fix tag validation #238
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
name: ci | |
on: | |
push: | |
paths: | |
- '**/Dockerfile' | |
- '**/toolsets/*.json' | |
- '**/.github/workflows/ci.yml' | |
- '**/docker-bake.hcl' | |
pull_request: | |
branches: [main] | |
workflow_dispatch: | |
permissions: | |
contents: read | |
packages: write | |
pull-requests: write | |
env: | |
REGISTRY: ${{ vars.DOCKERHUB_USER && 'docker.io' || 'ghcr.io' }} | |
REGISTRY_USER: ${{ vars.DOCKERHUB_USER || github.repository_owner }} | |
GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.event.after || github.sha }} | |
BUILDKIT_PROGRESS: plain | |
jobs: | |
test: | |
runs-on: ubuntu-latest | |
env: | |
REGISTRY: ${{ vars.DOCKERHUB_USER && 'docker.io' || 'ghcr.io' }} | |
outputs: | |
targets: ${{ steps.matrix.outputs.targets }} | |
steps: | |
# kics-scan ignore-line | |
- uses: actions/checkout@v4 | |
# kics-scan ignore-line | |
- uses: docker/[email protected] | |
name: Set up QEMU | |
- name: Set up Docker Buildx | |
# kics-scan ignore-line | |
uses: docker/[email protected] | |
- name: get docker binary path | |
id: docker-binary-path | |
run: echo "DOCKER_BINARY_PATH=$(which docker)" >> "$GITHUB_OUTPUT" | |
- name: print bake file with empty env | |
id: bake-file-no-env | |
run: env -i ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }} buildx bake --print | |
- name: verify tag ends on -local | |
run: | | |
BAKE_TAG="$(env -i ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }} buildx bake --print | jq -r '[.target[].tags[]][0]')" | |
[[ "${BAKE_TAG}" == *"-local" ]] || exit 1 | |
- name: print bake file | |
run: docker buildx bake --print | |
- name: validate tag | |
run: | | |
BAKE_TAG="$(docker buildx bake --print | jq -r '[.target[].tags[]][0]')" | |
[[ "${BAKE_TAG}" == *"-${{ github.base_ref || github.ref_name}}" ]] || exit 1 | |
- name: Create matrix | |
id: matrix | |
run: printf "targets=%s\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" >>"${GITHUB_OUTPUT}" | |
- name: Show matrix | |
run: echo '${{ steps.matrix.outputs.targets }}' | jq | |
build: | |
needs: test | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
targets: ${{ fromJson(needs.test.outputs.targets) }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Free up disk space | |
# kics-scan ignore-line | |
uses: ./.github/actions/free-space | |
with: | |
deleteDotnet: 'true' | |
deleteAndroid: 'true' | |
# kics-scan ignore-line | |
- uses: docker/[email protected] | |
name: Set up QEMU | |
# kics-scan ignore-line | |
- uses: docker/[email protected] | |
name: Set up Docker Buildx | |
with: | |
driver: docker-container | |
driver-opts: image=moby/buildkit:v0.12.2 | |
# driver: ${{ github.event_name == 'pull_request' && 'docker' || 'docker-container' }} | |
# Login against a container registry | |
# https://github.com/docker/login-action | |
# kics-scan ignore-line | |
- uses: docker/[email protected] | |
name: Login to ${{ env.REGISTRY }} | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ vars.DOCKERHUB_USER || github.repository_owner }} | |
password: ${{ secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
logout: true | |
# Bake the image | |
# kics-scan ignore-line | |
- uses: docker/[email protected] | |
name: Build and Push | |
id: bake | |
with: | |
files: docker-bake.hcl | |
targets: ${{ matrix.targets }} | |
sbom: true | |
provenance: true | |
push: ${{ github.event_name != 'pull_request' }} | |
# # vulnerability scanning to verify PRs | |
# - name: Docker Scout | |
# id: docker-scout | |
# uses: docker/[email protected] | |
# if: github.event_name == 'pull_request' | |
# with: | |
# platform: ${{ matrix.platforms }} | |
# command: quickview | |
# image: ${{ env.FROM_IMAGE_PATH }} | |
# type: archive | |
# to: ${{ env.TO_TAG }} | |
# ignore-unchanged: true | |
# only-severities: critical | |
# write-comment: ${{ github.actor != 'nektos/act' }} | |
# summary: ${{ github.actor != 'nektos/act' }} | |
# github-token: ${{ secrets.GITHUB_TOKEN }} | |
# organization: ${{ vars.DOCKERHUB_USER || github.repository_owner }} | |
approve-pr: | |
name: Approve PR | |
runs-on: ubuntu-latest | |
needs: [build] | |
if: >- | |
${{ github.actor != 'nektos/act' && | |
contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) && | |
github.event_name == 'pull_request' && | |
needs.build.result == 'success' }} | |
permissions: | |
contents: read | |
pull-requests: write | |
actions: write | |
steps: | |
# approve the PR (there is still a code-owner review necessary) | |
- name: Approve PR | |
run: gh pr review --approve "$PR_URL" | |
env: | |
PR_URL: ${{github.event.pull_request.html_url}} | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
# auto merge dependabot PRs | |
- name: Merge DependaBot | |
if: github.actor == 'dependabot[bot]' && needs.build.result == 'success' | |
run: gh pr merge --auto --merge "$PR_URL" | |
env: | |
PR_URL: ${{github.event.pull_request.html_url}} | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |