAGE_NAME):$(IMAGE_TAG)$(REVISION)
 getTag:
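Review bot: The new `ifeq ($(CI), false)` guard around `docker login` in the `push` target never fires when `CI` is simply unset, which is the usual case outside the runner, because an empty value does not equal `false`; `ifneq ($(CI), true)` (with the `--no-cache` block in the first hunk kept on `ifeq ($(CI), true)`) makes "unset or anything but true" mean "not CI". What `$(CI)` holds in the runner also depends on the workflow, which sets `CI: ON` as an unquoted YAML scalar that parsers variously read as the boolean true or the string `ON`; how the runner renders that into the environment is not visible here, so quoting it as `CI: "true"` in the workflow pins the exact string both `ifeq` tests compare against. Separately, the build context widens from `src/` to `.`, so the whole checkout, `.git/` and any local files included, is now sent to the daemon and reachable by `COPY` in the Dockerfile; confirm a `.dockerignore` excludes what the image does not need. The `--build-arg IMAGE_TAG=$(IMAGE_TAG)` value is recorded in image history when the Dockerfile declares the ARG, which is fine for a tag but means this path should not later be reused for the Harbor credentials. The `build` recipe begins above the second hunk.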