Skip to content

Build & Release

Build & Release #1871

Workflow file for this run

name: "Build & Release"
# This worflow needs those secrets:
#
# DOCKERPASSWORD = Docker Hub token
on:
schedule:
- cron: '3 3 * * *'
workflow_dispatch:
repository_dispatch:
types:
- 'new-version'
pull_request:
types: [assigned, opened, synchronize, reopened]
env:
PLATFORMS: "linux/amd64,linux/arm/v7,linux/arm/v6,linux/arm64" # Build for which platforms
DOCKER_USER: "tdeutsch" # Which user to use to login to DockerHub
UPSTREAM_GITHUB_REPOSITORY: "mxpv/podsync" # Upstream repo
#####
# To rebuild someone else's repo, do this:
#
# - New env REPOSITORY: "githubuser/githubrepo"
# - Add this to the checkout:
# with:
# repository: ${{ env.REPOSITORY }}
# - One may also need to disable hadolint, due to the quality of others Dockerfile
#####
jobs:
get_version:
runs-on: ubuntu-latest
#if: !contains(github.event.head_commit.message, '[skip ci]')
outputs:
build_version: ${{ steps.get_version.outputs.build_version }}
steps:
-
name: Get current version
id: get_version
run: |
VERSION=""
VERSION=$(curl --silent https://api.github.com/repos/${GITHUB_REPOSITORY}/git/refs/tags | jq -r '.[-1].ref' | awk -F/ '{print $NF}')
echo ${VERSION}
if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
VERSION="v${VERSION}"
fi
echo ${VERSION}
echo "build_version=${VERSION}" >> $GITHUB_OUTPUT
lint:
uses: ./.github/workflows/ci-lint.yml
build-test:
needs: [get_version]
uses: ./.github/workflows/ci-build-test.yml
secrets:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
YTTOKEN: ${{ secrets.YTTOKEN }}
with:
build_version: ${{needs.get_version.outputs.build_version}}
build_and_release:
needs: [build-test, lint]
runs-on: ubuntu-latest
#if: !contains(github.event.head_commit.message, '[skip ci]')
steps:
-
name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
name: Prepare
id: prep
run: |
echo "Debug version ${{needs.get_version.outputs.build_version}}"
UPSTREAM_VERSION=${{needs.get_version.outputs.build_version}}
UPSTREAM_VERSION=$(curl --silent https://api.github.com/repos/${GITHUB_REPOSITORY}/git/refs/tags | jq -r '.[-1].ref' | awk -F/ '{print $NF}')
if [[ $UPSTREAM_VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
UPSTREAM_VERSION="v${UPSTREAM_VERSION}"
fi
IMAGENAME=$(echo ${{ github.repository }} | sed 's/${{ github.repository_owner }}\/docker-//g')
VERSION=$UPSTREAM_VERSION
if [[ $GITHUB_REF == refs/pull/* ]]; then
VERSION=pr${{ github.event.number }}-${VERSION}
fi
for IMAGEPREFIX in "ghcr.io/${{ github.repository_owner }}" "docker.io/${{ env.DOCKER_USER }}"; do
IMAGE="${IMAGEPREFIX}/${IMAGENAME}"
TAGS="${TAGS},${IMAGE}:${VERSION}"
if [[ $VERSION =~ ^v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
MINOR=${VERSION%.*}
MAJOR=${MINOR%.*}
TAGS="$TAGS,${IMAGE}:${MINOR},${IMAGE}:${MAJOR},${IMAGE}:latest"
fi
done
echo "prep_tags=${TAGS}" >> $GITHUB_ENV
echo "prep_imagename=${IMAGENAME}" >> $GITHUB_ENV
echo "prep_image=${IMAGE}" >> $GITHUB_ENV
echo "prep_version=${VERSION}" >> $GITHUB_ENV
echo "prep_upstream_version=${UPSTREAM_VERSION}" >> $GITHUB_ENV
echo "prep_created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
-
name: Hadolint
uses: brpaz/hadolint-action@c27bd9edc1e95eed30474db8f295ff5807ebca14 # v1.5.0
with:
dockerfile: Dockerfile
-
name: Set up QEMU
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
-
name: Login to GHCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Login to DockerHub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: docker.io
username: ${{ env.DOCKER_USER }}
password: ${{ secrets.DOCKERPASSWORD }}
-
name: Build and push
id: docker_build
uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6
with:
context: .
file: ./Dockerfile
platforms: ${{ env.PLATFORMS }}
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ env.prep_tags }}
build-args: |
UPSTREAM_VERSION=${{ env.prep_upstream_version }}
labels: |
org.opencontainers.image.title=${{ env.prep_imagename }}
