Skip to content

build(deps): bump debian from 4e401d9 to 28de087 in /latex (#606) #2149

build(deps): bump debian from 4e401d9 to 28de087 in /latex (#606)

build(deps): bump debian from 4e401d9 to 28de087 in /latex (#606) #2149

---
name: Docker
on:
push:
pull_request:
schedule:
- cron: "0 0 * * 0"
workflow_dispatch:
permissions: {}
env:
DOCKER_BUILDKIT: 1
jobs:
docker-test:
# Builds and tests the (potentially untrusted) PR code. Runs for every
# non-tag event with only read access and no secrets, so executing the
# Dockerfile's RUN steps cannot reach the registry or signing credentials.
if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
permissions:
# Required to clone repo
contents: read
runs-on: ubuntu-latest
steps:
- name: Set IMAGE
shell: bash
run: |
set -euo pipefail
IFS=$'\n\t'
echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 1
persist-credentials: false
- uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
- uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
id: meta
with:
images: ${{ github.repository_owner }}/${{ env.IMAGE }}
tags: |
type=schedule
type=ref,event=branch
type=ref,event=pr
type=sha
- name: Test the Docker image
working-directory: ${{ env.IMAGE }}
shell: bash
run: |
set -euo pipefail
IFS=$'\n\t'
docker compose -f docker-compose.test.yml run sut
- name: Build the Docker image
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
with:
# zizmor: ignore[template-injection] no user input
context: ${{ env.IMAGE }}
platforms: linux/amd64,linux/arm64
pull: true
push: false
sbom: true
provenance: mode=max
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
docker-build-push:
# Publishes and signs the image and triggers the release. Only runs on the
# trusted main branch, which is the only place the write, id-token and
# registry credentials are exposed.
needs: docker-test
if: github.ref == 'refs/heads/main'
permissions:
# Required to create a release
contents: write
# Required to sign the Docker image
id-token: write
runs-on: ubuntu-latest
steps:
- name: Set IMAGE
shell: bash
run: |
set -euo pipefail
IFS=$'\n\t'
echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 1
persist-credentials: false
- name: Set SOURCE_DATE_EPOCH
run: |
set -euo pipefail
IFS=$'\n\t'
echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV}"
- uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
- uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
- uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
id: meta
with:
images: ${{ github.repository_owner }}/${{ env.IMAGE }}
tags: |
type=schedule
type=ref,event=branch
type=ref,event=pr
type=sha
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
id: build
with:
# zizmor: ignore[template-injection] no user input
context: ${{ env.IMAGE }}
platforms: linux/amd64,linux/arm64
pull: true
push: true
sbom: true
provenance: mode=max
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Sign the Docker image
working-directory: ${{ env.IMAGE }}
env:
DIGEST: ${{ steps.build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
shell: bash
run: |
set -euo pipefail
IFS=$'\n\t'
images=()
for tag in ${TAGS}; do
images+=("${tag}@${DIGEST}")
done
cosign sign --recursive --yes "${images[@]}"
- name: Set VERSION
shell: bash
run: |
set -euo pipefail
IFS=$'\n\t'
VERSION="$(\grep "${IMAGE}/Dockerfile" -e '^FROM' | \head -n 1 | \sed -e 's/@.*$//; s/^.*://;')"
if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] ; then
echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"
fi
- name: Check if release already exists
if: env.VERSION != ''
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
id: check-release
with:
script: |
const { VERSION } = process.env
return github.rest.repos.getReleaseByTag({
owner: context.repo.owner,
repo: context.repo.repo,
tag: `v${VERSION}`,
}).then(function(result) {
core.debug(JSON.stringify(result))
core.info(`Release ${result.data.tag_name} found`)
return result.data.tag_name
}).catch(function(error) {
if (error.status === 404) {
core.info(`Release v${VERSION} not found`)
return
} else {
throw error
}
})
result-encoding: string
- name: Trigger Release
if: env.VERSION != '' && steps.check-release.outputs.result == 'undefined'
env:
GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
shell: bash
run: |
set -euo pipefail
IFS=$'\n\t'
gh release create --generate-notes "v${VERSION}" --title "${VERSION}"