chore: push verification images

coreruleset · Feb 1, 2025 · cfb8211 · cfb8211
1 parent 23f0766
commit cfb8211
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 11 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -62,7 +62,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: 'Build and push to Docker Hub: ${{ matrix.target }}'
+      - name: 'Build and push ${{ matrix.target }}'
         id: build-and-push
         uses: docker/[email protected]
         with:

diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
@@ -5,7 +5,7 @@ on:
     branches:
       - main
 env:
-  REPO: "owasp/modsecurity-crs"
+  REPO: "ghcr.io/coreruleset/modsecurity-crs"
   # sha256sum format: <hash><space><format (space for text)><file name>
   MODSECURITY_RECOMMENDED: "ccff8ba1f12428b34ff41960d8bf773dd9f62b9a7c77755247a027cb01896d4f  modsecurity.conf-recommended"
 
@@ -51,30 +51,43 @@ jobs:
         with:
           driver-opts: image=moby/buildkit:master
 
-      - name: Build images
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push verification images
         uses: docker/[email protected]
+        env:
+          # push only to GHCR
+          REPOS: "${REPO}"
         with:
           files: |
             ./docker-bake.hcl
           targets: ${{ matrix.target }}
+          # Build only linux/amd64 and tag the images as verification builds.
+          # This way we can pull images after verification and test them manually, if we need to.
           set: |
             *.platform=linux/amd64
+            ${{ matrix.target }}.tags=${{ github.env.REPO }}:${{ matrix.target }}-verification
           load: true
-          push: false
+          push: true
 
       - name: Run ${{ matrix.target }}
         run: |
           . .github/workflows/configure-rules-for-test.sh \
             src/opt/modsecurity/configure-rules.conf \
             README.md \
             "${{ matrix.target }}.env"
-          echo "Starting container ${{ matrix.target }}"
+          echo "Starting container ${{ matrix.target }}-verification"
           docker run \
             --pull "never" \
             -d \
             --name ${{ matrix.target }}-test \
             --env-file "${{ matrix.target }}.env" \
-            "${REPO}:${{ matrix.target }}"
+            "${REPO}:${{ matrix.target }}-verification"
           sleep 30
           docker logs ${{ matrix.target }}-test
 

diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -49,10 +49,7 @@ variable "lua-modules-debian" {
 
 variable "REPOS" {
     # List of repositories to tag
-    default = [
-        "owasp/modsecurity-crs",
-        "ghcr.io/coreruleset/modsecurity-crs",
-    ]
+    default = "owasp/modsecurity-crs, ghcr.io/coreruleset/modsecurity-crs"
 }
 
 variable "nginx-dynamic-modules" {
@@ -80,7 +77,7 @@ function "patch" {
 
 function "tag" {
     params = [tag]
-    result = [for repo in REPOS : "${repo}:${tag}"]
+    result = [for repo in split(",", REPOS) : "${trimspace(repo)}:${tag}"]
 }
 
 function "vtag" {