build(deps): bump debian from 4e401d9 to 28de087 in /latex (#606)
#2149
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Docker | |
| on: | |
| push: | |
| pull_request: | |
| schedule: | |
| - cron: "0 0 * * 0" | |
| workflow_dispatch: | |
| permissions: {} | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| jobs: | |
| docker-test: | |
| # Builds and tests the (potentially untrusted) PR code. Runs for every | |
| # non-tag event with only read access and no secrets, so executing the | |
| # Dockerfile's RUN steps cannot reach the registry or signing credentials. | |
| if: ${{ ! startsWith(github.ref, 'refs/tags/') }} | |
| permissions: | |
| # Required to clone repo | |
| contents: read | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Set IMAGE | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}" | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 | |
| - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 | |
| - uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 | |
| id: meta | |
| with: | |
| images: ${{ github.repository_owner }}/${{ env.IMAGE }} | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=sha | |
| - name: Test the Docker image | |
| working-directory: ${{ env.IMAGE }} | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| docker compose -f docker-compose.test.yml run sut | |
| - name: Build the Docker image | |
| uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 | |
| with: | |
| # zizmor: ignore[template-injection] no user input | |
| context: ${{ env.IMAGE }} | |
| platforms: linux/amd64,linux/arm64 | |
| pull: true | |
| push: false | |
| sbom: true | |
| provenance: mode=max | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| docker-build-push: | |
| # Publishes and signs the image and triggers the release. Only runs on the | |
| # trusted main branch, which is the only place the write, id-token and | |
| # registry credentials are exposed. | |
| needs: docker-test | |
| if: github.ref == 'refs/heads/main' | |
| permissions: | |
| # Required to create a release | |
| contents: write | |
| # Required to sign the Docker image | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Set IMAGE | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}" | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - name: Set SOURCE_DATE_EPOCH | |
| run: | | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV}" | |
| - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 | |
| - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 | |
| - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 | |
| - uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 | |
| id: meta | |
| with: | |
| images: ${{ github.repository_owner }}/${{ env.IMAGE }} | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=sha | |
| - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 | |
| id: build | |
| with: | |
| # zizmor: ignore[template-injection] no user input | |
| context: ${{ env.IMAGE }} | |
| platforms: linux/amd64,linux/arm64 | |
| pull: true | |
| push: true | |
| sbom: true | |
| provenance: mode=max | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Sign the Docker image | |
| working-directory: ${{ env.IMAGE }} | |
| env: | |
| DIGEST: ${{ steps.build.outputs.digest }} | |
| TAGS: ${{ steps.meta.outputs.tags }} | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| images=() | |
| for tag in ${TAGS}; do | |
| images+=("${tag}@${DIGEST}") | |
| done | |
| cosign sign --recursive --yes "${images[@]}" | |
| - name: Set VERSION | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| VERSION="$(\grep "${IMAGE}/Dockerfile" -e '^FROM' | \head -n 1 | \sed -e 's/@.*$//; s/^.*://;')" | |
| if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] ; then | |
| echo "VERSION=${VERSION}" >> "${GITHUB_ENV}" | |
| fi | |
| - name: Check if release already exists | |
| if: env.VERSION != '' | |
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 | |
| id: check-release | |
| with: | |
| script: | | |
| const { VERSION } = process.env | |
| return github.rest.repos.getReleaseByTag({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| tag: `v${VERSION}`, | |
| }).then(function(result) { | |
| core.debug(JSON.stringify(result)) | |
| core.info(`Release ${result.data.tag_name} found`) | |
| return result.data.tag_name | |
| }).catch(function(error) { | |
| if (error.status === 404) { | |
| core.info(`Release v${VERSION} not found`) | |
| return | |
| } else { | |
| throw error | |
| } | |
| }) | |
| result-encoding: string | |
| - name: Trigger Release | |
| if: env.VERSION != '' && steps.check-release.outputs.result == 'undefined' | |
| env: | |
| GH_TOKEN: ${{ secrets.RELEASE_TOKEN }} | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| gh release create --generate-notes "v${VERSION}" --title "${VERSION}" |