ci #190
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - '**/Dockerfile' | |
| - '**/toolsets/*.json' | |
| pull_request: | |
| paths: | |
| - '**/Dockerfile' | |
| - '**/toolsets/*.json' | |
| - '**/.github/workflows/ci.yml' | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| packages: write | |
| pull-requests: write | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| platforms: ['linux/amd64,linux/arm64'] | |
| # platforms: ${{ github.ref == 'refs/heads/main' && fromJson('["linux/amd64,linux/arm64"]') || fromJson(format('["{0}", "{1}"]', 'linux/amd64','linux/arm64')) }} | |
| from-version: ['22.04', '20.04'] | |
| include: | |
| - from-version: '22.04' | |
| from-version-major: '22' | |
| from-version-minor: '04' | |
| distro: 'ubuntu' | |
| codename: 'jammy' | |
| from-flavor: 'act' | |
| - from-version: '20.04' | |
| from-version-major: '20' | |
| from-version-minor: '04' | |
| distro: 'ubuntu' | |
| codename: 'focal' | |
| from-flavor: 'act' | |
| services: | |
| registry: | |
| image: registry:2 | |
| ports: | |
| - 5000:5000 | |
| env: | |
| BUILDKIT_PROGRESS: plain | |
| IMAGE_NAME: ${{ format('{0}-{1}', matrix.distro, matrix.from-flavor) }} | |
| IMAGE_REPOSITORY: ${{ format('{0}/{1}-{2}', vars.DOCKERHUB_USER || github.repository_owner, matrix.distro, matrix.from-flavor) }} | |
| SHA: ${{ github.event.pull_request.head.sha || github.event.after || github.sha }} | |
| TO_TAG: ${{ format('{0}/{1}/{2}-{3}:{4}', 'docker.io', vars.DOCKERHUB_USER, matrix.distro, matrix.from-flavor, matrix.from-version) }} | |
| REGISTRY: ${{ vars.DOCKERHUB_USER && 'docker.io' || 'ghcr.io' }} | |
| PATH_TO_IMAGE: /tmp/${{ matrix.distro }}-${{ matrix.from-version }}.tar | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Free up disk space | |
| uses: ./.github/actions/free-space | |
| with: | |
| deleteDotnet: 'true' | |
| deleteAndroid: 'true' | |
| - name: Set up QEMU | |
| uses: docker/[email protected] | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| with: | |
| driver: docker-container | |
| driver-opts: image=moby/buildkit:v0.12.2,network=host | |
| install: true | |
| use: true | |
| cleanup: true | |
| platforms: ${{ matrix.platforms }} | |
| # Login to github container registry | |
| # https://github.com/docker/login-action | |
| - name: Login to GitHub Container Registry | |
| uses: docker/[email protected] | |
| if: vars.DOCKERHUB_USER == '' | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # Login against a Docker registry | |
| # https://github.com/docker/login-action | |
| - name: Login to Docker Hub | |
| uses: docker/[email protected] | |
| if: vars.DOCKERHUB_USER != '' | |
| with: | |
| registry: docker.io | |
| username: ${{ vars.DOCKERHUB_USER }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| logout: true | |
| # Extract metadata (tags, labels) for Docker | |
| # https://github.com/docker/metadata-action | |
| - name: Extract Docker metadata | |
| id: meta | |
| uses: docker/[email protected] | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| images: ${{ github.actor == 'nektos/act' && env.IMAGE_REPOSITORY || env.REGISTRY_IMAGE }} | |
| tags: | | |
| type=sha,prefix=${{ matrix.from-version }}-,format=short,enable=${{ github.ref == 'refs/heads/main' }},priority=1000 | |
| type=raw,value=${{ matrix.from-version }},enable=${{ github.ref == 'refs/heads/main' }},priority=900 | |
| type=raw,value=${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }},priority=600 | |
| flavor: | | |
| latest=${{ github.ref == 'refs/heads/main' && matrix.from-version == '22.04' }} | |
| labels: | | |
| org.opencontainers.image.authors='${{ env.REPOSITORY_LINK }},${{ github.actor }}' | |
| org.opencontainers.image.description=${{ github.event.repository.description }} | |
| org.opencontainers.image.documentation=${{ env.REPOSITORY_LINK }} | |
| org.opencontainers.image.revision=${{ env.SHA }} | |
| org.opencontainers.image.source=${{ github.repositoryUrl }} | |
| org.opencontainers.image.title=${{ env.IMAGE_REPOSITORY }}:${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }} | |
| org.opencontainers.image.url=${{ env.REPOSITORY_LINK }}/blob/${{ env.SHA }}/linux/${{ matrix.distro }}/Dockerfile | |
| org.opencontainers.image.vendor=${{ github.repository_owner }} | |
| env: | |
| REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }} | |
| REPOSITORY_LINK: https://github.com/${{ github.repository }} | |
| # # Build and push Docker image with Buildx (don't push on PR) | |
| # # https://github.com/docker/build-push-action | |
| # - name: Build and push | |
| # id: build | |
| # uses: docker/build-push-action@v4 | |
| # with: | |
| # context: . | |
| # # github-token for the repository context | |
| # github-token: ${{ secrets.GITHUB_TOKEN }} | |
| # file: ./linux/${{ matrix.distro }}/Dockerfile | |
| # platforms: ${{ matrix.platforms }} | |
| # labels: ${{ steps.meta.outputs.labels }} | |
| # tags: ${{ steps.meta.outputs.tags }} | |