org.opencontainers.image.description=${{ github.event.repository.description }}
org.opencontainers.image.url=${{ github.event.repository.html_url }}
org.opencontainers.image.source=${{ github.event.repository.clone_url }}
org.opencontainers.image.version=${{ env.prep_version }}
org.opencontainers.image.created=${{ env.prep_created }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}
-
name: Update Docker Hub Description
uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0
if: ${{ github.event_name != 'pull_request' }}
with:
username: ${{ env.DOCKER_USER }}
password: ${{ secrets.DOCKERPASSWORD }}
repository: "${{ env.DOCKER_USER }}/${{ env.prep_imagename }}"
short-description: ${{ github.event.repository.description }}
-
name: Monitor published image for vulnerabilities with Snyk
uses: snyk/actions/docker@master
if: ${{ github.event_name != 'pull_request' }}
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: monitor
image: ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }}
args: --file=Dockerfile --project-name=ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }}
-
name: Test the image with Snyk for high-severity vulnerabilities
uses: snyk/actions/docker@master
if: ${{ github.event_name != 'pull_request' }}
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }}
args: --file=Dockerfile --severity-threshold=high
-
name: Output a SARIF file from Snyk
continue-on-error: true
uses: snyk/actions/docker@master
if: ${{ github.event_name != 'pull_request' }}
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
sarif: true
image: ghcr.io/${{ github.repository_owner }}/${{ env.prep_imagename }}:${{ env.prep_version }}
args: --file=Dockerfile
-
name: Upload SARIF artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
if: ${{ github.event_name != 'pull_request' }}
with:
name: SARIF
path: snyk.sarif
-
name: Upload the SARIF file to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3
if: ${{ github.event_name != 'pull_request' }}
with:
sarif_file: snyk.sarif
# -
# name: Install latest Skopeo # GitHub's ubuntu 22 uses Skopeo 1.4 but we need newer to fix the "unsupported MIME type for compression: application/vnd.in-toto+json" error
# run: |
# echo 'deb http://download.opensuse.org/repositories/home:/alvistack/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/home:alvistack.list
# curl -fsSL https://download.opensuse.org/repositories/home:alvistack/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/home_alvistack.gpg > /dev/null
# sudo apt update
# sudo apt -o Dpkg::Options::="--force-overwrite" install skopeo
# -
# name: Copy to Docker Hub
# id: copy_images
# if: ${{ github.event_name != 'pull_request' }}
# run: |
# for i in $(echo ${{ env.prep_tags }} | sed "s/,/ /g")
# do
# GHTAG=$(echo $i | sed "s/ghcr.io/docker.io/g" | sed "s/${{ github.repository_owner }}/${{ env.DOCKER_USER }}/g")
# skopeo copy --all --src-creds=${{ github.repository_owner }}:${{ secrets.GITHUB_TOKEN }} --dest-creds=${{ env.DOCKER_USER }}:${{ secrets.DOCKERPASSWORD }} docker://${i} docker://${GHTAG}
# done
-
name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@789d2886c082e8fb7b9710810b73c3f0840573ed
with:
cosign-release: 'v1.4.0'
-
name: Sign the published Docker image
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: |
echo "$KEY" > cosign.key
for i in $(echo ${{ env.prep_tags }} | sed "s/,/ /g")
do
cosign sign --key cosign.key ${i}
done
rm -f cosign.key
cleanup:
needs: [build_and_release]
runs-on: ubuntu-latest
if: ${{ github.event_name != 'pull_request' }}
steps:
-
name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
name: Dump public key
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: |
echo "$KEY" > $GITHUB_WORKSPACE/cosign-signing-key.pub
sha256sum $GITHUB_WORKSPACE/cosign-signing-key.pub > $GITHUB_WORKSPACE/cosign-signing-key.pub.sha256
sha512sum $GITHUB_WORKSPACE/cosign-signing-key.pub > $GITHUB_WORKSPACE/cosign-signing-key.pub.sha512
-
uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5