Add image build actions

.github/actions/build.yaml

@@ -0,0 +1,75 @@
+name: 'Reusable: Build and push image'
+
+# This is a reusable build step, that is supposed to handle the generic task of building a docker
+# image and pushing it to a repo.
+# This action should be as generic as possible. Maybe extract it to a repo
+#
+# TODO: Could be made more customizable with: `jq`, `fromJSON`, `toJSON` and `join`
+
+on:
+  workflow_call:
+    inputs:
+      repository_url:
+        description: 'Url to push build image to'
+        type: string
+        required: true
+      images:
+        description: 'Images arguments for docker/metadata-action'
+        type: string
+        required: false
+      flavor:
+        description: 'Flavor argument for docker/metadata-action'
+        type: string
+        required: false
+      tags:
+        description: 'Tags argument for docker/metadata-action'
+        type: string
+        required: false
+        default: |
+          type=semver,pattern={{version}},priority=1000
+          type=schedule,priority=900
+          type=sha,format=long,priority=800
+    secrets:
+      REGISTRY_USERNAME:
+        description: 'Username for registry login'
+        required: true
+      REGISTRY_TOKEN:
+        description: 'Password for registry login'
+        required: true
+    outputs:
+      tags:
+        description: List of set tags
+        value: ${{ jobs.build.outputs.tags }}
+      labels:
+        description: 
+        value: ${{ jobs.build.outputs.labels }}
+      json: ${{ jobs.build.outputs.json }}
+
+jobs:
+  build:
+    environment: deploy
+    runs-on: 'ubuntu-latest'
+    outputs:
+      tags: ${{ steps.meta.outputs.tags }}
+      labels: ${{ steps.meta.outputs.labels }}
+      json: ${{ steps.meta.outputs.json }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: ${{ inputs.images }}
+          tags: ${{ inputs.tags }}
+          flavor: ${{ inputs.flavor }}
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ${{ inputs.repository_url }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+      - uses: docker/build-push-action@v5
+        with:
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/actions/copy-images.yaml

@@ -0,0 +1,46 @@
+---
+name: Reusable Copy Images
+
+on: 
+  workflow_dispatch:
+    inputs:
+      sourceURI:
+        description: 'Source image and tag. Example: "https://quay.io/repository/puzzle/centos-apache-modsecurity?tab=tags&tag=crs-v3.3.2-waf2"'
+        required: true
+      targetImage:
+        description: 'Target image and tag. Example: "stbi-waf:crs-v3.3.2-waf2'
+        required: true
+  workflow_call:
+    inputs:
+      sourceURI:
+        description: 'Source image and tag. Example: "https://quay.io/repository/puzzle/centos-apache-modsecurity?tab=tags&tag=crs-v3.3.2-waf2"'
+        required: true
+      targetImage:
+        description: 'Target image and tag. Example: "stbi-waf:crs-v3.3.2-waf2'
+        required: true
+
+jobs:
+  push-image:
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Login Quay
+        uses: docker/login-action@v1
+        with:
+          registry: 'quay.io'
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: Login Puzzle Registry
+        uses: docker/login-action@v1
+        with:
+          registry: registry.puzzle.ch
+          username: ${{ secrets.PUZZLE_REGISTRY_USERNAME }}
+          password: ${{ secrets.PUZZLE_REGISTRY_TOKEN }}
+
+      - name: Push image
+        uses: akhilerm/[email protected]
+        with:
+          src: ${{ github.event.inputs.sourceURI }}
+          dst: registry.puzzle.ch/decidim/${{ github.event.inputs.targetImage }}
+...

.github/actions/lint.yaml

@@ -0,0 +1,54 @@
+name: 'Reusable: Code Style Review'
+
+on:
+  workflow_call:
+
+jobs:
+  lint:
+    runs-on: 'ubuntu-latest'
+
+    steps:
+      - name: 'Checkout'
+        uses: actions/checkout@v2
+
+      - name: 'Set up Ruby'
+        uses: actions/setup-ruby@v1
+        with:
+          ruby-version: '2.7'
+
+      - name: 'Set up Reviewdog'
+        env:
+          REVIEWDOG_INSTALLER: 'https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh'
+        run: |
+          mkdir -p $HOME/bin
+          curl -sfL ${REVIEWDOG_INSTALLER} | sh -s -- -b $HOME/bin
+
+      - name: 'Set up Rubocop'
+        run: 'gem install rubocop rubocop-minitest rubocop-performance rubocop-rails'
+
+      - name: 'Run Rubocop'
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          rubocop |
+          $HOME/bin/reviewdog \
+          -f=rubocop \
+          -name="Rubocop" \
+          -reporter=github-pr-review \
+          -level=error \
+          -diff="git diff $DIFF_BRANCH"
+
+      - name: 'Set up Haml-lint'
+        run: 'gem install haml-lint'
+
+      - name: 'Run Haml-lint'
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          haml-lint |
+          $HOME/bin/reviewdog \
+          -efm="%f:%l %m" \
+          -name="Haml-lint" \
+          -reporter=github-pr-review \
+          -level=error \
+          -diff="git diff $DIFF_BRANCH"

