add github action to build image

front-matter · Jun 2, 2024 · 7c76f2d · 7c76f2d
1 parent 930ebe5
commit 7c76f2d
Show file tree

Hide file tree

Showing 6 changed files with 186 additions and 76 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,102 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - v*
+
+  workflow_dispatch:
+
+jobs:
+  debian:
+    name: Publish Debian Image
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Run Trivy static code analysis
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          security-checks: 'vuln,secret,config'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy static code analysis results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: 'fs'
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t ghcr.io/${{ github.repository_owner }}/invenio-rdm-starter:${{ github.sha }} .
+
+      - name: Run Trivy image scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'ghcr.io/${{ github.repository_owner }}/invenio-rdm-starter:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy image scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: 'image'
+
+      # https://github.com/docker/metadata-action
+      # Tags:
+      #   type=semver,pattern=...: on tag pushed, with a valid `semver`, the new image
+      #     will have tags `x`, `x.y`, `x.y.z`. Pre-release GIT tag will tag image
+      #     with only pre-release tag, e.g. `x.y.z-beta.67`, and not the others
+      # Flavor:
+      #    `latest` will tag the image with `latest`
+
+      - name: Extract GIT metadata for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ghcr.io/${{ github.repository_owner }}/invenio-rdm-starter
+          tags: |
+            # type=semver,pattern={{major}}
+            # type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}.{{minor}}.{{patch}}
+            # type=semver,pattern={{version}}
+            type=schedule,pattern={{date 'YYYYMMDD'}}
+          flavor: |
+            latest=true
+
+      # needed to build multi-platform images
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish Image to GitHub Container Registry
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: ./Dockerfile
+          # support images for Intel and Apple Silicon processors
+          platforms: linux/amd64, linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/README.md b/README.md
@@ -11,10 +11,13 @@ docker exec -it invenio-rdm-starter-web-1  bash
 # create the database and run migrations
 invenio db create
 invenio alembic upgrade
+invenio index init
+
+# load vocabularies
+invenio rdm-records fixtures
 
 # (optional) load demo data
 invenio rdm-records demo
-invenio rdm-records fixtures
 
 # create a user using (your) email address, you will be prompted for a password
 invenio users create [email protected]  --active --confirm

diff --git a/app_data/vocabularies.yaml b/app_data/vocabularies.yaml
@@ -10,12 +10,12 @@ subjects:
 #names:
 #  pid-type: names
 #  data-file: vocabularies/names.yaml
-#licenses:
-#  pid-type: lic
-#  data-file: vocabularies/cc_licences.csv
-#languages:
-#  pid-type: lng
-#  data-file: vocabularies/languages.yaml
+licenses:
+ pid-type: lic
+ data-file: vocabularies/cc_licences.csv
+languages:
+ pid-type: lng
+ data-file: vocabularies/languages.yaml
 # TODO: Uncoment this if you want to have all affiliations with ROR identifiers.
 # affiliations:
 #   pid-type: aff

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -77,8 +77,6 @@ services:
       - POSTGRES_DB=${POSTGRES_DB:-inveniordm}
     ports:
       - 5432:5432
-    volumes:
-      - ./docker/postgres/docker-entrypoint-initdb.d/inveniordm.sql:/docker-entrypoint-initdb.d/inveniordm.sql
   search:
     image: opensearchproject/opensearch:2.12.0
     restart: "unless-stopped"
@@ -96,8 +94,6 @@ services:
         soft: 65536
         hard: 65536
     mem_limit: 2g
-    volumes:
-      - ./docker/opensearch:/usr/share/opensearch/data
     ports:
       - "9200:9200"
       - "9600:9600"