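---
# Reusable workflow (`workflow_call`): builds the Docker image in ./context and
# pushes it to the Google Artifact Registry named by the GCP_DOCKER_REGISTRY
# repository variable. Image name is <registry>/<owner/repo>:<image_tag>.
name: Build base images (Generally from basin repo)

on:
  workflow_call:
    inputs:
      # Tag appended to the image name. This value is caller-controlled, so the
      # steps below pass it through `env:` instead of expanding `${{ }}` inside
      # a shell script (expansion in `run:` would allow command injection).
      image_tag:
        required: true
        type: string
      # Whether a vulnerability scan should fail the build. Currently unused:
      # the Grype step that consumes it is disabled below.
      fail_on_scan:
        default: true
        type: boolean
    secrets:
      # Service-account JSON key used by the auth step. Callers pass it
      # explicitly or use `secrets: inherit`.
      GCP_SA_KEY:
        required: true

# Least privilege for GITHUB_TOKEN: the job only checks out source; registry
# access is granted by the GCP service account, not by the token.
permissions:
  contents: read

jobs:
  docker-build-and-push:
    runs-on: ubuntu-22.04  # pinned instead of ubuntu-latest for reproducible builds
    steps:
      - id: get-id
        name: Get a unique tag for this build
        # All pieces of the image name enter the script as environment
        # variables; the shell never sees raw expression expansions.
        env:
          REGISTRY: ${{ vars.GCP_DOCKER_REGISTRY }}
          REPOSITORY: ${{ github.repository }}
          IMAGE_TAG: ${{ inputs.image_tag }}
        run: |
          echo "DOCKER_IMAGE=${REGISTRY}/${REPOSITORY}:${IMAGE_TAG}" >> "$GITHUB_OUTPUT"

      - name: Print image name
        env:
          DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        run: |
          echo "$DOCKER_IMAGE"

      # NOTE(review): consider pinning third-party actions to a full commit SHA
      # rather than a floating major tag to harden the supply chain.
      - uses: actions/checkout@v4

      # 1) Authenticate to GCP with the service-account JSON key.
      #    google-github-actions/auth@v2 also supports keyless Workload
      #    Identity Federation, which avoids storing a long-lived key as a
      #    repository secret.
      - name: Auth to GCP
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      # 2) Install gcloud. Credentials come from the auth step above;
      #    `export_default_credentials` was an input of the pre-v1 action and
      #    is not consumed by setup-gcloud@v2, so it is not passed here.
      - name: Set up gcloud
        uses: google-github-actions/setup-gcloud@v2
        with:
          project_id: ${{ vars.GCP_PROJECT_ID }}

      - name: Configure Docker for GAR
        env:
          GCP_REGION: ${{ vars.GCP_REGION }}
        run: |
          gcloud auth configure-docker "${GCP_REGION}-docker.pkg.dev"

      - name: Build and push the Docker image
        env:
          DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        run: |
          docker build \
            --file context/Dockerfile \
            --tag "$DOCKER_IMAGE" \
            ./context

      - name: Container details
        env:
          DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        run: |
          IMAGE_SIZE=$(docker inspect -f "{{ .Size }}" "$DOCKER_IMAGE" | numfmt --to=si)
          echo "$IMAGE_SIZE container $DOCKER_IMAGE"

      # Vulnerability scan is currently disabled; while it is, the
      # `fail_on_scan` input has no effect. Re-enable by uncommenting.
      # - name: Scan Docker Image for vulnerabilities with Grype
      #   uses: anchore/scan-action@v6
      #   with:
      #     image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
      #     cache-db: true  # cache the Grype DB in GitHub Actions
      #     output-format: table
      #     only-fixed: true
      #     severity-cutoff: critical
      #     fail-build: ${{ inputs.fail_on_scan }}

      - name: Push the container image
        env:
          DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        run: |
          docker push "$DOCKER_IMAGE"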