some small config / format / readme updates (#50) #244
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
name: ci | |
on: | |
push: | |
paths: | |
- '**/Dockerfile' | |
- '**/toolsets/*.json' | |
- '**/.github/workflows/ci.yml' | |
- '**/docker-bake.hcl' | |
pull_request: | |
branches: [main] | |
workflow_dispatch: | |
permissions: | |
contents: read | |
packages: write | |
pull-requests: write | |
env: | |
REGISTRY: ${{ vars.DOCKERHUB_USERNAME && 'docker.io' || 'ghcr.io' }} | |
REGISTRY_USER: ${{ vars.DOCKERHUB_USERNAME || github.repository_owner }} | |
GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.event.after || github.sha }} | |
BUILDKIT_PROGRESS: plain | |
jobs: | |
test: | |
runs-on: ubuntu-latest | |
env: | |
REGISTRY: ${{ vars.DOCKERHUB_USERNAME && 'docker.io' || 'ghcr.io' }} | |
outputs: | |
targets: ${{ steps.matrix.outputs.targets }} | |
steps: | |
- name: Checkout code | |
# kics-scan ignore-line | |
uses: actions/[email protected] | |
- name: Setup QEMU | |
# kics-scan ignore-line | |
uses: docker/[email protected] | |
- name: Setup Docker Buildx | |
# kics-scan ignore-line | |
uses: docker/[email protected] | |
- name: Get the docker binary path | |
id: docker-binary-path | |
run: echo "DOCKER_BINARY_PATH=$(which docker)" >> "$GITHUB_OUTPUT" | |
- name: Print the bake file with a empty env | |
id: bake-file-no-env | |
run: env -i ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }} buildx bake --print | |
- name: Verify the tag ends on -local | |
run: | | |
BAKE_TAG="$(env -i ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }} buildx bake --print | jq -r '[.target[].tags[]][0]')" | |
[[ "${BAKE_TAG}" == *"-local" ]] || exit 1 | |
- name: Print the bake file with the runner env | |
run: docker buildx bake --print | |
- name: Validate tag ends on -${{ github.base_ref || github.ref_name }} | |
run: | | |
BAKE_TAG="$(docker buildx bake --print | jq -r '[.target[].tags[]][0]')" | |
[[ "${BAKE_TAG}" == *"-${{ github.base_ref || github.ref_name}}" ]] || exit 1 | |
- name: Create matrix | |
id: matrix | |
run: printf "targets=%s\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" >>"${GITHUB_OUTPUT}" | |
- name: Show matrix | |
run: "echo '${{ steps.matrix.outputs.targets }}' | jq" | |
build: | |
needs: test | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
targets: ${{ fromJson(needs.test.outputs.targets) }} | |
steps: | |
- uses: actions/[email protected] | |
- name: Free up disk space | |
# kics-scan ignore-line | |
uses: ./.github/actions/free-space | |
with: | |
deleteDotnet: 'true' | |
deleteAndroid: 'true' | |
- name: Setup QEMU | |
# kics-scan ignore-line | |
uses: docker/[email protected] | |
- name: Setup Docker Buildx | |
# kics-scan ignore-line | |
uses: docker/[email protected] | |
with: | |
driver: docker-container | |
driver-opts: image=moby/buildkit:v0.12.2 | |
# driver: ${{ github.event_name == 'pull_request' && 'docker' || 'docker-container' }} | |
# Login against a container registry | |
# https://github.com/docker/login-action | |
# kics-scan ignore-line | |
- uses: docker/[email protected] | |
name: Login to ${{ env.REGISTRY }} | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ vars.DOCKERHUB_USERNAME || github.repository_owner }} | |
password: ${{ secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
logout: true | |
# Bake the image | |
# kics-scan ignore-line | |
- uses: docker/[email protected] | |
name: Build and Push | |
id: bake | |
with: | |
files: docker-bake.hcl | |
targets: ${{ matrix.targets }} | |
sbom: true | |
provenance: true | |
push: ${{ github.event_name != 'pull_request' }} | |
# # vulnerability scanning to verify PRs | |
# - name: Docker Scout | |
# id: docker-scout | |
# uses: docker/[email protected] | |
# if: github.event_name == 'pull_request' | |
# with: | |
# platform: ${{ matrix.platforms }} | |
# command: quickview | |
# image: ${{ env.FROM_IMAGE_PATH }} | |
# type: archive | |
# to: ${{ env.TO_TAG }} | |
# ignore-unchanged: true | |
# only-severities: critical | |
# write-comment: ${{ github.actor != 'nektos/act' }} | |
# summary: ${{ github.actor != 'nektos/act' }} | |
# github-token: ${{ secrets.GITHUB_TOKEN }} | |
# organization: ${{ vars.DOCKERHUB_USERNAME || github.repository_owner }} | |
approve-pr: | |
name: Approve PR | |
runs-on: ubuntu-latest | |
needs: [build] | |
if: >- | |
${{ github.actor != 'nektos/act' && | |
contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) && | |
github.event_name == 'pull_request' && | |
needs.build.result == 'success' }} | |
permissions: | |
contents: read | |
pull-requests: write | |
actions: write | |
steps: | |
# approve the PR (there is still a code-owner review necessary) | |
- name: Approve PR | |
run: gh pr review --approve "$PR_URL" | |
env: | |
PR_URL: ${{github.event.pull_request.html_url}} | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |