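---
# Build and test the repository's Docker image on every push, pull request
# and weekly schedule; on main additionally push it, sign it by digest and
# create a GitHub release when the Dockerfile's base-image version has no
# matching "vX.Y.Z" release yet.
name: Docker

on:  # yamllint disable-line rule:truthy
  push:
  pull_request:
  schedule:
    - cron: "0 0 * * 0"
  workflow_dispatch:

# Default-deny at the workflow level; the job grants only what it needs.
permissions: {}

env:
  DOCKER_BUILDKIT: 1

jobs:
  docker-build-push:
    # Skip tag pushes; this job only builds from branches, PRs and the schedule.
    if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
    permissions:
      # Required to create a release
      # NOTE(review): the release below is created with RELEASE_TOKEN, not the
      # job token, so this grant may be unneeded — confirm before dropping it.
      contents: write
      # Required to sign the Docker image (keyless cosign via OIDC)
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: Set IMAGE
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          # "owner/docker-foo" -> "foo". The image name is also the
          # subdirectory holding the Dockerfile and docker-compose.test.yml.
          echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
      - name: Free disk space
        run: |
          sudo rm -rf /usr/share/dotnet # not using .NET
          sudo rm -rf /usr/local/lib/android # not building Android
          sudo rm -rf /opt/ghc # not using Haskell
          docker system prune -af --volumes
          sudo apt-get clean
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 1
          # Keep the job token out of .git/config for the remaining steps.
          persist-credentials: false
      - name: Set SOURCE_DATE_EPOCH
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          # Commit timestamp of HEAD, so build timestamps are reproducible.
          echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV}"
      # cosign is only needed by the signing step, which runs on main only.
      - if: github.ref == 'refs/heads/main'
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
      - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        id: meta
        with:
          images: ${{ github.repository_owner }}/${{ env.IMAGE }}
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=sha
      - name: Test the Docker image
        working-directory: ${{ env.IMAGE }}
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          docker compose -f docker-compose.test.yml run sut
      # Registry credentials are only provided where a push can happen.
      - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        if: github.ref == 'refs/heads/main'
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
        id: build
        with:
          # zizmor: ignore[template-injection] no user input
          context: ${{ env.IMAGE }}
          platforms: linux/amd64,linux/arm64
          pull: true
          # Only main publishes; every other ref builds without pushing.
          push: ${{ github.ref == 'refs/heads/main' }}
          sbom: true
          provenance: mode=max
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Sign the Docker image
        if: github.ref == 'refs/heads/main'
        working-directory: ${{ env.IMAGE }}
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          # Sign each tag pinned to the built digest rather than the mutable
          # tag alone; TAGS is split on the newline/tab IFS set above.
          images=()
          for tag in ${TAGS}; do
            images+=("${tag}@${DIGEST}")
          done
          cosign sign --recursive --yes "${images[@]}"
      - name: Set VERSION
        if: github.ref == 'refs/heads/main'
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          # Derive the release version from the tag of the first FROM line:
          # strip a "-variant@digest" suffix, then everything up to the last
          # colon (e.g. "FROM <base>:3.12-slim@sha256:<digest>" -> "3.12").
          # Leading backslashes bypass shell aliases.
          VERSION="$(\grep "${IMAGE}/Dockerfile" -e '^FROM' | \head -n 1 | \sed -e 's/\-[A-Za-z][A-Za-z0-9]*@.*$//; s/^.*://;')"
          # Accept X.Y.Z as-is (any number of digits per component) and
          # normalise X.Y to X.Y.0. Anything else leaves VERSION unset, so the
          # release steps below are skipped.
          if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] ; then
            echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"
          elif [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+$ ]] ; then
            echo "VERSION=${VERSION}.0" >> "${GITHUB_ENV}"
          fi
      - name: Check if release already exists
        # env.VERSION is empty when the previous step was skipped or matched nothing.
        if: env.VERSION != ''
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        id: check-release
        with:
          # Resolves to the existing tag name, or to undefined when the tag has
          # no release; with result-encoding: string that surfaces as the
          # literal output "undefined", which the next step tests for.
          script: |
            const { VERSION } = process.env
            return github.rest.repos.getReleaseByTag({
              owner: context.repo.owner,
              repo: context.repo.repo,
              tag: `v${VERSION}`,
            }).then(function(result) {
              core.debug(JSON.stringify(result))
              core.info(`Release ${result.data.tag_name} found`)
              return result.data.tag_name
            }).catch(function(error) {
              if (error.status === 404) {
                core.info(`Release v${VERSION} not found`)
                return
              } else {
                throw error
              }
            })
          result-encoding: string
      - name: Trigger Release
        if: env.VERSION != '' && steps.check-release.outputs.result == 'undefined'
        env:
          # A dedicated token rather than GITHUB_TOKEN — presumably so the
          # created release can trigger other workflows, which events made
          # with GITHUB_TOKEN do not; confirm against the release workflow.
          GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          gh release create --generate-notes "v${VERSION}" --title "${VERSION}"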