Skip to content

Build & Release

Build & Release #1637

Workflow file for this run

name: "Build & Release"
# This worflow needs those secrets:
#
# DOCKERPASSWORD = Docker Hub token
on:
schedule:
- cron: '3 3 * * *'
workflow_dispatch:
repository_dispatch:
types:
- 'new-version'
pull_request:
types: [assigned, opened, synchronize, reopened]
env:
PLATFORMS: "linux/amd64,linux/arm/v7,linux/arm/v6,linux/arm64" # Build for which platforms
DOCKER_USER: "tdeutsch" # Which user to use to login to DockerHub
UPSTREAM_GITHUB_REPOSITORY: "mxpv/podsync" # Upstream repo
#####
# To rebuild someone else's repo, do this:
#
# - New env REPOSITORY: "githubuser/githubrepo"
# - Add this to the checkout:
# with:
# repository: ${{ env.REPOSITORY }}
# - One may also need to disable hadolint, due to the quality of others Dockerfile
#####
jobs:
get_version:
runs-on: ubuntu-latest
#if: !contains(github.event.head_commit.message, '[skip ci]')
outputs:
build_version: ${{ steps.get_version.outputs.build_version }}
steps:
-
name: Get current version
id: get_version
run: |
VERSION=""
VERSION=$(curl --silent https://api.github.com/repos/${GITHUB_REPOSITORY}/git/refs/tags | jq -r '.[-1].ref' | awk -F/ '{print $NF}')
echo ${VERSION}
if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
VERSION="v${VERSION}"
fi
echo ${VERSION}
echo "build_version=${VERSION}" >> $GITHUB_OUTPUT
lint:
uses: ./.github/workflows/ci-lint.yml
build-test:
needs: [get_version]
uses: ./.github/workflows/ci-build-test.yml
secrets:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
YTTOKEN: ${{ secrets.YTTOKEN }}
with:
build_version: ${{needs.get_version.outputs.build_version}}
build_and_release:
needs: [build-test, lint]
runs-on: ubuntu-latest
#if: !contains(github.event.head_commit.message, '[skip ci]')
steps:
-
name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-
name: Prepare
id: prep
run: |
echo "Debug version ${{needs.get_version.outputs.build_version}}"
UPSTREAM_VERSION=${{needs.get_version.outputs.build_version}}
UPSTREAM_VERSION=$(curl --silent https://api.github.com/repos/${GITHUB_REPOSITORY}/git/refs/tags | jq -r '.[-1].ref' | awk -F/ '{print $NF}')
if [[ $UPSTREAM_VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
UPSTREAM_VERSION="v${UPSTREAM_VERSION}"
fi
IMAGENAME=$(echo ${{ github.repository }} | sed 's/${{ github.repository_owner }}\/docker-//g')
VERSION=$UPSTREAM_VERSION
if [[ $GITHUB_REF == refs/pull/* ]]; then
VERSION=pr${{ github.event.number }}-${VERSION}
fi
for IMAGEPREFIX in "ghcr.io/${{ github.repository_owner }}" "docker.io/${{ env.DOCKER_USER }}"; do
IMAGE="${IMAGEPREFIX}/${IMAGENAME}"
TAGS="${TAGS},${IMAGE}:${VERSION}"
if [[ $VERSION =~ ^v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
MINOR=${VERSION%.*}
MAJOR=${MINOR%.*}
TAGS="$TAGS,${IMAGE}:${MINOR},${IMAGE}:${MAJOR},${IMAGE}:latest"
fi
done
echo "prep_tags=${TAGS}" >> $GITHUB_ENV
echo "prep_imagename=${IMAGENAME}" >> $GITHUB_ENV
echo "prep_image=${IMAGE}" >> $GITHUB_ENV
echo "prep_version=${VERSION}" >> $GITHUB_ENV
echo "prep_upstream_version=${UPSTREAM_VERSION}" >> $GITHUB_ENV
echo "prep_created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
-
name: Hadolint
uses: brpaz/hadolint-action@c27bd9edc1e95eed30474db8f295ff5807ebca14 # v1.5.0
with:
dockerfile: Dockerfile
-
name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3
-
name: Login to GHCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Login to DockerHub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: docker.io
username: ${{ env.DOCKER_USER }}
password: ${{ secrets.DOCKERPASSWORD }}
-
name: Build and push
id: docker_build
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
