Skip to content

Build & Release Nightly #803

Build & Release Nightly

Build & Release Nightly #803

name: "Build & Release Nightly"
# This worflow needs those secrets:
#
# DOCKERPASSWORD = Docker Hub token
on:
schedule:
- cron: '3 2 * * *'
workflow_dispatch:
env:
PLATFORMS: "linux/amd64,linux/arm/v7,linux/arm/v6,linux/arm64" # Build for which platforms
DOCKER_USER: "tdeutsch" # Which user to use to login to DockerHub
UPSTREAM_GITHUB_REPOSITORY: "mxpv/podsync" # Upstream repo
#####
# To rebuild someone else's repo, do this:
#
# - New env REPOSITORY: "githubuser/githubrepo"
# - Add this to the checkout:
# with:
# repository: ${{ env.REPOSITORY }}
# - One may also need to disable hadolint, due to the quality of others Dockerfile
#####
jobs:
get_version:
runs-on: ubuntu-latest
#if: !contains(github.event.head_commit.message, '[skip ci]')
outputs:
build_version: ${{ env.build_version }}
steps:
-
name: Get current version
id: get_version
run: |
VERSION="master"
echo "build_version=${VERSION}" >> $GITHUB_ENV
lint:
uses: ./.github/workflows/ci-lint.yml
build-test:
needs: [get_version]
uses: ./.github/workflows/ci-build-test.yml
secrets:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
YTTOKEN: ${{ secrets.YTTOKEN }}
with:
build_version: ${{needs.get_version.outputs.build_version}}
build_and_release:
needs: [build-test, lint]
runs-on: ubuntu-latest
#if: !contains(github.event.head_commit.message, '[skip ci]')
steps:
-
name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
name: Prepare
id: prep
run: |
IMAGENAME=$(echo ${{ github.repository }} | sed 's/${{ github.repository_owner }}\/docker-//g')
VERSION="nightly"
for IMAGEPREFIX in "ghcr.io/${{ github.repository_owner }}" "docker.io/${{ env.DOCKER_USER }}"; do
IMAGE="${IMAGEPREFIX}/${IMAGENAME}"
TAGS="${TAGS},${IMAGE}:${VERSION}"
done
echo "prep_tags=${TAGS}" >> $GITHUB_ENV
echo "prep_imagename=${IMAGENAME}" >> $GITHUB_ENV
echo "prep_image=${IMAGE}" >> $GITHUB_ENV
echo "prep_version=${VERSION}" >> $GITHUB_ENV
echo "prep_upstream_version=${UPSTREAM_VERSION}" >> $GITHUB_ENV
echo "prep_created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
-
name: Hadolint
uses: brpaz/hadolint-action@c27bd9edc1e95eed30474db8f295ff5807ebca14 # v1.5.0
with:
dockerfile: Dockerfile
-
name: Set up QEMU
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
-
name: Login to GHCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Login to DockerHub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: docker.io
username: ${{ env.DOCKER_USER }}
password: ${{ secrets.DOCKERPASSWORD }}
-
name: Build and push
id: docker_build
uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6
with:
context: .
file: ./Dockerfile
platforms: ${{ env.PLATFORMS }}
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ env.prep_tags }}
labels: |
org.opencontainers.image.title=${{ env.prep_imagename }}
org.opencontainers.image.description=${{ github.event.repository.description }}
org.opencontainers.image.url=${{ github.event.repository.html_url }}
org.opencontainers.image.source=${{ github.event.repository.clone_url }}
org.opencontainers.image.version=${{ env.prep_version }}
org.opencontainers.image.created=${{ env.prep_created }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}
-
name: Monitor published image for vulnerabilities with Snyk
uses: snyk/actions/docker@master
if: ${{ github.event_name != 'pull_request' }}
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: monitor
image: ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }}
args: --file=Dockerfile --project-name=ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }}
-
name: Test the image with Snyk for high-severity vulnerabilities
uses: snyk/actions/docker@master
if: ${{ github.event_name != 'pull_request' }}
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }}
args: --file=Dockerfile --severity-threshold=high
-
name: Output a SARIF file from Snyk
continue-on-error: true
uses: snyk/actions/docker@master
if: ${{ github.event_name != 'pull_request' }}
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
sarif: true
image: ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }}
args: --file=Dockerfile
-
name: Upload SARIF artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
if: ${{ github.event_name != 'pull_request' }}
with:
name: SARIF
path: snyk.sarif
-
name: Upload the SARIF file to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3
if: ${{ github.event_name != 'pull_request' }}
with:
sarif_file: snyk.sarif
# -
# name: Install latest Skopeo # GitHub's ubuntu 22 uses Skopeo 1.4 but we need newer to fix the "unsupported MIME type for compression: application/vnd.in-toto+json" error
# run: |
# echo 'deb http://download.opensuse.org/repositories/home:/alvistack/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/home:alvistack.list
# curl -fsSL https://download.opensuse.org/repositories/home:alvistack/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/home_alvistack.gpg > /dev/null
# sudo apt update
# sudo apt -o Dpkg::Options::="--force-overwrite" install skopeo
# -
# name: Copy to Docker Hub
# id: copy_images
# if: ${{ github.event_name != 'pull_request' }}
# run: |
# for i in $(echo ${{ env.prep_tags }} | sed "s/,/ /g")
# do
# GHTAG=$(echo $i | sed "s/ghcr.io/docker.io/g" | sed "s/${{ github.repository_owner }}/${{ env.DOCKER_USER }}/g")
# skopeo copy --all --src-creds=${{ github.repository_owner }}:${{ secrets.GITHUB_TOKEN }} --dest-creds=${{ env.DOCKER_USER }}:${{ secrets.DOCKERPASSWORD }} docker://${i} docker://${GHTAG}
# done
-
name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@789d2886c082e8fb7b9710810b73c3f0840573ed
with:
cosign-release: 'v1.4.0'
-
name: Sign the published Docker image
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: |
echo "$KEY" > cosign.key
for i in $(echo ${{ env.prep_tags }} | sed "s/,/ /g")
do
cosign sign --key cosign.key ${i}
done
rm -f cosign.key
cleanup:
needs: [build_and_release]
runs-on: ubuntu-latest
if: ${{ github.event_name != 'pull_request' }}
steps:
-
name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
name: Dump public key
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: |
echo "$KEY" > $GITHUB_WORKSPACE/cosign-signing-key.pub
sha256sum $GITHUB_WORKSPACE/cosign-signing-key.pub > $GITHUB_WORKSPACE/cosign-signing-key.pub.sha256
sha512sum $GITHUB_WORKSPACE/cosign-signing-key.pub > $GITHUB_WORKSPACE/cosign-signing-key.pub.sha512
-
uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5