The following is my yml file for Github Actions. I want to set the user of the docker to root for the following via the docker options (--user root) . How can I do this via Github Actions?
name: CI
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: run zap
uses: docker://sshniro/zap_action
with:
args: zap-baseline.py -t https://www.example.com
Thanks in Advance.
I don't think you can pass docker container arguments when using uses:, but you can set them with job containers.
Try this workflow:
name: ZAP
on: push
jobs:
build:
runs-on: ubuntu-latest
container:
image: owasp/zap2docker-stable
options: --user root
steps:
- uses: actions/checkout#v2
- name: run zap
run: zap-baseline.py -t https://www.example.com
You can find the documentation for the job.<job_id>.container syntax here.
Related
I am trying to build CI/CD pipelines using GitHub Actions but unfortunately, I am stuck with an error with the yaml file.
Here is my Yaml file is:
---
name: Build and push python code to gcp with github actions
on:
push:
branches:
- main
jobs:
build_push_grc:
name: Build and push to gcr
runs_on: unbuntu-latest
env:
IMAGE_NAME: learning_cicd
PROJECT_ID: personal-370316
steps:
- name: Checkoutstep
uses: actions/checkout#v2
- uses: google-github-actions/setup-gcloud#master
with:
service_account_key: ${{ secrets.SERVICE_ACCOUNT_KEY}}
project_id: ${{ env.PROJECT_ID }}
export_default_credentials: true
- name: Build Docker Image
run: docker build -t $IMAGE_NAME:latest .
- name: Configure Docker Client
run: |-
gcloud auth configure-docker --quiet
- name: Push Docker Image to Container Registry (GCR)
env:
GIT_TAG: v0.1.0
run: |-
docker tag $IMAGE_NAME:latest gcr.io/$PROJECT_ID/$IMAGE_NAME:latest
docker tag $IMAGE_NAME:latest gcr.io/$PROJECT_ID/$IMAGE_NAME:$GIT_TAG
docker push gcr.io/$PROJECT_ID/$IMAGE_NAME:latest
docker push gcr.io/$PROJECT_ID/$IMAGE_NAME:$GIT_TAG
Here is an error where I am stuck with:
GitHub Actions
/ .github/workflows/gcp.yaml
Invalid workflow file
You have an error in your yaml syntax on line 15
I tried all possible indentations available on the internet but had no luck. I tried Yamllinter but still could not find where the error comes from. Please point me to where I am going wrong.
Thanks.
The runs-on (not runs_on) should have two spaces indentation relative to the job identifier. Also, the OS should be ubuntu-latest.
Then, env should have the same indentation as runs-on or name, the same as steps.
Here is the correct WF:
---
name: Build and push python code to gcp with github actions
on:
push:
branches:
- main
jobs:
build_push_grc:
name: Build and push to gcr
runs-on: ubuntu-latest
env:
IMAGE_NAME: learning_cicd
PROJECT_ID: personal-370316
steps:
- name: Checkoutstep
uses: actions/checkout#v2
- uses: google-github-actions/setup-gcloud#master
with:
service_account_key: ${{ secrets.SERVICE_ACCOUNT_KEY}}
project_id: ${{ env.PROJECT_ID }}
export_default_credentials: true
- name: Build Docker Image
run: docker build -t $IMAGE_NAME:latest .
- name: Configure Docker Client
run: |-
gcloud auth configure-docker --quiet
- name: Push Docker Image to Container Registry (GCR)
env:
GIT_TAG: v0.1.0
run: |-
docker tag $IMAGE_NAME:latest gcr.io/$PROJECT_ID/$IMAGE_NAME:latest
docker tag $IMAGE_NAME:latest gcr.io/$PROJECT_ID/$IMAGE_NAME:$GIT_TAG
docker push gcr.io/$PROJECT_ID/$IMAGE_NAME:latest
docker push gcr.io/$PROJECT_ID/$IMAGE_NAME:$GIT_TAG
I would recommend debugging such issues in the GitHub file edit form (editing the yml file in the .github/workflows directory). It will highlight all the issues regarding the workflow syntax. Demo.
I want to run my workflow in a container from private Docker registry:
jobs:
build:
runs-on: ubuntu-latest
container:
image: my-registry.net/my-image:latest
steps:
- ...
Now my docker registry is internal and can be accessed via vpn. So I thought I'd have a workaround by running another job that pulls the image:
jobs:
tailscale:
runs-on: ubuntu-latest
steps:
- name: Connect to Tailscale
uses: tailscale/github-action#v1
with:
authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
version: 1.18.2
- name: Login to Private Container Registry
uses: docker/login-action#v1
with:
registry: my-registry.net
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Pull Image
run: docker pull my-registry.net/my-image:latest
build:
needs: tailscale
runs-on: ubuntu-latest
container:
image: my-registry.net/my-image:latest
steps:
- ...