with:
context: .
file: ./Dockerfile
platforms: ${{ env.PLATFORMS }}
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ env.prep_tags }}
build-args: |
UPSTREAM_VERSION=${{ env.prep_upstream_version }}
labels: |
org.opencontainers.image.title=${{ env.prep_imagename }}
org.opencontainers.image.description=${{ github.event.repository.description }}
org.opencontainers.image.url=${{ github.event.repository.html_url }}
org.opencontainers.image.source=${{ github.event.repository.clone_url }}
org.opencontainers.image.version=${{ env.prep_version }}
org.opencontainers.image.created=${{ env.prep_created }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}
-
name: Update Docker Hub Description
uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0
if: ${{ github.event_name != 'pull_request' }}
with:
username: ${{ env.DOCKER_USER }}
password: ${{ secrets.DOCKERPASSWORD }}
repository: "${{ env.DOCKER_USER }}/${{ env.prep_imagename }}"
short-description: ${{ github.event.repository.description }}
-
name: Monitor published image for vulnerabilities with Snyk
uses: snyk/actions/docker@master
if: ${{ github.event_name != 'pull_request' }}
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: monitor
image: ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }}
args: --file=Dockerfile --project-name=ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }}
-
name: Test the image with Snyk for high-severity vulnerabilities
uses: snyk/actions/docker@master
if: ${{ github.event_name != 'pull_request' }}
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }}
args: --file=Dockerfile --severity-threshold=high
-
name: Output a SARIF file from Snyk
continue-on-error: true
uses: snyk/actions/docker@master
if: ${{ github.event_name != 'pull_request' }}
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
sarif: true
image: ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }}
args: --file=Dockerfile
-
name: Upload SARIF artifact
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
if: ${{ github.event_name != 'pull_request' }}
with:
name: SARIF
path: snyk.sarif
-
name: Upload the SARIF file to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
if: ${{ github.event_name != 'pull_request' }}
with:
sarif_file: snyk.sarif
# -
# name: Copy to Docker Hub
# id: copy_images
# if: ${{ github.event_name != 'pull_request' }}
# run: |
# for i in $(echo ${{ env.prep_tags }} | sed "s/,/ /g")
# do
# GHTAG=$(echo $i | sed "s/ghcr.io/docker.io/g" | sed "s/${{ github.repository_owner }}/${{ env.DOCKER_USER }}/g")
# skopeo copy --all --src-creds=${{ github.repository_owner }}:${{ secrets.GITHUB_TOKEN }} --dest-creds=${{ env.DOCKER_USER }}:${{ secrets.DOCKERPASSWORD }} docker://${i} docker://${GHTAG}
# done
-
name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@cc23fe1cf04164ea4c208611cf647a013c6f8cc5
with:
cosign-release: 'v1.4.0'
-
name: Sign the published Docker image
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: |
echo "$KEY" > cosign.key
for i in $(echo ${{ env.prep_tags }} | sed "s/,/ /g")
do
cosign sign --key cosign.key ${i}
done
rm -f cosign.key
cleanup:
needs: [build_and_release]
runs-on: ubuntu-latest
if: ${{ github.event_name != 'pull_request' }}
steps:
-
name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-
name: Dump public key
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: |
echo "$KEY" > $GITHUB_WORKSPACE/cosign-signing-key.pub
sha256sum $GITHUB_WORKSPACE/cosign-signing-key.pub > $GITHUB_WORKSPACE/cosign-signing-key.pub.sha256
sha512sum $GITHUB_WORKSPACE/cosign-signing-key.pub > $GITHUB_WORKSPACE/cosign-signing-key.pub.sha512
-
uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5