My Workflow
Docker is currently one of the main tools in the DevOps domain. You may be dealing with multiple Docker Images every day. Certainly.
In the past, I used to create and publish Docker Images manually on my own PC, Now with Github Actions, my affairs are very fast and easy and I leave everything to Github.
For example look at my repository (Memcached-Admin). It's a Dockerized PHP web application to manage Memcached server(s). I should pass these steps to use this project :
- Build Image
- Check and scan security vulnerabilities
- Push to Dockerhub
- Push to Other Docker registries
Doing these things normally will waste my time, also after planning the necessary things to build the image, it's necessary to ensure their security and the absence of security bugs. Here we have one of the best tools ... Trivy 💪. A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.
Thanks to Github Action, now we can have all things together.
I wrote simple workflows to handle the whole process.
hatamiarash7 / Memcached-Admin
Memcached admin for docker
Memcached Admin
This program allows to see in real-time (top-like) or from the start of the server, stats for get, set, delete, increment, decrement, evictions, reclaimed, cas command, as well as server stats (network, items, server version) with google charts and server internal configuration
You can go further to see each server slabs, occupation, memory wasted and items (key & value).
Another part can execute commands to any memcached server : get, set, delete, flush_all, as well as execute any commands (like stats) with telnet
Statistics
- Stats for each or all memcached servers, items, evicted, reclaimed ...
- Stats for every command : set, get, delete, incr, decr, cas ...
- Slabs stats (Memory, pages, memory wasted, items)
- Items stats (View items in slabs, then data for each key)
- Network stats (Traffic, bandwidth)
Commands
- Execute commands : get, set, delete, flush_all on servers to administrate or debug it
- Get…
Submission Category:
Maintainer Must-Haves
Yaml File or Link to Code
name: Docker Image CI
on:
push:
branches: [master]
pull_request:
branches: [master]
jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build the Docker image
run: docker build -t memcached-admin:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "memcached-admin:${{ github.sha }}"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: "trivy-results.sarif"
This workflow has 4 simple step:
- Checkout my code
- Build Docker image
- Scan using Trivy
- Upload results to GitHub Code scanning
I can see results in Security tab of my project:
Now i can push my image to Dockerhub using another workflow:
name: Publish Dockerhub
on:
schedule:
- cron: "0 2 * * *"
push:
branches: [master]
pull_request:
branches: [master]
env:
REGISTRY: docker.io
IMAGE_NAME: hatamiarash7/memcached-admin
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push Docker image
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
Another amazing feature about Github Action is that I can schedule to run my workflow. For example push image at 02:00 every day:
...
on:
schedule:
- cron: "0 2 * * *"
...
Now everything will be done automatically and I just need to push the changes to the repository 😍
Additional Resources / Info
I used this action: aquasecurity/trivy-action
Top comments (1)
Like!