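---
# Build, test, publish and sign a Docker image, then cut a GitHub release when
# the base-image version in the Dockerfile has no matching release yet.
#
# Trust boundary: `docker-test` runs untrusted code (fork PRs) with read-only
# permissions and no secrets; `docker-build-push` runs only for the trusted
# main branch and is the only job with write permissions, an OIDC token and
# registry credentials.
name: Docker

on:
  push:
  pull_request:
  # Weekly rebuild so `pull: true` refreshes base layers with upstream fixes.
  schedule:
    - cron: "0 0 * * 0"
  workflow_dispatch:

# Default-deny at the workflow level; each job grants only what it needs.
permissions: {}

env:
  DOCKER_BUILDKIT: 1

jobs:
  docker-test:
    # Builds and tests the (potentially untrusted) PR code. Runs for every
    # non-tag event with only read access and no secrets, so executing the
    # Dockerfile's RUN steps cannot reach the registry or signing credentials.
    # Tag pushes (including the tag created by "Trigger Release" below) are
    # skipped, which also keeps the release from re-triggering this workflow.
    if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
    permissions:
      # Required to clone repo
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Set IMAGE
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          # IMAGE is the repository name with the leading "docker-" removed
          # (owner/docker-foo -> foo); it assumes the repo follows that naming
          # scheme. GITHUB_REPOSITORY is set by GitHub, not taken from the
          # event payload, so interpolating env.IMAGE into later steps is safe.
          echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          fetch-depth: 1
          # Keep GITHUB_TOKEN out of .git/config so nothing run from the
          # checkout (RUN steps, the test container) can read it.
          persist-credentials: false
      - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
      - uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
        id: meta
        with:
          images: ${{ github.repository_owner }}/${{ env.IMAGE }}
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=sha
      - name: Test the Docker image
        # Runs the `sut` service from the image directory's compose file. This
        # executes the untrusted Dockerfile and tests, which is why this job
        # has no secrets and only read permissions.
        working-directory: ${{ env.IMAGE }}
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          docker compose -f docker-compose.test.yml run sut
      - name: Build the Docker image
        # Multi-arch build only (push: false); proves the image builds for
        # every target platform and warms the GHA cache for this ref.
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          # zizmor: ignore[template-injection] no user input
          context: ${{ env.IMAGE }}
          platforms: linux/amd64,linux/arm64
          pull: true
          push: false
          sbom: true
          provenance: mode=max
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  docker-build-push:
    # Publishes and signs the image and triggers the release. Only runs on the
    # trusted main branch, which is the only place the write, id-token and
    # registry credentials are exposed.
    #
    # Note that the image pushed here is a separate build from the one
    # docker-test exercised (that job uses push: false); the GHA cache and
    # SOURCE_DATE_EPOCH are what make the two builds equivalent in practice.
    needs: docker-test
    if: github.ref == 'refs/heads/main'
    permissions:
      # Required to create a release
      # NOTE(review): the release is created with secrets.RELEASE_TOKEN below,
      # not GITHUB_TOKEN, so this job may only need `contents: read`; confirm
      # no step relies on the write scope before tightening.
      contents: write
      # Required to sign the Docker image (keyless cosign via OIDC)
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: Set IMAGE
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          # Same derivation as in docker-test: owner/docker-foo -> foo.
          echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
      - name: Set SOURCE_DATE_EPOCH
        # Commit timestamp of HEAD (the only commit fetched with depth 1), used
        # by BuildKit to make image timestamps reproducible.
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV}"
      - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
      - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
      - uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
        id: meta
        with:
          images: ${{ github.repository_owner }}/${{ env.IMAGE }}
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=sha
      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        id: build
        with:
          # zizmor: ignore[template-injection] no user input
          context: ${{ env.IMAGE }}
          platforms: linux/amd64,linux/arm64
          pull: true
          push: true
          sbom: true
          # mode=max records full build parameters in the attestation; keep
          # secrets out of build args, as they would be recorded too.
          provenance: mode=max
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Sign the Docker image
        working-directory: ${{ env.IMAGE }}
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          # TAGS is one reference per line; IFS is newline/tab so the unquoted
          # expansion splits per tag. Every reference is digest-qualified so the
          # signature binds the manifest that was just pushed, not whatever the
          # tag points at later. --recursive also signs the per-platform
          # manifests behind the multi-arch index.
          images=()
          for tag in ${TAGS}; do
            images+=("${tag}@${DIGEST}")
          done
          cosign sign --recursive --yes "${images[@]}"
      - name: Set VERSION
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          # The release version is the tag of the first FROM line in the
          # Dockerfile: strip any @digest, then everything up to the last ':'.
          # Only a strict X.Y.Z survives the check below; anything else (e.g.
          # "latest", or a trailing " AS stage") leaves VERSION unset and the
          # release steps are skipped.
          VERSION="$(\grep "${IMAGE}/Dockerfile" -e '^FROM' | \head -n 1 | \sed -e 's/@.*$//; s/^.*://;')"
          if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] ; then
            echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"
          fi
      - name: Check if release already exists
        if: env.VERSION != ''
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        id: check-release
        with:
          # Resolves to the existing tag name, or to undefined on a 404. With
          # result-encoding: string the undefined becomes the literal output
          # "undefined", which the next step's condition relies on. Any other
          # API error fails the step rather than silently creating a release.
          script: |
            const { VERSION } = process.env
            return github.rest.repos.getReleaseByTag({
              owner: context.repo.owner,
              repo: context.repo.repo,
              tag: `v${VERSION}`,
            }).then(function(result) {
              core.debug(JSON.stringify(result))
              core.info(`Release ${result.data.tag_name} found`)
              return result.data.tag_name
            }).catch(function(error) {
              if (error.status === 404) {
                core.info(`Release v${VERSION} not found`)
                return
              } else {
                throw error
              }
            })
          result-encoding: string
      - name: Trigger Release
        if: env.VERSION != '' && steps.check-release.outputs.result == 'undefined'
        env:
          # A PAT rather than GITHUB_TOKEN, presumably so the new release fires
          # downstream `release` workflows (events created with GITHUB_TOKEN do
          # not) -- confirm against the consuming workflow.
          GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          # Pin the new tag to the commit this run built, tested and signed.
          # Without --target, gh tags the default branch's current tip, which
          # may already be a later commit than GITHUB_SHA.
          gh release create --generate-notes --target "${GITHUB_SHA}" "v${VERSION}" --title "${VERSION}"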