[DO-1569] change-docker-repo-template (!3)

- Добавлена возможность использовать секреты HVault - Actions берутся из локального зеркала - доп. правки Co-authored-by: Yaroslav Bondarenko <yaroslav.bondarenko@avroid.tech> Reviewed-on: https://git.avroid.tech/Templates/template-docker-repository/pulls/3 Reviewed-by: Vasiliy Chipizhin <vasiliy.chipizhin@avroid.team> Reviewed-by: Aleksandr Vodyanov <aleksandr.vodyanov@avroid.team>
2025-02-11 16:17:00 +03:00
parent b1750866e2
commit e5ea3cae8b
2 changed files with 29 additions and 9 deletions
--- a/.gitea/workflows/build-and-push-image.yaml
+++ b/.gitea/workflows/build-and-push-image.yaml
@@ -10,22 +10,38 @@ env:

 jobs:
  build_and_push:
-    runs-on: docker
+    runs-on: act-runner-label
    name: Builds the image and publishes to docker hub
    container:
      image: harbor.avroid.tech/docker-hub-proxy/catthehacker/ubuntu:act-latest
    steps:
      - run: printenv

+      - name: Retrieve secrets from Hashicorp Vault
+        id: retrieve-secrets
+        uses: https://git-mirrors.avroid.tech/Mirrors-actions/vault-action.git@v3
+        with:
+          url: https://vault.avroid.tech
+          method: approle
+          roleId: ${{ secrets.HVAULT_GITEA_ACTIONS_ROLE_ID }}
+          secretId: ${{ secrets.HVAULT_GITEA_ACTIONS_SECRET_ID }}
+          # Ниже указываем {путь к секрету в HVault} {имя ключа секрета} | {имя переменной окружения куда засетим значение секрета}
+          # Доступ к секретам осуществляется через заранее созданный AppRole "gitea-actions-role" в HVault и подключенную
+          # к ней политику "gitea-actions". В политике описывается доступ к необходимым секретам. Политику можно посмотреть
+          # через UI Hashicorp Vault.
+          secrets: |
+            team-devops/data/services/registry/Harbor/harbor.avroid.tech 'service.user.ci.login' | HARBOR_LOGIN ;
+            team-devops/data/services/registry/Harbor/harbor.avroid.tech 'service.user.ci.token' | HARBOR_TOKEN ;
+
      - name: Login to Harbor Docker Registry
-        uses: docker/login-action@v3
+        uses: https://git-mirrors.avroid.tech/Mirrors-actions/login-action@v3
        with:
          registry: https://harbor.avroid.tech
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_TOKEN }}
+          username: ${{ env.HARBOR_LOGIN }}
+          password: ${{ env.HARBOR_TOKEN }}

      - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: https://git-mirrors.avroid.tech/Mirrors-actions/checkout@v4

      - name: "Build image"
        run: |
--- a/8
+++ b/8
@@ -8,7 +8,7 @@ DOCKER_REGISTRY = harbor.avroid.tech

 CI_FLAGS =

-ifeq ($(CI), false)
+ifeq ($(CI), true)
 	CI_FLAGS = --no-cache
 endif

@@ -23,9 +23,13 @@ build:
 	DOCKER_BUILDKIT=1 docker build $(CI_FLAGS) \
 					-f Dockerfile \
 					--platform linux/amd64 \
-					-t $(DOCKER_REGISTRY)/$(IMAGE_GROUP)/$(IMAGE_NAME):$(IMAGE_TAG)$(REVISION) src/
+					--build-arg IMAGE_TAG=$(IMAGE_TAG) \
+					-t $(DOCKER_REGISTRY)/$(IMAGE_GROUP)/$(IMAGE_NAME):$(IMAGE_TAG)$(REVISION) .

 push:
+ifeq ($(CI), false)
+	docker login https://$(DOCKER_REGISTRY)
+endif
 	docker push $(DOCKER_REGISTRY)/$(IMAGE_GROUP)/$(IMAGE_NAME):$(IMAGE_TAG)$(REVISION)

 getTag: