In this tutorial, we'll walk through setting up a GitHub Actions pipeline that builds a Docker image and publishes it to Google Cloud's Artifact Registry. (The workflow pushes to a REGION-docker.pkg.dev repository, which is Artifact Registry; Container Registry, the older gcr.io service, is being retired in favour of it, so "GCR" in the title is the colloquial name, not where the image ends up.) By leveraging GitHub Actions we can streamline the development workflow: every push lints the Dockerfile, builds the image, pushes it, and scans it for known vulnerabilities.
Prerequisites
Before we begin, make sure you have the following:
- A GitHub repository containing your Docker project.
- A Dockerfile in your repository. The workflow below expects it at gcp/Dockerfile; adjust the path if yours lives elsewhere.
- A Google Cloud Platform (GCP) project with the Artifact Registry API enabled and a Docker-format repository created in it (its name and location become REGISTRY_NAME and REGION below).
- A way for the workflow to authenticate to GCP. The workflow below uses a service account key JSON file stored as the GitHub secret GOOGLE_CREDENTIALS. Grant that service account only the Artifact Registry Writer role on the target repository, and where you can, prefer Workload Identity Federation (the same google-github-actions/auth action accepts a workload_identity_provider input instead of credentials_json) so that no long-lived key is stored in GitHub at all.
Setting up the Pipeline
Step 1: Define GitHub Actions Workflow
Create a .github/workflows/docker-publish.yml file in your repository with the following content:
```yaml
name: Docker Build and Publish

on:
  push:
    branches:
      - '*'   # every branch push publishes to the same :latest tag; narrow this (e.g. to main) before relying on it

env:
  PROJECT_ID: <YOUR_PROJECT_ID>
  REGISTRY_NAME: <YOUR_REGISTRY_NAME>   # the Artifact Registry repository name, not a hostname
  IMAGE_NAME: <YOUR_IMAGE_NAME>
  REGION: <YOUR_REGION>                 # the repository location, e.g. europe-west1

jobs:
  build:
    name: GCP Build & push docker image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Debug
        run: |
          echo "github.ref -> ${{ github.ref }}"

      - name: lint Action for GCP
        uses: hadolint/hadolint-action@<VERSION>   # pin to a released tag; the version was lost from the page
        with:
          dockerfile: gcp/Dockerfile
          ignore: DL3018,SC2046,DL4006
          failure-threshold: warning
          no-color: false
          no-fail: true   # findings are reported but never fail the job

      - id: "auth"
        uses: "google-github-actions/auth@v1"
        with:
          credentials_json: "${{ secrets.GOOGLE_CREDENTIALS }}"

      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v1"

      - name: "Use gcloud CLI"
        run: "gcloud info"

      - name: "Docker auth"
        run: |-
          gcloud auth configure-docker ${{ env.REGION }}-docker.pkg.dev --quiet

      # No --tag suffix, so the image is tagged :latest
      - name: Build Docker image
        run: docker build . --file "gcp/Dockerfile" --tag ${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REGISTRY_NAME }}/${{ env.IMAGE_NAME }}

      - name: Push Docker image
        run: docker push ${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REGISTRY_NAME }}/${{ env.IMAGE_NAME }}

      # Runs after the push, and exit-code 0 means it can only report, never block
      - name: Run Trivy vulnerability scanner
        id: docker-scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REGISTRY_NAME }}/${{ env.IMAGE_NAME }}:latest'
          format: 'table'
          exit-code: '0'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
```
Replace <YOUR_PROJECT_ID>, <YOUR_REGISTRY_NAME>, <YOUR_IMAGE_NAME>, and <YOUR_REGION> with your actual GCP project ID, Artifact Registry repository name, image name, and repository region, respectively. Use the same spelling of the env variable everywhere it is referenced (a misspelt name such as REGESTRY_name expands to an empty string, and the push then fails with a malformed image reference rather than a clear error). The hadolint action version also needs to be filled in with a released tag.
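The build and push steps above tag the image :latest, which means every branch overwrites the same tag and the later Trivy scan may examine a different image than the one this run pushed. The following script is an added example, not part of the original tutorial: it assembles the Artifact Registry reference from the same four env values, refuses placeholder or empty values so a misconfigured env block fails early, and derives an immutable tag from the branch and commit SHA. The file name ci/image-ref.sh used in the comment is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): derive the image
# reference and an immutable tag for the "Build Docker image" step.
# Assumed wiring from a workflow step (path ci/image-ref.sh is an assumption):
#   run: |
#     . ./ci/image-ref.sh
#     echo "IMAGE=$(image_ref "$REGION" "$PROJECT_ID" "$REGISTRY_NAME" "$IMAGE_NAME"):$(image_tag "$GITHUB_REF" "$GITHUB_SHA")" >> "$GITHUB_ENV"
set -eu

# Build REGION-docker.pkg.dev/PROJECT/REPOSITORY/IMAGE and refuse values
# that are empty or still look like the tutorial's <PLACEHOLDER>s, so a
# misconfigured env block fails here instead of at docker push.
image_ref() {
  local region="$1" project="$2" repository="$3" image="$4" v
  for v in "$region" "$project" "$repository" "$image"; do
    case "$v" in
      ''|*'<'*|*'>'*)
        echo "image_ref: unreplaced or empty value: '$v'" >&2
        return 1 ;;
    esac
  done
  printf '%s-docker.pkg.dev/%s/%s/%s\n' "$region" "$project" "$repository" "$image"
}

# Immutable tag <branch-or-tag>-<7-char commit sha>, sanitised to what
# Docker accepts in a tag ([A-Za-z0-9_.-], not starting with '.' or '-').
# Unlike :latest, such a tag is never silently replaced by a later push
# from another branch, so it can be scanned, promoted and rolled back by name.
image_tag() {
  local ref="$1" sha="$2" name
  name="${ref#refs/heads/}"
  name="${name#refs/tags/}"
  name=$(printf '%s' "$name" | tr -cs 'A-Za-z0-9_.-' '-' | sed 's/^[^A-Za-z0-9_]*//' | cut -c1-100)
  [ -n "$name" ] || name=sha
  printf '%s-%.7s\n' "$name" "$sha"
}
```

The Trivy step can then scan exactly the tag that was pushed (image-ref: ${{ env.IMAGE }}) instead of :latest, and a tag such as main-9f8e7d6 tells you at a glance which commit produced the running container.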
Step 2: Understand the Additional Steps
Within the build job, the steps after checkout do the following: hadolint lints the Dockerfile (with no-fail: true it only reports), google-github-actions/auth authenticates to GCP with the service account key from the GOOGLE_CREDENTIALS secret, setup-gcloud installs the Cloud SDK, gcloud auth configure-docker registers gcloud as the Docker credential helper for the REGION-docker.pkg.dev host, docker build and docker push produce and upload the image, and Trivy scans the pushed image. The job needs no write access to the repository, so set permissions: contents: read at the workflow or job level to keep the default GITHUB_TOKEN read-only, and pin the third-party actions (hadolint, trivy-action) to a release tag or commit SHA rather than a moving branch.
Step 3: Customize Trivy Configuration (Optional)
If you're using Trivy for vulnerability scanning, adjust ignore-unfixed, vuln-type, and severity to match your security policy. Two things about the scan as written deserve attention: it runs after the push, so a vulnerable image is already in the registry by the time the report appears, and exit-code: '0' means the job succeeds whatever Trivy finds. To turn the scan into a gate, move the Trivy step before the push step so it scans the locally built image, set exit-code: '1', and narrow severity to the levels that should block (for example HIGH,CRITICAL, with ignore-unfixed: true so that only findings you can actually remediate stop the build).
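Sometimes the built-in exit-code option is not enough (for instance when you want the gate to print which findings blocked, or to apply a different threshold per branch). The script below is an added example, not part of the original tutorial: it reads one finding per line in the form "SEVERITY ID [FIXED_VERSION]" and returns a real exit code. Trivy's template output format (fields .Severity, .VulnerabilityID and .FixedVersion) produces exactly such lines; the invocation in the comment and the constructed sample findings are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): a policy gate over Trivy
# findings with a real exit code, to run between the build and the push.
# Assumed producer of findings.txt (Trivy's template format, one line per finding):
#   trivy image --format template \
#     --template '{{ range .Results }}{{ range .Vulnerabilities }}{{ .Severity }} {{ .VulnerabilityID }} {{ .FixedVersion }}{{ "\n" }}{{ end }}{{ end }}' \
#     "$IMAGE" > findings.txt
set -eu

# Print a per-severity summary and return 1 when any finding at or above
# THRESHOLD (UNKNOWN < LOW < MEDIUM < HIGH < CRITICAL) has a fixed version.
# That is the same selection trivy-action's severity + ignore-unfixed
# options make, but enforced rather than merely displayed. Returns 2 on a
# bad threshold so a typo in the policy cannot pass as "nothing found".
gate_findings() {
  local file="$1" threshold="${2:-HIGH}"
  case "$threshold" in
    UNKNOWN|LOW|MEDIUM|HIGH|CRITICAL) ;;
    *) echo "gate_findings: unknown threshold '$threshold'" >&2; return 2 ;;
  esac
  awk -v threshold="$threshold" '
    BEGIN {
      rank["UNKNOWN"] = 0; rank["LOW"] = 1; rank["MEDIUM"] = 2
      rank["HIGH"] = 3; rank["CRITICAL"] = 4
      blocked = 0
    }
    NF >= 2 {
      sev = $1; id = $2; fix = (NF >= 3) ? $3 : ""
      total[sev]++
      if (rank[sev] >= rank[threshold] && fix != "") {
        blocked++
        printf "BLOCK %-8s %s (fixed in %s)\n", sev, id, fix
      }
    }
    END {
      for (s in total) printf "%s=%d ", s, total[s]
      printf "blocked=%d\n", blocked
      exit (blocked > 0 ? 1 : 0)
    }' "$file"
}

# Constructed sample findings (not real scan output) so the gate can be
# exercised offline: one fixed CRITICAL, one unfixed HIGH, one fixed
# MEDIUM and one unfixed LOW.
write_sample_findings() {
  cat > "$1" <<'EOF'
CRITICAL CVE-2023-0001 1.2.3
HIGH CVE-2023-0002
MEDIUM CVE-2023-0003 4.5.6
LOW CVE-2023-0004
EOF
}
```

With the sample data, gate_findings findings.txt HIGH blocks on CVE-2023-0001 (CRITICAL with a fix) but not on the unfixed HIGH, which is the behaviour ignore-unfixed: true gives you; at threshold MEDIUM the fixed MEDIUM would block as well. Run it as a step before docker push and the push never happens when the gate fails.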
Step 4: Commit and Push
Commit the changes to your repository and push them to trigger the GitHub Actions pipeline. Watch the run in the repository's Actions tab, then confirm the image arrived with gcloud artifacts docker images list REGION-docker.pkg.dev/PROJECT_ID/REGISTRY_NAME (substituting your values); the Trivy table in the job log shows what the pushed image contains.
Conclusion
By following this tutorial, you've set up a GitHub Actions pipeline that automates building a Docker image and publishing it to Google Cloud's Artifact Registry. Each push now lints the Dockerfile, builds and pushes the image, and scans it for known vulnerabilities. Note what the pipeline as written does not do: it does not run tests, does not deploy anything, and does not block on lint or scan findings, so treat those as the next steps to add before calling the workflow a security control.
Feel free to customize the pipeline further to suit your specific requirements and integrate additional steps as needed. Happy automating!
This document provides a brief overview of setting up the Docker image build and publish pipeline with GitHub Actions. For a detailed explanation and the full pipeline code, please refer to the GitHub repository.