
update Dockerfile, ci and readme (#46) #223


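# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
#
# CI for the Ubuntu "act" images. For every matrix entry (22.04 / 20.04) the
# build job logs in to Docker Hub (when the DOCKERHUB_USER variable is set) or
# ghcr.io (otherwise), builds linux/<distro>/Dockerfile, and either pushes the
# result (main) or writes it to a tar archive that Docker Scout scans (PRs).
# A second job approves PRs from the listed actors and enables auto-merge for
# dependabot once the build succeeded.
name: ci
on:
  push:
    branches: [main]
    paths:
      - '**/Dockerfile'
      - '**/toolsets/*.json'
      - '**/.github/workflows/ci.yml'
  pull_request:
    branches: [main]
  workflow_dispatch:
permissions:
  contents: read
  packages: write
  pull-requests: write
env:
  # Both values are the *strings* 'true' / 'false'. In expressions a string is
  # truthy whenever it is non-empty, so 'false' is truthy too — always compare
  # these with == 'true'; never use them bare in `if:` or `&&` chains.
  IS_NOT_ACT: ${{ github.actor != 'nektos/act' }}
  IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }}
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Pull requests build one image per platform (so each archive can be
        # scanned separately); every other event builds one multi-arch image.
        platforms: ${{ github.event_name == 'pull_request' && fromJson('["linux/amd64", "linux/arm64"]') || fromJson('["linux/amd64,linux/arm64"]') }}
        from-version: ['22.04', '20.04']
        include:
          - from-version: '22.04'
            from-version-major: '22'
            from-version-minor: '04'
            distro: 'ubuntu'
            codename: 'jammy'
            from-flavor: 'act'
          - from-version: '20.04'
            from-version-major: '20'
            from-version-minor: '04'
            distro: 'ubuntu'
            codename: 'focal'
            from-flavor: 'act'
    env:
      BUILDKIT_PROGRESS: plain
      # Archive the PR build is written to and that Docker Scout scans.
      FROM_IMAGE_PATH: /tmp/${{ matrix.distro }}-${{ matrix.from-version }}.tar
      IMAGE_NAME: ${{ format('{0}-{1}', matrix.distro, matrix.from-flavor) }}
      IMAGE_REPOSITORY: ${{ format('{0}/{1}-{2}', vars.DOCKERHUB_USER || github.repository_owner, matrix.distro, matrix.from-flavor) }}
      REGISTRY: ${{ vars.DOCKERHUB_USER && 'docker.io' || 'ghcr.io' }}
      # Commit the image is labelled with: PR head, pushed commit, or the ref's SHA.
      SHA: ${{ github.event.pull_request.head.sha || github.event.after || github.sha }}
      # Baseline image Docker Scout compares the PR build against. Keys of this
      # mapping cannot reference each other, so registry and owner are re-derived
      # with the same fallbacks as REGISTRY / IMAGE_REPOSITORY above (the old
      # value hard-coded docker.io and produced "docker.io//…" when
      # DOCKERHUB_USER was unset).
      TO_TAG: ${{ format('{0}/{1}/{2}-{3}:{4}', vars.DOCKERHUB_USER && 'docker.io' || 'ghcr.io', vars.DOCKERHUB_USER || github.repository_owner, matrix.distro, matrix.from-flavor, matrix.from-version) }}
    steps:
      - uses: actions/checkout@v4
      - name: Free up disk space
        uses: ./.github/actions/free-space
        with:
          deleteDotnet: 'true'
          deleteAndroid: 'true'
      # NOTE(review): the "@<ref>" of the docker/* actions below was mangled into
      # an e-mail-like token in the page this was recovered from; restore the
      # original pins from the repository (a full commit SHA is preferable to a
      # mutable tag for third-party actions).
      - name: Set up QEMU
        uses: docker/setup-qemu-action@<PINNED_REF>
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@<PINNED_REF>
        with:
          driver: docker-container
          driver-opts: image=moby/buildkit:v0.12.2,network=host
          install: true
          use: true
          cleanup: true
          platforms: ${{ matrix.platforms }}
      # Login against a Docker registry
      # https://github.com/docker/login-action
      # Docker Hub credentials win when present; otherwise the job token is used
      # against ghcr.io (read-only on pull requests from forks).
      - name: Login to ${{ env.REGISTRY }}
        uses: docker/login-action@<PINNED_REF>
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ vars.DOCKERHUB_USER || github.repository_owner }}
          password: ${{ secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }}
          logout: true
      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      # The computed tags are consumed by the "build image" step through
      # DOCKER_METADATA_OUTPUT_JSON; the labels here are not used by it.
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@<PINNED_REF>
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          images: ${{ github.actor == 'nektos/act' && env.IMAGE_REPOSITORY || env.REGISTRY_IMAGE }}
          tags: |
            type=sha,prefix=${{ matrix.from-version }}-,format=short,enable=${{ github.ref == 'refs/heads/main' }},priority=1000
            type=raw,value=${{ matrix.from-version }},enable=${{ github.ref == 'refs/heads/main' }},priority=900
            type=raw,value=${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }},priority=600
          flavor: |
            latest=${{ github.ref == 'refs/heads/main' && matrix.from-version == '22.04' }}
          labels: |
            org.opencontainers.image.authors='${{ env.REPOSITORY_LINK }},${{ github.actor }}'
            org.opencontainers.image.description=${{ github.event.repository.description }}
            org.opencontainers.image.documentation=${{ env.REPOSITORY_LINK }}
            org.opencontainers.image.revision=${{ env.SHA }}
            org.opencontainers.image.source=${{ github.repositoryUrl }}
            org.opencontainers.image.title=${{ env.IMAGE_REPOSITORY }}:${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }}
            org.opencontainers.image.url=${{ env.REPOSITORY_LINK }}/blob/${{ env.SHA }}/linux/${{ matrix.distro }}/Dockerfile
            org.opencontainers.image.vendor=${{ github.repository_owner }}
        env:
          REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }}
          REPOSITORY_LINK: https://github.com/${{ github.repository }}
      # # Build and push Docker image with Buildx (don't push on PR)
      # # https://github.com/docker/build-push-action
      # - name: Build and push
      #   id: build
      #   uses: docker/build-push-action@v4
      #   with:
      #     context: .
      #     # github-token for the repository context
      #     github-token: ${{ secrets.GITHUB_TOKEN }}
      #     file: ./linux/${{ matrix.distro }}/Dockerfile
      #     platforms: ${{ matrix.platforms }}
      #     labels: ${{ steps.meta.outputs.labels }}
      #     tags: ${{ steps.meta.outputs.tags }}
      #     # tags: ${{ format('{0}:{1}-{2}', env.IS_NOT_ACT && env.REGISTRY_IMAGE || env.IMAGE_REPOSITORY, matrix.from-version, github.head_ref || github.ref_name) }}
      #     build-args: |
      #       FROM_IMAGE=buildpack-deps
      #       FROM_VERSION_MAJOR=${{ matrix.from-version-major }}
      #       FROM_VERSION_MINOR=${{ matrix.from-version-minor }}
      #       FROM_FLAVOR=${{ matrix.from-flavor }}
      #       DISTRO=${{ matrix.distro }}
      #       CODENAME=${{ matrix.codename }}
      #     # caching to speed up the build
      #     cache-from: |
      #       ${{ format('type=registry,ref={0}:{1}', env.REGISTRY_IMAGE, matrix.from-version) }}
      #       ${{ format('type=registry,ref={0}:cache-{1}', env.REGISTRY_IMAGE, matrix.codename) }}
      #     # don't export cache on PR
      #     cache-to: ${{ github.ref == 'refs/heads/main' && format('type=registry,ref={0}:cache-{1},mode=max', env.REGISTRY_IMAGE, matrix.codename) || '' }}
      #     # this will give us some useful information about the build
      #     push: ${{ github.ref == 'refs/heads/main' }}
      #     provenance: mode=max
      #     # push if not building with act
      #     outputs: 'type=oci,dest=${{ env.FROM_IMAGE_PATH }}'
      #   env:
      #     REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }}
      # Get the architecture to use for the cache tag (only needed on PRs, where
      # matrix.platforms is a single platform and a per-arch cache is exported).
      # `if: env.IS_PULL_REQUEST` ran on every event because the string 'false'
      # is truthy; the explicit comparison restores the intended gate.
      - name: get arch
        id: cache-arch
        if: env.IS_PULL_REQUEST == 'true'
        run: >-
          printf "CACHE_ARCH=%s\n" "$(
          docker run
          --quiet
          --platform ${{ matrix.platforms }}
          --rm
          "${PULL_IMAGE}"
          /bin/bash -c "dpkg --print-architecture"
          )" >> "$GITHUB_OUTPUT"
        env:
          PULL_IMAGE: ubuntu:22.04
      # Build and push Docker images
      # Values a PR author can influence (the branch name inside TITLE_TAG, the
      # repository description) are read from the step environment by the shell
      # ("${VAR}") instead of being expanded into the script by ${{ }}, so a
      # quote character in them cannot break out of the command line.
      - name: build image
        run: >-
          while IFS='' read -r line; do tags+=(-t "${line}"); done < <(echo "${DOCKER_METADATA_OUTPUT_JSON}" | jq -r '.tags[]')
          && docker build "${tags[@]}"
          --file linux/${{ matrix.distro }}/Dockerfile
          --platform ${{ matrix.platforms }}
          --cache-from ${{ format('type=registry,ref={0}:{1}', env.REGISTRY_IMAGE, matrix.from-version) }}
          --cache-from ${{ format('type=registry,ref={0}:cache-{1}-{2}', env.REGISTRY_IMAGE, matrix.codename, 'amd64') }}
          --cache-from ${{ format('type=registry,ref={0}:cache-{1}-{2}', env.REGISTRY_IMAGE, matrix.codename, 'arm64') }}
          --ulimit=nofile=4096:4096
          ${{ (env.IS_PULL_REQUEST == 'true' && env.IS_NOT_ACT == 'true') && format('--cache-to type=registry,ref={0}:cache-{1}-{2},mode=max', env.REGISTRY_IMAGE, matrix.codename, steps.cache-arch.outputs.CACHE_ARCH) || '' }}
          --build-arg FROM_IMAGE='buildpack-deps'
          --build-arg FROM_VERSION_MAJOR='${{ matrix.from-version-major }}'
          --build-arg FROM_VERSION_MINOR='${{ matrix.from-version-minor }}'
          --build-arg CODENAME='${{ matrix.codename }}'
          --build-arg FROM_FLAVOR='${{ matrix.from-flavor }}'
          --build-arg DISTRO='${{ matrix.distro }}'
          --output=type=${{ env.OUTPUT_TYPE }},${{ env.OUTPUT_KIND }}
          --label org.opencontainers.image.authors="${TAG_AUTHORS}"
          --label org.opencontainers.image.description="${REPO_DESCRIPTION}"
          --label org.opencontainers.image.documentation="${REPOSITORY_LINK}"
          --label org.opencontainers.image.revision="${SHA}"
          --label org.opencontainers.image.source='${{ github.repositoryUrl }}'
          --label org.opencontainers.image.title="${TITLE_TAG}"
          --label org.opencontainers.image.url="${REPOSITORY_LINK}/blob/${SHA}/linux/${{ matrix.distro }}/Dockerfile"
          --label org.opencontainers.image.vendor='${{ github.repository_owner }}'
          .
        env:
          IS_MAIN: ${{ github.ref == 'refs/heads/main' }}
          # main: push to the registry; everything else: write the archive that
          # Docker Scout scans. The ref check is repeated instead of reading
          # IS_MAIN because keys of one env mapping cannot reference each other.
          OUTPUT_KIND: ${{ github.ref == 'refs/heads/main' && 'push=true' || format('dest={0}', env.FROM_IMAGE_PATH) }}
          OUTPUT_TYPE: ${{ github.ref == 'refs/heads/main' && 'registry' || 'docker' }}
          REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }}
          REPO_DESCRIPTION: ${{ github.event.repository.description }}
          REPOSITORY_LINK: https://github.com/${{ github.repository }}
          TAG_AUTHORS: ${{ format('{0},{1}', env.REPOSITORY_LINK, github.triggering_actor) }}
          TITLE_TAG: ${{ format('{0}:{1}', env.IMAGE_REPOSITORY, github.head_ref || github.ref_name) }}
      # vulnerability scanning to verify PRs (same truthiness fix as "get arch")
      - name: Docker Scout
        id: docker-scout
        uses: docker/scout-action@<PINNED_REF>
        if: env.IS_PULL_REQUEST == 'true'
        with:
          platform: ${{ matrix.platforms }}
          command: quickview
          image: ${{ env.FROM_IMAGE_PATH }}
          type: archive
          to: ${{ env.TO_TAG }}
          ignore-unchanged: true
          only-severities: critical
          write-comment: ${{ env.IS_NOT_ACT }}
          summary: ${{ env.IS_NOT_ACT }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          organization: ${{ vars.DOCKERHUB_USER || github.repository_owner }}
  # Runs only for pull requests triggered by the listed actors after a
  # successful build; the review is an approval, not a merge.
  approve-pr:
    name: Approve PR
    runs-on: ubuntu-latest
    needs: [build]
    if: github.actor != 'nektos/act' && contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) && github.event_name == 'pull_request' && needs.build.result == 'success'
    permissions:
      contents: read
      pull-requests: write
      actions: write
    steps:
      # approve the PR (there is still a code-owner review necessary)
      - name: Approve PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # auto merge dependabot PRs
      - name: Merge DependaBot
        if: github.actor == 'dependabot[bot]' && needs.build.result == 'success'
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}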