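---
# Build, scan and publish the container images under software/<package>.
# One job runs per matrix entry; every step after "skip if unchanged" is
# gated on SKIP so a package whose directory did not change is not rebuilt.
name: main

on:
  push:
  pull_request:
  workflow_dispatch:
  # schedule:
  #   - cron: "0 6 * * *"

# Least-privilege token: the only write the job performs is the image push
# to ghcr.io, which needs packages:write; everything else is read-only.
permissions:
  contents: read
  packages: write

defaults:
  run:
    shell: bash

jobs:
  containers:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        package: ["FSL", "Freesurfer"]
    steps:
      # Third-party actions are referenced by mutable major tags; pinning
      # them to a full commit SHA (actions/checkout@<sha>,
      # disk-space-reclaimer@<sha>) would make the workflow immune to tag
      # moves.
      - name: checkout
        uses: actions/checkout@v4
        with:
          # Two commits are needed so that HEAD^ exists for the diff below.
          fetch-depth: 2

      # Set SKIP=1 unless HEAD touches software/<package> outside README
      # files. Only HEAD^..HEAD is inspected, so a multi-commit push that
      # changed the package in an earlier commit is not rebuilt.
      # NOTE(review): on pull_request HEAD is presumably the merge commit, so
      # the whole PR is covered there — confirm this matches expectations.
      - name: skip if unchanged
        env:
          PACKAGE: ${{ matrix.package }}
        run: |
          set -euxo pipefail
          SKIP=0
          if ! git diff --name-only HEAD^ | grep "software/${PACKAGE}" | grep -v README > /dev/null
          then
            SKIP=1
          fi
          echo "SKIP=$SKIP" >> "$GITHUB_ENV"

      - name: Run insightsengineering/disk-space-reclaimer@v1
        if: env.SKIP == '0'
        uses: insightsengineering/disk-space-reclaimer@v1
        with:
          tools-cache: true

      # Builds software/<package>/Dockerfile and hands img/tag to the later
      # steps through GITHUB_ENV. The tag is read from the Dockerfile's
      # _VERSION= line (assumes exactly one such line — a second match would
      # produce a multi-line tag; TODO confirm).
      - name: build image
        if: env.SKIP == '0'
        env:
          PACKAGE: ${{ matrix.package }}
        run: |
          set -euxo pipefail
          cd "software/$PACKAGE"
          # ghcr.io repository names must be lowercase.
          img="ghcr.io/smi/${PACKAGE,,}"
          tag="$(grep _VERSION= Dockerfile | cut -d'"' -f2)"
          docker build . --tag "$img:$tag"
          docker tag "$img:$tag" "$img:latest"
          echo "img=$img" >> "$GITHUB_ENV"
          echo "tag=$tag" >> "$GITHUB_ENV"

      # Drop the build cache so the scanner has room to run.
      - name: free disk space
        if: env.SKIP == '0'
        run: |
          set -euxo pipefail
          df -h
          docker builder prune -a -f
          # docker rmi -f $(docker image ls -a | grep -E "(node|debian|moby|ubuntu|alpine)" | awk 'NR>1 {print $3}')
          df -h
          # debug
          docker image ls -a --digests --no-trunc

      # Vulnerability scan of the image just built. The scanner container is
      # given the runner's Docker socket so it can read the local image; that
      # is root-equivalent on the runner, acceptable only because the runner
      # is ephemeral and the scanner image is version-pinned. Trivy exits 0
      # whatever it finds unless --exit-code is set, so this step reports but
      # does not gate the push.
      # NOTE(review): no --format is given, so the output is presumably
      # trivy's default table report despite the .sbom.json name — confirm.
      - name: run trivy
        if: env.SKIP == '0'
        run: |
          set -euxo pipefail
          out_dir=$(mktemp -d)
          # Exported before the scan so the upload step can find the
          # directory even when the scan itself fails.
          echo "out_dir=$out_dir" >> "$GITHUB_ENV"
          docker run \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v "${out_dir}":/out \
            docker.io/aquasec/trivy:0.52.2 \
            image \
            --scanners vuln \
            --severity MEDIUM,HIGH,CRITICAL \
            --output /out/dependency-results.sbom.json \
            "$img:$tag"
          ls -la "${out_dir}"

      # Keep the scan report as a run artifact; runs after a failed scan too,
      # but not when the run was cancelled.
      - name: upload trivy report
        if: env.SKIP == '0' && !cancelled()
        uses: actions/upload-artifact@v4
        with:
          name: "trivy-sbom-report-${{ matrix.package }}"
          path: "${{ env.out_dir }}"

      # Publishes only from main. User and token reach the script through
      # env rather than being expanded into the script text, the token is
      # passed on stdin so it never appears on a command line, and xtrace is
      # off in this step so it is not echoed into the log either.
      - name: push image
        if: env.SKIP == '0' && github.ref == 'refs/heads/main'
        env:
          GHCR_USER: ${{ github.actor }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin
          docker push "$img:$tag"
          docker push "$img:latest"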