From 24d81b9da221d71424581acee3e9284635e8260c Mon Sep 17 00:00:00 2001 From: 5B96790E3664F40075A67E6ADF737EDB15B4408DBC91A81228B31537B0CE3E26 <33426478+iadgovuser29@users.noreply.github.com> Date: Wed, 6 Mar 2024 20:51:13 -0500 Subject: [PATCH] create_aca_images workflow passes branch ref to dockerfiles (#729) * Update ACA image workflow to pass ref to dockerfiles [no ci] * Use GITHUB_REF_NAME instead [no ci] * Change variable usage [no ci] * Use build arg instead of env [no ci] --- .ci/docker/Dockerfile.aca-rocky | 5 ++++- .ci/docker/Dockerfile.aca-windows | 7 +++++-- .github/workflows/create_aca_images.yml | 6 ++++-- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.ci/docker/Dockerfile.aca-rocky b/.ci/docker/Dockerfile.aca-rocky index 38d378f5..9adeb815 100644 --- a/.ci/docker/Dockerfile.aca-rocky +++ b/.ci/docker/Dockerfile.aca-rocky @@ -3,6 +3,9 @@ LABEL org.opencontainers.image.vendor NSA Laboratory for Advanced Cybersecurity LABEL org.opencontainers.image.source https://github.com/nsacyber/hirs LABEL org.opencontainers.image.description NSA\'s HIRS Attestation Certificate Authority. Expose port 8443 to access the portal from outside the container. +# REF can be specified as a docker run environment variable to select the HIRS branch to work with +ARG REF=main + SHELL ["/bin/bash", "-c"] # Rocky 9 has a different channel for some apps @@ -50,7 +53,7 @@ RUN echo "#!/bin/bash" > /tmp/tpm_config && \ EXPOSE 8443 # Checkout HIRS -RUN git clone -b main https://github.com/nsacyber/HIRS.git /repo +RUN git clone -b ${REF} https://github.com/nsacyber/HIRS.git /repo # Defensive copy of the repo so it's easy to start fresh if needed RUN mkdir /hirs diff --git a/.ci/docker/Dockerfile.aca-windows b/.ci/docker/Dockerfile.aca-windows index cc61a4e5..e360c77e 100644 --- a/.ci/docker/Dockerfile.aca-windows +++ b/.ci/docker/Dockerfile.aca-windows 
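Review bot: The comment added above `ARG REF=main` says REF can be set as a "docker run environment variable", but an `ARG` exists only at build time and `docker run -e REF=...` has no effect on which branch was cloned. The same comment is added in Dockerfile.aca-windows. Suggested wording for both: `# REF is a build argument (docker build --build-arg REF=<branch>) that selects the HIRS branch to clone; defaults to main`.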
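Review bot: `${REF}` is expanded unquoted by bash on the `git clone` line, so a value containing whitespace or glob characters is split or expanded before git sees it; quote it: `RUN git clone -b "${REF}" https://github.com/nsacyber/HIRS.git /repo`. Separately, the clone takes whatever the branch tip is when the layer is built, so the image is not tied to the commit that triggered the workflow, and a cached layer can hold an older tip. Recording `git -C /repo rev-parse HEAD` in the build output or in an image label would make the image contents traceable.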
@@ -9,6 +9,9 @@ LABEL org.opencontainers.image.source https://github.com/nsacyber/hirs LABEL org.opencontainers.image.description NSA\'s HIRS Attestation Certificate Authority in a Windows-native image. Expose port 8443 to access the portal from outside the container. LABEL org.opencontainers.image.base.name mcr.microsoft.com/powershell:${BASE_IMAGE_TAG} +# REF can be specified as a docker run environment variable to select the HIRS branch to work with +ARG REF=main + SHELL ["pwsh", "-Command"] # Output Powershell Version @@ -105,11 +108,11 @@ RUN setx PATH '%JAVA_HOME%\bin;C:\Program Files\MariaDB 11.1\bin;%GIT_HOME%\bin; # Echo PATH after update RUN echo $Env:PATH -# Clone HIRS main +# Clone HIRS main (or REF) WORKDIR C:/ RUN git config --global --add core.autocrlf false RUN git config --global --add safe.directory '*' -RUN git clone -b main https://github.com/nsacyber/hirs.git C:/repo +RUN git clone -b ${REF} https://github.com/nsacyber/hirs.git C:/repo # Defensive copy of the repo so it's easy to start fresh if needed WORKDIR C:/repo diff --git a/.github/workflows/create_aca_images.yml b/.github/workflows/create_aca_images.yml index 04c817f4..1a9008b1 100644 --- a/.github/workflows/create_aca_images.yml +++ b/.github/workflows/create_aca_images.yml @@ -51,6 +51,7 @@ jobs: echo "PUBLIC_IMAGE_TAG=$PUBLIC_IMAGE_NAME:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT" - name: Print env run: | + echo GITHUB_REF_NAME=${{ github.ref_name }} echo DOCKERFILE_ROCKY=$DOCKERFILE_ROCKY echo DOCKERFILE_WINDOWS=$DOCKERFILE_WINDOWS echo IMAGE_NAME_ROCKY=$IMAGE_NAME_ROCKY @@ -86,6 +87,7 @@ jobs: with: context: "{{defaultContext}}:.ci/docker" file: Dockerfile.${{env.DOCKERFILE_ROCKY}} + build-args: REF=${{ github.ref_name }} tags: ${{env.TAG}} push: true 
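Review bot: With `SHELL ["pwsh", "-Command"]` in effect, `${REF}` on the `git clone` line is, as far as I can tell, read by PowerShell as a PowerShell variable rather than as the build argument, which Docker hands to RUN as an environment variable. The `RUN echo $Env:PATH` line in this same hunk already uses the environment form. If that reading is right, the branch argument comes out empty and the clone does not select REF. Consider `RUN git clone -b $Env:REF https://github.com/nsacyber/hirs.git C:/repo`, and confirm with a build that passes a non-default REF.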
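Review bot: The added `echo GITHUB_REF_NAME=${{ github.ref_name }}` line pastes the ref name into the script text before the shell parses it, so a ref name containing shell metacharacters is interpreted by the shell instead of printed. The two later hunks that add `docker build --build-arg "REF=${{ github.ref_name }}"` have the same pattern, and the double quotes there do not stop command substitution. Read the value from the runner environment instead: `echo "GITHUB_REF_NAME=$GITHUB_REF_NAME"` here and `--build-arg "REF=$GITHUB_REF_NAME"` in the build steps (`$Env:GITHUB_REF_NAME` if those steps run under PowerShell; the shell setting is outside these hunks).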
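Review bot: `build-args: REF=${{ github.ref_name }}` assumes the ref name is something `git clone -b` can resolve on the hard-coded nsacyber/HIRS remote, which does not hold for every event type; on pull_request runs the ref name has the form `<number>/merge`. The workflow triggers are outside this hunk, so confirm the job only runs for branch or tag refs. Otherwise add a guard to the job or fall back to the default, for example `build-args: REF=${{ github.ref_type == 'branch' && github.ref_name || 'main' }}`.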
@@ -108,7 +110,7 @@ jobs: - name: Build the docker image for ${{ github.repository }} run: | cd ./.ci/docker - docker build -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} . + docker build --build-arg "REF=${{ github.ref_name }}" -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} . - name: Push the docker image run: | @@ -133,7 +135,7 @@ jobs: - name: Build the docker image for ${{ github.repository }} run: | cd ./.ci/docker - docker build -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} --build-arg BASE_IMAGE_TAG=lts-windowsservercore-1809 . + docker build --build-arg "REF=${{ github.ref_name }}" -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} --build-arg BASE_IMAGE_TAG=lts-windowsservercore-1809 . - name: Push the docker image run: |