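---
# CI workflow: for each package under software/, build its container image,
# scan the result with Trivy, and (once enabled) push it to ghcr.io.
#
# Steps talk to each other through $GITHUB_ENV (SKIP, img, tag); the order of
# the steps below is therefore significant.
name: main

on:  # yamllint disable-line rule:truthy
  push:
  pull_request:
  workflow_dispatch:
  # schedule:
  #   - cron: "0 6 * * *"

defaults:
  run:
    shell: bash

# NOTE(review): no top-level `permissions:` is declared, so GITHUB_TOKEN gets
# the repository's default scopes. Pushing to ghcr.io needs `packages: write`;
# declare the minimal set explicitly when the push step is enabled.
jobs:
  containers:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        # package: ["FSL", "Freesurfer"]
        package: ["test"]
    steps:
      - name: checkout
        uses: actions/checkout@v4
        with:
          # Two commits so that HEAD^ exists for the change detection below.
          fetch-depth: 2

      # Sets SKIP=1 when nothing under software/<package> (other than README)
      # changed in the last commit. The result is currently forced to 0 while
      # the pipeline is being brought up; restore the commented echo to enable.
      # matrix.package is a fixed literal list above, so substituting it into
      # the script is safe; if the matrix ever comes from workflow inputs, pass
      # it through `env:` instead.
      - name: skip if unchanged
        run: |
          set -euxo pipefail
          SKIP=0
          if ! git diff --name-only HEAD^ | grep "software/${{ matrix.package }}" | grep -v README > /dev/null
          then
            SKIP=1
          fi
          # echo "SKIP=$SKIP" >> "$GITHUB_ENV"
          echo "SKIP=0" >> "$GITHUB_ENV"

      # Large image builds exhaust the runner's disk; drop preinstalled
      # toolchains we do not use.
      - name: free disk space
        if: env.SKIP == '0'
        run: |
          set -euxo pipefail
          df -h
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /usr/local/share/boost
          sudo rm -rf /opt/ghc
          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
          # sudo docker image prune --all --force
          df -h

      # Builds software/<package>/Dockerfile. The image name is the lowercased
      # package name; the tag is read from the `_VERSION="..."` line of the
      # Dockerfile. Both are exported for the scan and push steps.
      - name: build image
        if: env.SKIP == '0'
        run: |
          set -euxo pipefail
          package="${{ matrix.package }}"
          cd "software/$package"
          img="ghcr.io/smi/${package,,}"
          tag="$(grep _VERSION= Dockerfile | cut -d'"' -f2)"
          docker build . --tag "$img:$tag"
          docker tag "$img:$tag" "$img:latest"
          echo "img=$img" >> "$GITHUB_ENV"
          echo "tag=$tag" >> "$GITHUB_ENV"

      # Fails the job (exit-code 1) on MEDIUM or higher vulnerabilities.
      # TODO(review): `@master` is a mutable ref; pin this action to a release
      # tag or a full commit SHA so a compromised upstream cannot change what
      # runs here.
      - name: run trivy
        if: env.SKIP == '0'
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "${{ env.img }}:${{ env.tag }}"
          format: 'github'
          output: 'dependency-results.sbom.json'
          exit-code: '1'
          github-pat: "${{ secrets.GITHUB_TOKEN }}"
          severity: 'MEDIUM,CRITICAL,HIGH'
          scanners: "vuln"

      # Disabled until the registry side is ready; re-enable with the commented
      # condition so only main pushes publish.
      - name: push image
        # if: env.SKIP == '0' && github.ref == 'refs/heads/main'
        if: false
        env:
          # Passed via the environment rather than substituted into the script
          # text, so the token is not part of the command line bash traces.
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euxo pipefail
          # The original `-u $` passed a literal "$" as the username; the
          # triggering actor is the account the token belongs to.
          set +x
          echo "$REGISTRY_TOKEN" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
          set -x
          docker push "$img:$tag"
          docker push "$img:latest"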