Skip to content

Externalize mirroring from ghcr.io to docker hub in another workflow … #281

Externalize mirroring from ghcr.io to docker hub in another workflow …

Externalize mirroring from ghcr.io to docker hub in another workflow … #281

---
#########################
#########################
## Deploy Docker Image Flavors ##
#########################
#########################
#
# Documentation:
# https://help.github.com/en/articles/workflow-syntax-for-github-actions
#
#######################################
# Start the job on all push to main #
#######################################
name: "Build & Deploy - ALPHA Flavors"
on:
push:
branches:
- "alpha"
paths:
- ".github/workflows/**"
- "Dockerfile"
- "flavors/**"
- "megalinter/**"
- "mega-linter-runner/**"
- "server/**"
- "**/linter-versions.json"
- "TEMPLATES/**"
- ".trivyignore"
- "**/.sh"
###############
# Set the Job #
###############
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true
jobs:
build:
# Name the Job
name: Deploy Docker Image - ALPHA - Flavors
# Set the agent to run on
runs-on: ${{ matrix.os }}
permissions:
packages: write
strategy:
fail-fast: false
max-parallel: 10
matrix:
os: [ubuntu-latest]
# flavors-start
flavor:
[
"ci_light",
"cupcake",
"documentation",
"dotnet",
"go",
"java",
"javascript",
"php",
"python",
"ruby",
"rust",
"salesforce",
"security",
"swift",
"terraform",
]
# flavors-end
# Only run this on the main repo
if: github.repository == 'oxsecurity/megalinter' && !contains(github.event.head_commit.message, 'skip deploy')
##################
# Load all steps #
##################
steps:
##########################
# Checkout the code base #
##########################
- name: Checkout Code
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get current date
run: echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> ${GITHUB_ENV}
- name: Build Image
uses: docker/build-push-action@v6
with:
context: .
file: flavors/${{ matrix.flavor }}/Dockerfile
platforms: linux/amd64
build-args: |
BUILD_DATE=${{ env.BUILD_DATE }}
BUILD_REVISION=${{ github.sha }}
BUILD_VERSION=alpha
load: false
push: true
secrets: |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
tags: |
ghcr.io/oxsecurity/megalinter-${{ matrix.flavor }}:alpha
- name: Invoke Mirror docker image workflow (Flavor image)
uses: benc-uk/workflow-dispatch@v1
with:
workflow: mirror-docker-image.yml
inputs: '{ "source-image": "ghcr.io/oxsecurity/megalinter-${{ matrix.flavor }}:alpha", "target-image": "docker.io/oxsecurity/megalinter-${{ matrix.flavor }}:alpha" }'
ref: ${{ github.ref_name }}
- name: Build Worker Image
uses: docker/build-push-action@v6
with:
context: .
file: Dockerfile-worker
platforms: linux/amd64
build-args: |
MEGALINTER_BASE_IMAGE=ghcr.io/oxsecurity/megalinter-${{ matrix.flavor }}:alpha
BUILD_DATE=${{ env.BUILD_DATE }}
BUILD_REVISION=${{ github.sha }}
BUILD_VERSION=alpha
load: false
push: true
secrets: |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
tags: |
ghcr.io/oxsecurity/megalinter-worker-${{ matrix.flavor }}:alpha
- name: Invoke Mirror docker image workflow (Flavor worker image)
uses: benc-uk/workflow-dispatch@v1
with:
workflow: mirror-docker-image.yml
inputs: '{ "source-image": "ghcr.io/oxsecurity/megalinter-worker-${{ matrix.flavor }}:alpha", "target-image": "docker.io/oxsecurity/megalinter-worker-${{ matrix.flavor }}:alpha" }'
ref: ${{ github.ref_name }}
##############################################
# Check Docker image security with Trivy #
##############################################
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/oxsecurity/megalinter-worker-${{ matrix.flavor }}:alpha'
format: 'table'
exit-code: '1'
ignore-unfixed: true
scanners: vuln
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
timeout: 10m0s
env:
ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}