Build & Release Nightly #620
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Build & Release Nightly" | |
# This worflow needs those secrets: | |
# | |
# DOCKERPASSWORD = Docker Hub token | |
on: | |
schedule: | |
- cron: '3 2 * * *' | |
workflow_dispatch: | |
env: | |
PLATFORMS: "linux/amd64,linux/arm/v7,linux/arm/v6,linux/arm64" # Build for which platforms | |
DOCKER_USER: "tdeutsch" # Which user to use to login to DockerHub | |
UPSTREAM_GITHUB_REPOSITORY: "mxpv/podsync" # Upstream repo | |
##### | |
# To rebuild someone else's repo, do this: | |
# | |
# - New env REPOSITORY: "githubuser/githubrepo" | |
# - Add this to the checkout: | |
# with: | |
# repository: ${{ env.REPOSITORY }} | |
# - One may also need to disable hadolint, due to the quality of others Dockerfile | |
##### | |
jobs: | |
get_version: | |
runs-on: ubuntu-latest | |
#if: !contains(github.event.head_commit.message, '[skip ci]') | |
outputs: | |
build_version: ${{ env.build_version }} | |
steps: | |
- | |
name: Get current version | |
id: get_version | |
run: | | |
VERSION="master" | |
echo "build_version=${VERSION}" >> $GITHUB_ENV | |
lint: | |
uses: ./.github/workflows/ci-lint.yml | |
build-test: | |
needs: [get_version] | |
uses: ./.github/workflows/ci-build-test.yml | |
secrets: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
YTTOKEN: ${{ secrets.YTTOKEN }} | |
with: | |
build_version: ${{needs.get_version.outputs.build_version}} | |
build_and_release: | |
needs: [build-test, lint] | |
runs-on: ubuntu-latest | |
#if: !contains(github.event.head_commit.message, '[skip ci]') | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- | |
name: Prepare | |
id: prep | |
run: | | |
IMAGENAME=$(echo ${{ github.repository }} | sed 's/${{ github.repository_owner }}\/docker-//g') | |
VERSION="nightly" | |
for IMAGEPREFIX in "ghcr.io/${{ github.repository_owner }}" "docker.io/${{ env.DOCKER_USER }}"; do | |
IMAGE="${IMAGEPREFIX}/${IMAGENAME}" | |
TAGS="${TAGS},${IMAGE}:${VERSION}" | |
done | |
echo "prep_tags=${TAGS}" >> $GITHUB_ENV | |
echo "prep_imagename=${IMAGENAME}" >> $GITHUB_ENV | |
echo "prep_image=${IMAGE}" >> $GITHUB_ENV | |
echo "prep_version=${VERSION}" >> $GITHUB_ENV | |
echo "prep_upstream_version=${UPSTREAM_VERSION}" >> $GITHUB_ENV | |
echo "prep_created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV | |
- | |
name: Hadolint | |
uses: brpaz/hadolint-action@c27bd9edc1e95eed30474db8f295ff5807ebca14 # v1.5.0 | |
with: | |
dockerfile: Dockerfile | |
- | |
name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3 | |
- | |
name: Login to GHCR | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- | |
name: Login to DockerHub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
with: | |
registry: docker.io | |
username: ${{ env.DOCKER_USER }} | |
password: ${{ secrets.DOCKERPASSWORD }} | |
- | |
name: Build and push | |
id: docker_build | |
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 | |
with: | |
context: . | |
file: ./Dockerfile | |
platforms: ${{ env.PLATFORMS }} | |
push: ${{ github.event_name != 'pull_request' }} | |
tags: ${{ env.prep_tags }} | |
labels: | | |
org.opencontainers.image.title=${{ env.prep_imagename }} | |
org.opencontainers.image.description=${{ github.event.repository.description }} | |
org.opencontainers.image.url=${{ github.event.repository.html_url }} | |
org.opencontainers.image.source=${{ github.event.repository.clone_url }} | |
org.opencontainers.image.version=${{ env.prep_version }} | |
org.opencontainers.image.created=${{ env.prep_created }} | |
org.opencontainers.image.revision=${{ github.sha }} | |
org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }} | |
- | |
name: Monitor published image for vulnerabilities with Snyk | |
uses: snyk/actions/docker@master | |
if: ${{ github.event_name != 'pull_request' }} | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
command: monitor | |
image: ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }} | |
args: --file=Dockerfile --project-name=ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }} | |
- | |
name: Test the image with Snyk for high-severity vulnerabilities | |
uses: snyk/actions/docker@master | |
if: ${{ github.event_name != 'pull_request' }} | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }} | |
args: --file=Dockerfile --severity-threshold=high | |
- | |
name: Output a SARIF file from Snyk | |
continue-on-error: true | |
uses: snyk/actions/docker@master | |
if: ${{ github.event_name != 'pull_request' }} | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
sarif: true | |
image: ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }} | |
args: --file=Dockerfile | |
- | |
name: Upload SARIF artifact | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4 | |
if: ${{ github.event_name != 'pull_request' }} | |
with: | |
name: SARIF | |
path: snyk.sarif | |
- | |
name: Upload the SARIF file to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3 | |
if: ${{ github.event_name != 'pull_request' }} | |
with: | |
sarif_file: snyk.sarif | |
# - | |
# name: Copy to Docker Hub | |
# id: copy_images | |
# if: ${{ github.event_name != 'pull_request' }} | |
# run: | | |
# for i in $(echo ${{ env.prep_tags }} | sed "s/,/ /g") | |
# do | |
# GHTAG=$(echo $i | sed "s/ghcr.io/docker.io/g" | sed "s/${{ github.repository_owner }}/${{ env.DOCKER_USER }}/g") | |
# skopeo copy --all --src-creds=${{ github.repository_owner }}:${{ secrets.GITHUB_TOKEN }} --dest-creds=${{ env.DOCKER_USER }}:${{ secrets.DOCKERPASSWORD }} docker://${i} docker://${GHTAG} | |
# done | |
- | |
name: Install cosign | |
if: github.event_name != 'pull_request' | |
uses: sigstore/cosign-installer@cc23fe1cf04164ea4c208611cf647a013c6f8cc5 | |
with: | |
cosign-release: 'v1.4.0' | |
- | |
name: Sign the published Docker image | |
if: ${{ github.event_name != 'pull_request' }} | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
# This step uses the identity token to provision an ephemeral certificate | |
# against the sigstore community Fulcio instance. | |
run: | | |
echo "$KEY" > cosign.key | |
for i in $(echo ${{ env.prep_tags }} | sed "s/,/ /g") | |
do | |
cosign sign --key cosign.key ${i} | |
done | |
rm -f cosign.key | |
cleanup: | |
needs: [build_and_release] | |
runs-on: ubuntu-latest | |
if: ${{ github.event_name != 'pull_request' }} | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- | |
name: Dump public key | |
if: ${{ github.event_name != 'pull_request' }} | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} | |
# This step uses the identity token to provision an ephemeral certificate | |
# against the sigstore community Fulcio instance. | |
run: | | |
echo "$KEY" > $GITHUB_WORKSPACE/cosign-signing-key.pub | |
sha256sum $GITHUB_WORKSPACE/cosign-signing-key.pub > $GITHUB_WORKSPACE/cosign-signing-key.pub.sha256 | |
sha512sum $GITHUB_WORKSPACE/cosign-signing-key.pub > $GITHUB_WORKSPACE/cosign-signing-key.pub.sha512 | |
- | |
uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5 |