.github/actions/lint_test_build_update.yaml

@@ -0,0 +1,37 @@
+name: 'Lint, test and build image. Push image tag to configmanagement'
+
+on:
+  workflow_call:
+    inputs:
+      image_repo:
+        description: "Image repo to push image to"
+        type: string
+        required: true
+      configmanagement:
+        description: "Configmanagement to write image tag to"
+        type: string
+        required: true
+      kustomization_path:
+        description: "Path to kustomization file"
+        type: string
+        required: true
+
+jobs: 
+  lint:
+    uses: ./.github/actions/lint.yaml
+  test:
+    uses: ./.github/actions/tests.yaml
+  build:
+    needs: [lint, test]
+    uses: ./.github/actions/build.yaml
+    secrets: inherit
+    with:
+      repository_url: ${{ inputs.image_repo }}
+  update_tag:
+    needs: [build]
+    uses: ./.github/actions/update_image.yaml
+    secrets: inherit
+    with:
+      repository: ${{ inputs.configmanagement }}
+      file: ${{ inputs.kustomization_path }}
+      json: ${{ jobs.build.outputs.json }}

.github/actions/sbom.yaml

@@ -0,0 +1,56 @@
+name: 'Reusable: Send SBOM to a dependency tracker'
+
+# This is a reusable build step, that is supposed to handle the generic task of
+# sending a SBOM somewhere.
+# This action should be as generic as possible. Maybe extract it to a repo
+#
+# TODO: Could be made more customizable with: `jq`, `fromJSON`, `toJSON` and `join`
+
+on:
+  workflow_call:
+    inputs:
+      dependency_tracker_url:
+        description: 'Url to send SBOM to'
+        type: string
+        required: true
+      project:
+        description: 'Project name'
+        type: string
+        required: false
+      project_version:
+        description: 'Project version'
+        type: string
+        required: false
+
+    secrets:
+      DEPENDENCY_TRACKER_TOKEN:
+        description: 'Token for the dependency tracker'
+        required: true
+
+jobs:
+  sbom:
+    environment: deploy
+    runs-on: 'ubuntu-latest'
+    steps:
+      - uses: anchore/sbom-action@0
+        format: cyclonedx
+        output-file: sbom.xml
+      - name: 'Push SBOM to dependency tracker'
+        env:
+          URL: ${{ inputs.dependency_tracker_url }}
+          PROJECT: ${{ inputs.project }}
+          VERSION: ${{ inputs.project_version }}
+          TOKEN: ${{ secrets.DEPENDENCY_TRACKER_TOKEN }}
+        run: |
+          curl \
+            --silent \
+            --verbose \
+            --location \
+            --request POST \
+            --header "X-Api-Key: ${TOKEN}" \
+            --header "Content-Type: multipart/form-data" \
+            --form "autoCreate=true" \
+            --form "projectName=${PROJECT:-$GITHUB_REPOSITORY}" \
+            --form "projectVersion=${VERSION:-latest}" \
+            --form "[email protected]" \
+            "${URL}"

.github/actions/tests.yaml

@@ -0,0 +1,63 @@
+---
+name: 'Reusable: Rails Unit Tests'
+
+on:
+  workflow_call:
+
+jobs:
+  test:
+    runs-on: 'ubuntu-latest'
+
+    strategy:
+      matrix:
+        ruby: ['2.7']  # TODO: Reenable 3.0 when it's compatible
+
+    services:
+      postgres:
+        image: 'postgres:11'
+        env:
+          POSTGRES_PASSWORD: 'postgres'
+        ports: ['5432:5432']
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 10s
+          --health-retries 10
+      memcached:
+        image: 'memcached'
+        ports: ['11211:11211']
+
+    steps:
+      - name: 'Checkout'
+        uses: actions/checkout@v2
+
+      - name: 'Set up Ruby ${{ matrix.ruby }}'
+        uses: actions/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+
+      - name: Install required package
+        run: |
+          sudo apt-get install libpq-dev
+      - name: Cache gems
+        id: cache
+        uses: actions/cache@v2
+        with:
+          path: vendor/bundle
+          key: ruby-${{ matrix.ruby }}-gem-${{ hashFiles('**/Gemfile.lock') }}
+          restore-keys: |
+            ruby-${{ matrix.ruby }}-gem-
+
+      - name: 'Build and run tests'
+        env:
+          RAILS_TEST_DB_NAME: 'postgres'
+          RAILS_TEST_DB_USERNAME: 'postgres'
+          RAILS_TEST_DB_PASSWORD: 'postgres'
+          RAILS_ENV: 'test'
+        run: |
+          gem install bundler --version '~> 2'
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3
+          bundle exec rails db:create
+          bundle exec rails db:migrate
+          bundle exec rails test