However, this solution doesn't work because GitHub doesn't use the same runner for different jobs, as discussed here. How do I go about this without using my own runners?
Create an action with your "connecting" code and reuses it because without using your own runner, you need to connect every time in your VPN to get access to your registry.
Below is my dockerfile. Is there a way to cache npm in GitHub action?
FROM node
WORKDIR /app
ADD package*.json ./
RUN npm ci
ENV PATH /app/node_modules/.bin:$PATH
My GitHub actions:
name: NPM buid
on:
push:
branches:
- main
jobs:
build-npm-image:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v1
- name: Build and Tag Node image
id: build-ui-image
run: |
export DOCKER_BUILDKIT=1
docker build -t ui -f ./ui/Dockerfile .
P.S I don't want to cache docker image. Above docker file is used just for example. objection is cache npm dependencies
This can be achieved with actions/setup-node#v3
steps:
- uses: actions/checkout#v3
- uses: actions/setup-node#v3
with:
node-version: current
cache: npm
- name: Build and Tag Node image
id: build-ui-image
run: |
export DOCKER_BUILDKIT=1
docker build -t ui -f ./ui/Dockerfile .
Did you check below action ?
actions/cache#v2
So your Actions yaml would look like below,
name: NPM buid
on:
push:
branches:
- main
jobs:
build-npm-image:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v1
- uses: actions/setup-node#v2
with:
node-version: '14'
- name: Caching node modules
uses: actions/cache#v2
with:
path: "app/node_modules"
key: node-modules-${{ hashFiles('app/package.json') }}
- name: Build and Tag Node image
id: build-ui-image
run: |
export DOCKER_BUILDKIT=1
docker build -t ui -f ./ui/Dockerfile .
Caching npm dependencies will not make a difference if you're building a docker image. You can use actions/setup-node for caching JS or docker/build-push-action for Docker.
I am trying to build an action that is triggered on creating a new release on GitHub which works fine, but I would like to reference the tag in my action:
name: Build production container
on:
release:
types:
- created
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout#v2
- name: Build the Docker image
run: |
echo "${{ SECRET }}" | docker login -u ME --password-stdin docker.pkg.github.com
docker build app/ -t docker.pkg.github.com/REPO_PATH/image:$VERSION
docker push docker.pkg.github.com/REPO_PATH/image:$VERSION
shell: bash
env:
VERSION: 0.0.1
This is my working action, but I would like to automatically pull the tag into the VERSION environment variable. I read the documentation, especially here where the GitHub context is referenced, but I can't seem to find anything about it.
It took me a while to figure out that the action has a different context for each method documented here. So the parameter I was looking for is the and I've set my action up after this example:
name: Build production container
on:
release:
types:
- created
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout#v2
- name: Get Tag Name
id: tag_name
run: |
echo ::set-output name=SOURCE_TAG::${GITHUB_REF#refs/tags/}
- name: Build the Docker image
run: |
echo "${{ SECRET }}" | docker login -u ME --password-stdin docker.pkg.github.com
docker build app/ -t docker.pkg.github.com/REPO_PATH/image:$VERSION
docker push docker.pkg.github.com/REPO_PATH/image:$VERSION
shell: bash
env:
VERSION: ${{ steps.tag_name.outputs.SOURCE_TAG }}
This basically adds getting the source parameter as an extra step, this way I can use it in the environment variables of the next step.
The following is my actions file.
name: ZAP
on: push
jobs:
build:
runs-on: ubuntu-latest
container:
image: owasp/zap2docker-stable
options: --user root
volumes:
- /__w/actions-test-repo/actions-test-repo:/zap/wrk/
steps:
- uses: actions/checkout#v1
- name: view file
run: pwd
- name: run zap
if: always()
run: zap-baseline.py -t https://www.example.com -g gen.conf -r testreport.html
- name: view file
if: always()
run: pwd
I want to bind the directory /zap/wrk/ to a local directory. But when the container starts it does not mount this volume. I got the present working directory and mounted it to the docker container. Is this the correct way to do it?
Results link: https://github.com/sshniro/actions-test-repo/commit/08c0257d92b772a1d33c0b68cb8af99afdef9130/checks?check_suite_id=324032091
Similar issues have been identified in this forum as well.
https://github.community/t5/GitHub-Actions/Container-volumes-key-not-mounting-volume/td-p/34798
The workaround is to use the options parameter.
name: ZAP
on: push
jobs:
build:
runs-on: ubuntu-latest
container:
image: owasp/zap2docker-stable
options: -v /__w/actions-test-repo/actions-test-repo:/zap/wrk/:rw
steps:
- uses: actions/checkout#v2
- name: run zap
if: always()
run: zap-baseline.py -t https://www.example.com -g gen.conf -w testreport.md