fist commit

.github/workflows/build.yaml

@@ -0,0 +1,9 @@
+name: Build
+on: [push]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+    - name: Build the Docker image
+      run: docker build .

Dockerfile

@@ -0,0 +1,9 @@
+FROM mcr.microsoft.com/azure-cli as runtime
+LABEL "repository"="https://github.com/Azure/acr-build"
+LABEL "maintainer"="Alessandro Vozza"
+
+ADD entrypoint.sh /entrypoint.sh
+RUN ["chmod", "+x", "/entrypoint.sh"]
+ENTRYPOINT ["/entrypoint.sh"]
+
+FROM runtime

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Lars
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,153 @@
+# Build images with Azure Container Registry
+
+This action can be used to build containers using an Azure Container Registry. 
+
+## Action capabilities
+
+Following the capabilities of this action:
+
+- **Custom Dockerfile path:** It is possible to specify a path for the `Dockerfile`
+
+- **Build context:** Allows to specify the build context for the image
+
+- **Default tag:** The action will default to use the first 8 characters of the commit SHA if no tag is specified
+
+- **Private repositories:**: It is possible to use private Github repositories by providing a `github_token`
+
+## Action inputs:
+
+<table>
+  <thead>
+    <tr>
+      <th>Action inputs</th>
+      <th>Description</th>
+      <th>Default</th>
+    </tr>
+  </thead>
+
+  <tr>
+    <td><code>dockerfile</code><br/></td>
+    <td>(Optional) Path to the Dockerfile relative to `folder`</td>
+    <td><code>./Dockerfile</code></td>
+  </tr>
+
+  <tr>
+    <td><code>folder</code><br/></td>
+    <td>(Optional) Build context for Docker agent</td>
+    <td><code>./</code></td>
+  </tr>
+
+  <tr>
+    <td><code>repository</code><br/></td>
+    <td>(Mandatory) The repository on the Azure Container Registry</td>
+    <td></td>
+  </tr>
+
+  <tr>
+    <td><code>image</code><br/></td>
+    <td>(Mandatory) Docker image name</td>
+    <td></td>
+  </tr>
+
+  <tr>
+    <td><code>tag</code><br/></td>
+    <td>(Optional) Docker image tag</td>
+    <td><code>GITHUB_SHA::8</code></td>
+  </tr>
+
+  <tr>
+    <td><code>git_access_token</code><br/></td>
+    <td>(Optional) The Github access token for private repositories</td>
+    <td><code>GITHUB_SHA::8</code></td>
+  </tr>
+
+  <tr>
+    <td><code>registry</code><br/></td>
+    <td>(Mandatory)The Azure Container Registry name</td>
+    <td></td>
+  </tr>
+
+  <tr>
+    <td><code>tenant</code><br/></td>
+    <td>(Mandatory)The ACR tenant</td>
+    <td></td>
+  </tr>
+
+  <tr>
+    <td><code>service_principal</code><br/></td>
+    <td>(Mandatory) The Service Principal credentials</td>
+    <td></td>
+  </tr>
+
+  <tr>
+    <td><code>service_principal_password</code><br/></td>
+    <td>(Mandatory) The Service Principal credentials </td>
+    <td></td>
+  </tr>  
+
+  <tr>
+    <td><code>build_args</code><br/></td>
+    <td>(Optional) Build arguments </td>
+    <td></td>
+  </tr>
+
+</table>
+
+## Example usage
+
+Create an SP with Contributor access to the Azure Container Registry
+
+```bash
+az ad sp create-for-rbac -n "acrtask0" --skip-assignment
+az role assignment create --assignee <spID> --scope <resourceID of the ACR> --role "Contributor"
+```
+
+In your repository, create the following secrets (or set them in clear in the workflow definition):
+
+- service_principal
+- service_principal_password
+- tenant
+- registry
+- repository
+- (optional, for accessing private repositories) git_access_token 
+
+In `.github/workflows` create a workflow file like the following:
+
+```yaml
+name: build_image
+on:
+  push:
+    paths:
+      - "src/docker/**"
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: ACR build
+        id: acr
+        uses: azure/acr-build@v1
+        with:
+          service_principal: ${{ secrets.service_principal }}
+          service_principal_password: ${{ secrets.service_principal_password }}
+          tenant: ${{ secrets.tenant }}
+          registry: ${{ secrets.registry }}
+          repository: ${{ secrets.repository }}
+          image: image
+          git_access_token: ${{ secrets.git_access_token }}
+          folder: src/docker
+          dockerfile: ../../dockerfiles/Dockerfile
+```
+
+# Contributing
+
+This project welcomes contributions and suggestions.  Most contributions require you to agree to a
+Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
+the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
+
+When you submit a pull request, a CLA bot will automatically determine whether you need to provide
+a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
+provided by the bot. You will only need to do this once across all repos using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
+contact [[email protected]](mailto:[email protected]) with any additional questions or comments.

SECURITY.md

@@ -0,0 +1,35 @@
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.1 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [many more](https://opensource.microsoft.com/).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets Microsoft's [definition](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)) of a security vulnerability, please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.** Instead, please report them to the Microsoft Security Response Center at [[email protected]](mailto:[email protected]).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://technet.microsoft.com/en-us/security/dn606155).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->

action.yml

@@ -0,0 +1,46 @@
+name: "Azure Container Registry Build"
+author: "Alessandro Vozza"
+branding:
+  icon: "code"
+  color: "blue"
+description: "Use ACR to build a container image"
+inputs:
+  service_principal:
+    description: "Service Principal with Contributor role on the ACR"
+    required: true
+  service_principal_password:
+    description: "Service Principal password"
+    required: true
+  tenant:
+    description: "Azure Container Registry tenant"
+    required: true
+  registry:
+    description: "The name of the ACR, minus the .azurecr.io"
+    required: true
+  repository:
+    description: "Repository to use"
+    required: true
+  git_access_token:
+    description: 'Github access token for private repositories'
+    required: true
+  image:
+    description: "Docker image name"
+    required: false
+  tag:
+    description: "Docker image tag, default to the commit SHA"
+    required: false
+  branch:
+    description: "Branch to build from, defaults to master"
+    required: false
+  folder:
+    description: "The folder in the Github repo that holds the source"
+    required: true
+  dockerfile:
+    description: "The location of the Dockerfile; defaults to ./Dockerfile"
+    required: false
+  build_args:
+    description: "JSON specifying key=value pairs as as Docker build arguments"
+    required: false
+runs:
+  using: "docker"
+  image: "Dockerfile"

entrypoint.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -e
+
+INPUT_DOCKERFILE=${INPUT_DOCKERFILE:-Dockerfile}
+INPUT_TAG=${INPUT_TAG:-${GITHUB_SHA::8}}
+INPUT_BRANCH=${INPUT_BRANCH:-master}
+IMAGE_PART=""
+if [ -n "$INPUT_BUILD_ARGS" ]; then
+        BUILD_ARGS=`echo -n ${INPUT_BUILD_ARGS:-''} |jq -j '.[] | keys[] as $k | values[] as $v |  "--build-arg \($k)=\"\($v)\" "'`
+fi
+
+if [ "$INPUT_IMAGE" != "" ]; then
+        IMAGE_PART="/${INPUT_IMAGE}"
+fi
+
+if [ -n "$INPUT_GIT_ACCESS_TOKEN" ]; then
+        GIT_ACCESS_TOKEN_FLAG="${INPUT_GIT_ACCESS_TOKEN}@"
+fi
+
+echo "Building Docker image ${INPUT_REPOSITORY}${IMAGE_PART}:${INPUT_TAG} from ${GITHUB_REPOSITORY} on ${INPUT_BRANCH} and using context ${INPUT_FOLDER} ; and pushing it to ${INPUT_REGISTRY} Azure Container Registry"
+
+echo "Logging into azure.."
+az login --service-principal -u ${INPUT_SERVICE_PRINCIPAL} -p ${INPUT_SERVICE_PRINCIPAL_PASSWORD} --tenant ${INPUT_TENANT}
+
+echo "Sending build job to ACR.."
+az acr build -r ${INPUT_REGISTRY} ${BUILD_ARGS} -f ${INPUT_DOCKERFILE} -t ${INPUT_REPOSITORY}${IMAGE_PART}:${INPUT_TAG} https://${GIT_ACCESS_TOKEN_FLAG}github.com/${GITHUB_REPOSITORY}.git#${INPUT_BRANCH}:${INPUT_FOLDER}