astra/container-action
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #1 from Frozen-Tapestry/develop

Browse source 
Initial release with: strict mode for bash, rootless podman build
This commit is contained in:
Foat 2024-12-18 17:56:35 +03:00 committed by GitHub
commit cf79bbde67
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 89 additions and 80 deletions
Download patch file Download diff file Expand all files Collapse all files

17
.github/workflows/verify.yml vendored
View file

@ -1,9 +1,12 @@
name: verify
name: Container Action Tests
on:
push:
branches:
- prime
- develop
pull_request_review:
types: [submitted]
permissions:
contents: read
@ -30,14 +33,12 @@ jobs:
login_registry: ghcr.io
login_username: ${{ github.actor }}
login_password: ${{ secrets.GITHUB_TOKEN }}
tags: |
ghcr.io/frozen-tapestry/podman-action-verify:latest
tags: ghcr.io/frozen-tapestry/podman-action-verify:latest
dockerfile: Dockerfile
build_args: |
MY_ENV_VAR=Test
MY_ENV_VAR2=Test2
security:
--security-opt seccomp=unconfined --security-opt apparmor=unconfined
build_args: MY_ENV_VAR=Test MY_ENV_VAR2=Test2
security: |
--security-opt=seccomp=unconfined
--security-opt=apparmor=unconfined
push: true
- name: Run Docker container and verify output
id: verify-output

48
README.md
View file

@ -1,24 +1,23 @@
# Podman (Login,Build,Push) GitHub Action
# Podman (Login, Build, Push) GitHub Action
This repository provides a GitHub Action to build and push container images using [Podman](https://podman.io/). It supports Podman login, building images from Dockerfiles, and pushing images to container registries.
This repository provides a GitHub Action to build and push container images using [Podman](https://podman.io/). The action supports Podman login, building images from Dockerfiles, and pushing images to container registries. It is designed to work seamlessly within GitHub workflows to automate CI/CD pipelines.
## Features
- Build container images with Podman.
- Push images to a container registry (e.g., `ghcr.io`, `quay.io`).
- Flexible support for build arguments, labels, tags, and security options.
- Designed to run in GitHub workflows for CI/CD automation.
- Supports Gitea Actions with a shared storage between runs.
- **Build and Push:** Build container images and optionally push them to a container registry.
- **Flexible Configuration:** Support for build arguments, labels, tags, and security options.
- **CI/CD Ready:** Designed for GitHub Actions workflows.
- **Shared Storage Support:** Compatible with shared storage on self-hosted runners for caching.
## Directory Structure
```plaintext
podman-action
container-action
├── LICENSE # License information (MIT)
├── README.md # This documentation
├── .github
│ └── workflows
│ └── verify.yml # Example GitHub workflow for verification
│ └── verify.yml # Example workflow for testing
├── scripts
│ └── run.sh # Core script to handle Podman operations
└── action.yml # GitHub Action definition
@ -28,7 +27,7 @@ podman-action
### Example Workflow
Add the following workflow file to `.github/workflows/build.yml`:
To use this action in a workflow, create a file `.github/workflows/build.yml` with the following content:
```yaml
name: Build and Push Container Image
@ -59,19 +58,18 @@ jobs:
### Inputs
| Input | Description | Required | Default |
|------------------|--------------------------------------------------------------------------------------------------|----------|------------------|
| `login_registry` | The container registry to push to (e.g., `ghcr.io`). | No | |
| `login_username` | Registry username. | No | |
| `login_password` | Registry password (use GitHub secrets). | No | |
| `tags` | Tags for the image (space-separated or newline-separated). | No | |
| `labels` | Additional metadata for the image (space-separated or newline-separated). | No | |
| `build_args` | Build arguments (space-separated or newline-separated). | No | |
| `extra_args` | Extra arguments for the `podman build` command (newline-separated). | No | |
| `dockerfile` | Path to the Dockerfile. If set, the build step is performed. | No | |
| `push` | Whether to push the image after building. | No | `false` |
| `shared_path` | Path to a shared folder for cache files on the host filesystem (useful for self-hosted runners). | No | `/tmp/shared` |
| `security` | Security options for the intermediate container (space-separated). | No | `--network=host` |
| Input | Description | Required | Default |
|------------------|---------------------------------------------------------------------------------------------------------|----------|------------------|
| `login_registry` | Container registry to push to (e.g., `quay.io`). If not set, the image is only built locally. | No | |
| `login_username` | Registry username. | No | |
| `login_password` | Registry password (GitHub secret recommended). | No | |
| `tags` | Tags for the image. Space-separated. e.g. `quay.io/podman/stable:latest quay.io/podman/stable:nightly`. | No | |
| `labels` | List of additional metadata for an image. Space-separated. | No | |
| `build_args` | Optional build arguments. Space-separated. e.g. `MY_ENV_VAR=Test MY_ENV_VAR2=Test2`. | No | |
| `extra_args` | Extra arguments to be passed to Podman. Space-separated. e.g. `-e=MY_ENV=Test -e=MY_ENV=Test2`. | No | |
| `dockerfile` | Path to the Dockerfile. If set, the build step is performed. | No | |
| `push` | Whether to push the image after building. | No | `false` |
| `security` | Security flags used for an intermediate container. Newline-separated. | No | `--network=host` |
## Development
@ -82,7 +80,7 @@ The `verify.yml` workflow tests the action by:
2. Building and pushing the container image.
3. Running the container to validate its output.
You can use this workflow as a template for testing your own usage.
You can use this workflow as a template for testing your own usage. It is located at `.github/workflows/verify.yml`.
### Core Script
@ -97,4 +95,4 @@ This project is licensed under the MIT License. See the [LICENSE](LICENSE) file
## Contributions
Contributions, issues, and feature requests are welcome! Feel free to open a pull request or issue in this repository.
Contributions, issues, and feature requests are welcome! Feel free to open a pull request or issue in this repository.

5
RELEASES.md Normal file
View file

@ -0,0 +1,5 @@
# Container Action releases
### v1.0.0
- Initial release

64
action.yml
View file

@ -16,19 +16,22 @@ inputs:
required: false
tags:
description: |
Tag of the image (space-separated or newline-separated).
e.g. quay.io/podman/stable:latest
Tags for the image. Space-separated. e.g.
quay.io/podman/stable:latest quay.io/podman/stable:nightly
required: false
labels:
description: List of additional metadata for an image (space-separated or newline-separated).
description: |
List of additional metadata for an image. Space-separated.
required: false
build_args:
description: Optional build arguments (space-separated or newline-separated).
description: |
Optional build arguments. Space-separated. e.g.
MY_ENV_VAR=Test MY_ENV_VAR2=Test2
required: false
extra_args:
description: |
Extra args to be passed to podman bud.
Separate arguments by newline.
Extra args to be passed to podman. Space-separated. e.g.
-e=MY_ENV=Test -e=MY_ENV=Test2
required: false
dockerfile:
description: Path to the Dockerfile. If set, build step is performed.
@ -37,49 +40,34 @@ inputs:
description: Whether to push the image after building.
default: 'false'
required: false
shared_path:
description: |
Path to container shared folder for different cache files on the host filesystem.
Useful for self-hosted runners.
default: '/tmp/shared'
required: false
security:
description: Security flags that are used for an intermediate container. Space separated.
description: Security flags that are used for an intermediate container. New line separated.
default: '--network=host'
required: false
runs:
using: composite
steps:
- name: Convert composite args
id: convert
shell: bash
run: |
echo tags=$(echo "${{ inputs.tags }}" | xargs echo -n | tr -s ' \n' '+') >> $GITHUB_OUTPUT
echo labels=$(echo "${{ inputs.labels }}" | xargs echo -n | tr -s ' \n' '+') >> $GITHUB_OUTPUT
echo build_args=$(echo "${{ inputs.build_args }}" | xargs echo -n | tr -s ' \n' '+') >> $GITHUB_OUTPUT
echo extra_args=$(echo "${{ inputs.extra_args }}" | xargs echo -n | tr -s ' \n' '+') >> $GITHUB_OUTPUT
- name: Run container steps
uses: frozen-tapestry/docker-run-action@v5
uses: frozen-tapestry/docker-run-action@v6
with:
image: quay.io/podman/stable:latest
mount_ws: true
options: |
${{ inputs.security }}
-v ${{ inputs.shared_path }}/auth:/etc/containers/auth
-v ${{ inputs.shared_path }}/storage:/var/lib/containers/storage
-v ${{ github.action_path }}/scripts:/scripts
-e REGISTRY_AUTH_FILE=/etc/containers/auth/auth.json
-e REGISTRY=${{ inputs.login_registry }}
-e USERNAME=${{ inputs.login_username }}
-e PASSWORD=${{ inputs.login_password }}
-e ACTION_TAGS=${{ steps.convert.outputs.tags }}
-e ACTION_LABELS=${{ steps.convert.outputs.labels }}
-e ACTION_BUILD_ARGS=${{ steps.convert.outputs.build_args }}
-e ACTION_EXTRA_ARGS=${{ steps.convert.outputs.extra_args }}
-e DOCKERFILE=${{ inputs.dockerfile }}
-e REVISION=${{ github.sha }}
-e SOURCE=${{ github.server_url }}/${{ github.repository }}
-e PUSH=${{ inputs.push }}
-v=${{ env.CACHE_SHARED_PATH }}/podman-auth:/home/podman/auth:rw
-v=${{ env.CACHE_SHARED_PATH }}/podman-storage:/home/podman/.local/share/containers/storage:rw
-v=${{ github.action_path }}/scripts:/scripts:ro
-e=REGISTRY_AUTH_FILE=/home/podman/auth/auth.json
-e=REGISTRY=${{ inputs.login_registry }}
-e=USERNAME=${{ inputs.login_username }}
-e=PASSWORD=${{ inputs.login_password }}
-e=ACTION_TAGS=${{ inputs.tags }}
-e=ACTION_LABELS=${{ inputs.labels }}
-e=ACTION_BUILD_ARGS=${{ inputs.build_args }}
-e=ACTION_EXTRA_ARGS=${{ inputs.extra_args }}
-e=DOCKERFILE=${{ inputs.dockerfile }}
-e=REVISION=${{ github.sha }}
-e=SOURCE=${{ github.server_url }}/${{ github.repository }}
-e=PUSH=${{ inputs.push }}
run: /bin/bash /scripts/run.sh

35
scripts/run.sh
View file

@ -1,10 +1,24 @@
#!/bin/bash
set -euo pipefail
IFS=$'\n\t '
IFS=$'\n\t'
REGISTRY=${REGISTRY:-}
USERNAME=${USERNAME:-}
PASSWORD=${PASSWORD:-}
DOCKERFILE=${DOCKERFILE:-}
PUSH=${PUSH:-}
PODMAN_USER="podman"
chown $PODMAN_USER:$PODMAN_USER /home/$PODMAN_USER/auth
chown $PODMAN_USER:$PODMAN_USER /home/$PODMAN_USER/.local/share/containers/storage
### LOGIN
if [[ -n "$REGISTRY" && -n "$USERNAME" && -n "$PASSWORD" ]]; then
podman login --storage-driver=overlay $REGISTRY -u $USERNAME -p $PASSWORD
sudo -u $PODMAN_USER podman login \
--storage-driver=overlay \
--authfile="$REGISTRY_AUTH_FILE" \
"$REGISTRY" -u "$USERNAME" -p "$PASSWORD"
fi
generate_args() {
@ -12,8 +26,8 @@ generate_args() {
local prefix="$2"
local output=""
if [ -n "$input_args" ]; then
output="$(echo "$input_args" | tr -s '+' ' ' | sed "s/[^ ]* */$prefix &/g")"
if [[ -n "$input_args" ]]; then
output="$(echo "$input_args" | tr -s ' ' '\n' | sed "s/[^ ]* */$prefix&/g")"
fi
echo "$output"
@ -27,17 +41,18 @@ if [[ -n "$DOCKERFILE" ]]; then
echo "Main labels: $CREATED $REVISION $SOURCE"
TAGS=$(generate_args "$ACTION_TAGS" "-t")
TAGS=$(generate_args "$ACTION_TAGS" "-t=")
echo "Tags: $TAGS"
LABELS=$(generate_args "$ACTION_LABELS" "--label")
LABELS=$(generate_args "$ACTION_LABELS" "--label=")
echo "Labels: $LABELS"
BUILD_ARGS=$(generate_args "$ACTION_BUILD_ARGS" "--build-arg")
BUILD_ARGS=$(generate_args "$ACTION_BUILD_ARGS" "--build-arg=")
echo "Build args: $BUILD_ARGS"
EXTRA_ARGS=$(generate_args "$ACTION_EXTRA_ARGS" "")
echo "Extra args: $EXTRA_ARGS"
podman build --platform="linux/amd64" \
sudo -u $PODMAN_USER podman build --platform="linux/amd64" \
--storage-driver=overlay \
--authfile="$REGISTRY_AUTH_FILE" \
--pull=true \
--label image.created="$CREATED" \
--label image.revision="$REVISION" \
@ -54,5 +69,7 @@ if [[ -n "$PUSH" && "$PUSH" == "true" ]]; then
TAGS=$(generate_args "$ACTION_TAGS" "")
echo "Tags: $TAGS"
podman push --storage-driver=overlay $TAGS
sudo -u $PODMAN_USER podman push \
--storage-driver=overlay \
--authfile="$REGISTRY_AUTH_FILE" $TAGS
fi