
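---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
#
# CI for the container images:
#   test       - validates docker-bake.hcl (tag-suffix checks) and discovers
#                the bake targets that feed the build matrix
#   build      - bakes every discovered target and pushes it (not on PRs)
#   approve-pr - auto-approves PRs from an allow-listed set of actors
#
# NOTE(review): every `uses:` reference in this copy renders as
# "[email protected]" (extraction artifact). Restore each reference and pin it
# to a full-length commit SHA rather than a mutable tag, so a re-pointed tag
# cannot change the code that runs with the registry credentials.
name: ci
on:
  push:
    paths:
      - '**/Dockerfile'
      - '**/toolsets/*.json'
      - '**/.github/workflows/ci.yml'
      - '**/docker-bake.hcl'
  pull_request:
    branches: [main]
  workflow_dispatch:
# Workflow-wide token is read-only; write scopes are granted per job below
# (least privilege). `test` only inspects the bake file and never pushes.
permissions:
  contents: read
env:
  REGISTRY: ${{ vars.DOCKERHUB_USERNAME && 'docker.io' || 'ghcr.io' }}
  REGISTRY_USER: ${{ vars.DOCKERHUB_USERNAME || github.repository_owner }}
  # Prefer the PR head commit (then the pushed commit) over github.sha.
  # NOTE(review): this shadows the runner's default GITHUB_SHA variable;
  # confirm docker-bake.hcl is the intended consumer.
  GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.event.after || github.sha }}
  BUILDKIT_PROGRESS: plain
jobs:
  test:
    runs-on: ubuntu-latest
    env:
      REGISTRY: ${{ vars.DOCKERHUB_USERNAME && 'docker.io' || 'ghcr.io' }}
    outputs:
      # JSON array of bake target names, consumed by build.strategy.matrix
      targets: ${{ steps.matrix.outputs.targets }}
    steps:
      - name: Checkout code
        # kics-scan ignore-line
        uses: actions/[email protected]
      - name: Setup QEMU
        # kics-scan ignore-line
        uses: docker/[email protected]
      - name: Setup Docker Buildx
        # kics-scan ignore-line
        uses: docker/[email protected]
      - name: Get the docker binary path
        id: docker-binary-path
        run: echo "DOCKER_BINARY_PATH=$(which docker)" >> "$GITHUB_OUTPUT"
      # Expression values are handed to the steps through `env:` and expanded
      # by the shell, instead of being interpolated into the script text, so a
      # value containing quotes or metacharacters cannot alter the command line.
      - name: Print the bake file with a empty env
        id: bake-file-no-env
        env:
          DOCKER_BINARY_PATH: ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }}
        run: env -i "$DOCKER_BINARY_PATH" buildx bake --print
      - name: Verify the tag ends on -local
        env:
          DOCKER_BINARY_PATH: ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }}
        run: |
          BAKE_TAG="$(env -i "$DOCKER_BINARY_PATH" buildx bake --print | jq -r '[.target[].tags[]][0]')"
          [[ "${BAKE_TAG}" == *"-local" ]] || exit 1
      - name: Print the bake file with the runner env
        run: docker buildx bake --print
      - name: Validate tag ends on -${{ github.base_ref || github.ref_name }}
        env:
          # PR target branch, or the pushed branch/tag name outside of PRs
          EXPECTED_SUFFIX: ${{ github.base_ref || github.ref_name }}
        run: |
          BAKE_TAG="$(docker buildx bake --print | jq -r '[.target[].tags[]][0]')"
          [[ "${BAKE_TAG}" == *"-${EXPECTED_SUFFIX}" ]] || exit 1
      - name: Create matrix
        id: matrix
        run: printf "targets=%s\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" >>"${GITHUB_OUTPUT}"
      # On pull_request the checked-out docker-bake.hcl comes from the PR
      # branch, so the target names are PR-author-controlled: pass them via
      # env, never splice them into the script.
      - name: Show matrix
        env:
          TARGETS: ${{ steps.matrix.outputs.targets }}
        run: printf '%s\n' "$TARGETS" | jq
  build:
    needs: test
    runs-on: ubuntu-latest
    # The only job that pushes images; `packages: write` is needed for
    # GITHUB_TOKEN pushes to ghcr.io. Pushing is skipped on pull_request.
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        targets: ${{ fromJson(needs.test.outputs.targets) }}
    steps:
      - uses: actions/[email protected]
      - name: Free up disk space
        # kics-scan ignore-line
        uses: ./.github/actions/free-space
        with:
          deleteDotnet: 'true'
          deleteAndroid: 'true'
      - name: Setup QEMU
        # kics-scan ignore-line
        uses: docker/[email protected]
      - name: Setup Docker Buildx
        # kics-scan ignore-line
        uses: docker/[email protected]
        with:
          driver: docker-container
          # BuildKit image pinned by version tag
          driver-opts: image=moby/buildkit:v0.12.2
          # driver: ${{ github.event_name == 'pull_request' && 'docker' || 'docker-container' }}
      # Login against a container registry
      # https://github.com/docker/login-action
      # DOCKERHUB_TOKEN is used when a Docker Hub username is configured,
      # otherwise the job token logs in to ghcr.io.
      # kics-scan ignore-line
      - uses: docker/[email protected]
        name: Login to ${{ env.REGISTRY }}
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ vars.DOCKERHUB_USERNAME || github.repository_owner }}
          password: ${{ secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }}
          logout: true
      # Bake the image; SBOM and provenance attestations are attached to
      # every pushed image.
      # kics-scan ignore-line
      - uses: docker/[email protected]
        name: Build and Push
        id: bake
        with:
          files: docker-bake.hcl
          targets: ${{ matrix.targets }}
          sbom: true
          provenance: true
          push: ${{ github.event_name != 'pull_request' }}
      # # vulnerability scanning to verify PRs
      # # (re-enabling `write-comment` also needs `pull-requests: write` on this job)
      # - name: Docker Scout
      #   id: docker-scout
      #   uses: docker/[email protected]
      #   if: github.event_name == 'pull_request'
      #   with:
      #     platform: ${{ matrix.platforms }}
      #     command: quickview
      #     image: ${{ env.FROM_IMAGE_PATH }}
      #     type: archive
      #     to: ${{ env.TO_TAG }}
      #     ignore-unchanged: true
      #     only-severities: critical
      #     write-comment: ${{ github.actor != 'nektos/act' }}
      #     summary: ${{ github.actor != 'nektos/act' }}
      #     github-token: ${{ secrets.GITHUB_TOKEN }}
      #     organization: ${{ vars.DOCKERHUB_USERNAME || github.repository_owner }}
  approve-pr:
    name: Approve PR
    runs-on: ubuntu-latest
    needs: [build]
    # NOTE(review): github.triggering_actor is whoever caused this run
    # (including a maintainer re-running a third party's PR), not the PR
    # author. If the intent is "PRs opened by these actors", compare
    # github.event.pull_request.user.login instead - confirm.
    if: >-
      ${{ github.actor != 'nektos/act' &&
      contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) &&
      github.event_name == 'pull_request' &&
      needs.build.result == 'success' }}
    permissions:
      contents: read
      pull-requests: write
      # NOTE(review): not used by the visible step; drop unless something
      # else in this job needs it.
      actions: write
    steps:
      # approve the PR (there is still a code-owner review necessary)
      - name: Approve PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}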