| # # tags: ${{ format('{0}:{1}-{2}', github.actor != 'nektos/act' && env.REGISTRY_IMAGE || env.IMAGE_REPOSITORY, matrix.from-version, github.head_ref || github.ref_name) }} | |
| # build-args: | | |
| # FROM_IMAGE=buildpack-deps | |
| # FROM_VERSION_MAJOR=${{ matrix.from-version-major }} | |
| # FROM_VERSION_MINOR=${{ matrix.from-version-minor }} | |
| # FROM_FLAVOR=${{ matrix.from-flavor }} | |
| # DISTRO=${{ matrix.distro }} | |
| # CODENAME=${{ matrix.codename }} | |
| # # caching to speed up the build | |
| # cache-from: | | |
| # ${{ format('type=registry,ref={0}:{1}', env.REGISTRY_IMAGE, matrix.from-version) }} | |
| # ${{ format('type=registry,ref={0}:cache-{1}', env.REGISTRY_IMAGE, matrix.codename) }} | |
| # # don't export cache on PR | |
| # cache-to: ${{ github.ref == 'refs/heads/main' && format('type=registry,ref={0}:cache-{1},mode=max', env.REGISTRY_IMAGE, matrix.codename) || '' }} | |
| # # this will give us some useful information about the build | |
| # provenance: mode=max | |
| # # push if not building with act | |
| # push: ${{ github.ref == 'refs/heads/main' }} | |
| # outputs: 'type=oci,dest=${{ env.PATH_TO_IMAGE }}' | |
| # env: | |
| # REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }} | |
| # Build and push Docker images | |
| - name: build image | |
| run: >- | |
| while IFS='' read -r line; do tags+=(-t "${line}"); done < <(echo "${DOCKER_METADATA_OUTPUT_JSON}" | jq -r '.tags[]') | |
| && docker build "${tags[@]}" | |
| --file linux/${{ matrix.distro }}/Dockerfile | |
| --cache-from ${{ format('type=registry,ref={0}:{1}', env.REGISTRY_IMAGE, matrix.from-version) }} | |
| --cache-from ${{ format('type=registry,ref={0}:cache-{1}', env.REGISTRY_IMAGE, matrix.codename) }} | |
| --build-arg FROM_IMAGE='buildpack-deps' | |
| --build-arg FROM_VERSION_MAJOR='${{ matrix.from-version-major }}' | |
| --build-arg FROM_VERSION_MINOR='${{ matrix.from-version-minor }}' | |
| --build-arg FROM_FLAVOR='${{ matrix.from-flavor }}' | |
| --build-arg DISTRO='${{ matrix.distro }}' | |
| --build-arg CODENAME='${{ matrix.codename }}' | |
| ${{ fromJson(env.IS_MAIN) && '--output=type=registry,push=true' || format('--output=type=docker,dest={0}', env.PATH_TO_IMAGE) }} | |
| --label org.opencontainers.image.authors='${{ env.TAG_AUTHORS }}' | |
| --label org.opencontainers.image.description='${{ github.event.repository.description }}' | |
| --label org.opencontainers.image.documentation='${{ env.REPOSITORY_LINK }}' | |
| --label org.opencontainers.image.revision='${{ env.SHA }}' | |
| --label org.opencontainers.image.source='${{ github.repositoryUrl }}' | |
| --label org.opencontainers.image.title='${{ env.TITLE_TAG }}' | |
| --label org.opencontainers.image.url='${{ env.REPOSITORY_LINK }}/blob/${{ env.SHA }}/linux/${{ matrix.distro }}/Dockerfile' | |
| --label org.opencontainers.image.vendor='${{ github.repository_owner }}' | |
| . | |
| env: | |
| IS_MAIN: ${{ github.ref == 'refs/heads/main' }} | |
| REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }} | |
| REPOSITORY_LINK: https://github.com/${{ github.repository }} | |
| TAG_AUTHORS: ${{ format('{0},{1}', env.REPOSITORY_LINK, github.triggering_actor) }} | |
| TITLE_TAG: ${{ format('{0}:{1}', env.IMAGE_REPOSITORY, github.head_ref || github.ref_name) }} | |
| # vulnerability scanning to verify PRs | |
| - name: Docker Scout | |
| id: docker-scout | |
| uses: docker/[email protected] | |
| with: | |
| # platform: linux/amd64 | |
| command: sbom,compare | |
| image: ${{ github.ref == 'refs/heads/main' && steps.meta.outputs.tags || env.PATH_TO_IMAGE }} | |
| type: ${{ github.ref == 'refs/heads/main' && 'image' || 'archive' }} | |
| to: ${{ env.TO_TAG }} | |
| ignore-unchanged: true | |
| only-severities: critical | |
| write-comment: ${{ github.event_name == 'pull_request' && github.actor != 'nektos/act' }} | |
| keep-previous-comments: true | |
| summary: ${{ github.event_name == 'pull_request' && github.actor != 'nektos/act' }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| organization: ${{ vars.DOCKERHUB_USER || github.repository_owner }} | |
| # ToDo: Move into a separate workflow and depend on ci and mega-linter | |
| approve-pr: | |
| name: Approve PR | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| if: contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) && github.event_name == 'pull_request' && needs.build.result == 'success' | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| actions: write | |
| steps: | |
| - name: Approve PR | |
| run: gh pr review --approve "$PR_URL" | |
| env: | |
| PR_URL: ${{github.event.pull_request.html_url}} | |
| GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
| # auto merge dependabot PRs | |
| - name: Merge DependaBot | |
| if: github.actor == 'dependabot[bot]' && github.event_name == 'pull_request' && needs.build.result == 'success' | |
| run: gh pr merge --auto --merge "$PR_URL" | |
| env: | |
| PR_URL: ${{github.event.pull_request.html_url}} | |
| GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |