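---
# Reusable workflow: build a Docker image from the calling repository and push
# it to a private registry. Registry, submodule and npm credentials are fetched
# from Vault; optional extra build args are looked up in Vault by name.
name: Workflow to build and push docker image to registry

on:
  workflow_call:
    inputs:
      APP_NAME:
        required: true
        type: string
        description: Application name which would be the name of Docker and Helm release
      REGISTRY:
        required: true
        type: string
      DOCKERFILE_PATH:
        type: string
        default: Dockerfile
      USER_FOR_IMAGE_STORE:
        type: string
        default: registry-bot
      VAULT_SECRETS_PATH:
        type: string
        default: ""
        description: "Path in Vault to fetch build-time secrets (e.g., cicd/data/gmt-client)"
      BUILD_ARG_NAMES:
        type: string
        default: ""
        description: "Comma-separated list of build arg names to fetch from Vault"
    secrets:
      VAULT_TOKEN:
        required: true

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege: the job only reads the repository; registry access uses
    # Vault-sourced credentials rather than GITHUB_TOKEN.
    permissions:
      contents: read
    container:
      image: catthehacker/ubuntu:act-22.04
    steps:
      # NOTE(review): third-party actions are referenced by mutable major tags
      # (@v2/@v4); pinning each `uses:` to a full commit SHA is the supply-chain
      # recommendation.
      - name: Import Secrets
        uses: hashicorp/vault-action@v2
        with:
          url: https://vault.project-quest-dev.com
          token: ${{ secrets.VAULT_TOKEN }}
          # Each fetched value is exported as an env var for the following steps.
          secrets: |
            cicd/data/docker password | REGISTRY_PASSWORD ;
            cicd/data/docker username | REGISTRY_USERNAME ;
            cicd/data/submodule token | SUBMODULE_TOKEN ;
            cicd/data/submodule npm_token | NPM_TOKEN ;

      - name: Import Build Args from Vault
        if: ${{ inputs.VAULT_SECRETS_PATH != '' && inputs.BUILD_ARG_NAMES != '' }}
        uses: hashicorp/vault-action@v2
        with:
          url: https://vault.project-quest-dev.com
          token: ${{ secrets.VAULT_TOKEN }}
          # NOTE(review): with the `*` wildcard, vault-action appears to use the
          # output name as a prefix for every exported variable — confirm that the
          # exported names match the bare key names "Prepare Build Args" looks up.
          secrets: |
            ${{ inputs.VAULT_SECRETS_PATH }} * | BUILD_SECRETS_RAW ;

      - name: Checkout code
        uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0
          token: ${{ env.SUBMODULE_TOKEN }}

      - name: Set up Docker BuildX
        uses: docker/setup-buildx-action@v2
        with:
          driver-opts: network=host
          # Marks the target registry as insecure (plain HTTP / no TLS
          # verification) for the buildx builder. NOTE(review): buildkitd.toml
          # normally expresses this as `[registry."<host>"]` with
          # `http = true` / `insecure = true`, and the plain `docker build` below
          # may not go through this builder at all — verify the setting is effective.
          config-inline: |
            [registries.insecure]
            "${{ inputs.REGISTRY }}" = true

      - name: Extract version from tag or set commit SHA
        id: vars
        # Reads the runner-provided env vars instead of interpolating
        # `${{ github.* }}` into the script text: a tag name is not trusted
        # input for a shell.
        run: |
          if [ "$GITHUB_REF_TYPE" = "tag" ]; then
            VERSION="$GITHUB_REF_NAME"
          else
            VERSION="${GITHUB_SHA:0:7}"
          fi
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"

      - name: Prepare Build Args
        if: ${{ inputs.BUILD_ARG_NAMES != '' }}
        env:
          BUILD_ARG_NAMES: ${{ inputs.BUILD_ARG_NAMES }}
        # Produces BUILD_ARGS_FLAGS as a list of value-less `--build-arg NAME`
        # flags: docker build takes the value of a value-less build arg from the
        # environment, so the secret values never reach GITHUB_ENV or the log.
        run: |
          BUILD_ARGS_FLAGS=""
          # Split the comma-separated list of argument names.
          IFS=',' read -ra ARG_NAMES <<< "$BUILD_ARG_NAMES"
          for arg_name in "${ARG_NAMES[@]}"; do
            # Trim surrounding whitespace.
            arg_name=$(echo "$arg_name" | xargs)
            if [ -z "$arg_name" ]; then
              continue
            fi
            # Only plain identifiers are accepted: the name is used both as an
            # env var lookup and as a docker CLI flag argument.
            if ! [[ "$arg_name" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
              echo "⚠ Warning: '$arg_name' is not a valid build arg name, skipping"
              continue
            fi
            # vault-action exports each fetched key as its own env variable.
            arg_value=$(printenv "$arg_name" 2>/dev/null || true)
            if [ -n "$arg_value" ]; then
              BUILD_ARGS_FLAGS="$BUILD_ARGS_FLAGS --build-arg $arg_name"
              echo "✓ Build arg added: $arg_name"
            else
              echo "⚠ Warning: $arg_name not found in Vault secrets"
            fi
          done
          echo "BUILD_ARGS_FLAGS=$BUILD_ARGS_FLAGS" >> "$GITHUB_ENV"
          echo "Build args flags: $BUILD_ARGS_FLAGS"

      - name: Login to Docker registry
        uses: docker/login-action@v2
        with:
          registry: ${{ inputs.REGISTRY }}
          username: ${{ env.REGISTRY_USERNAME }}
          password: ${{ env.REGISTRY_PASSWORD }}

      - name: Build Docker image
        # Inputs are passed through `env:` rather than interpolated into the
        # script so that their content cannot alter the shell command line.
        env:
          REGISTRY: ${{ inputs.REGISTRY }}
          IMAGE_USER: ${{ inputs.USER_FOR_IMAGE_STORE }}
          APP_NAME: ${{ inputs.APP_NAME }}
          DOCKERFILE_PATH: ${{ inputs.DOCKERFILE_PATH }}
        run: |
          IMAGE="$REGISTRY/$IMAGE_USER/$APP_NAME:$VERSION"
          echo "IMAGE=$IMAGE" >> "$GITHUB_ENV"
          # NOTE(review): the build arg is named SUBMODULE_TOKEN but receives
          # NPM_TOKEN, as in the original workflow — confirm against the Dockerfile.
          # Build-arg values are recorded in image metadata; for secrets prefer
          # BuildKit `--secret` with `RUN --mount=type=secret` in the Dockerfile.
          # shellcheck disable=SC2086 -- BUILD_ARGS_FLAGS is a list of validated flags
          docker build \
            --build-arg SUBMODULE_TOKEN="$NPM_TOKEN" \
            ${BUILD_ARGS_FLAGS:-} \
            -f "$DOCKERFILE_PATH" \
            -t "$IMAGE" \
            .

      - name: Push Docker image
        run: |
          docker push "$IMAGE"

      - name: Logout from Docker registry
        # Runs even when build/push failed so registry credentials do not
        # linger on the runner.
        if: always()
        env:
          REGISTRY: ${{ inputs.REGISTRY }}
        run: docker logout "$REGISTRY"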