Minor improvements #270

Workflow file for this run

	---
	# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json

	name: ci

	on:
	push:
	branches: [main]
	paths:
	- '**/Dockerfile'
	- '**/.github/workflows/ci.yml'
	- '**/docker-bake.hcl'
	pull_request:
	branches: [main]
	workflow_dispatch:

	permissions:
	contents: read

	env:
	REGISTRY: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && 'docker.io' \|\| 'ghcr.io' }}
	REGISTRY_USER: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && vars.DOCKERHUB_USERNAME \|\| github.repository_owner }}
	GITHUB_SHA: ${{ github.event.pull_request.head.sha \|\| github.event.after \|\| github.sha }}
	BUILDKIT_PROGRESS: plain

	jobs:
	test:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	# kics-scan ignore-line
	uses: actions/[email protected]

	- name: Setup Docker Buildx
	# kics-scan ignore-line
	uses: docker/[email protected]

	# get docker binary path to use it with env -i
	- name: Get the docker binary path
	id: docker-binary-path
	run: echo "DOCKER_BINARY_PATH=$(which docker)" >> "$GITHUB_OUTPUT"

	- name: Print the bake file with a empty env
	id: bake-file-no-env
	run: env -i ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }} buildx bake --print

	- name: Verify the tags end on -local
	run: \|
	while IFS='' read -r container_tag; do
	printf "Container tag: %s\n" "${container_tag}"
	[[ "${container_tag}" == *"-local" ]] \|\| exit 1
	done < <(env -i ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }} buildx bake --print \| jq -r '.target[].tags[0]')

	- name: Print the bake file with the runner env
	run: docker buildx bake --print

	- name: Verify the tags end on -${{ github.head_ref \|\| github.ref_name }}
	run: \|
	while IFS='' read -r container_tag; do
	printf "Container tag: %s\n" "${container_tag}"
	[[ "${container_tag}" == *"-${REF}" ]] \|\| exit 1
	done < <(docker buildx bake --print \| jq -r '.target[].tags[0]')
	env:
	REF: ${{ github.head_ref \|\| github.ref_name}}

	generate-jobs:
	needs: [test]
	runs-on: ubuntu-latest
	outputs:
	targets: ${{ steps.targets.outputs.matrix }}
	platforms: ${{ steps.platforms.outputs.matrix }}
	steps:
	- name: Checkout code
	uses: actions/[email protected]

	- name: Generate targets matrix
	id: targets
	run: \|
	printf "matrix=%s\n" "$(docker buildx bake --print \| jq -r '"\(.target \| keys)"')" >>"${GITHUB_OUTPUT}"
	# printf "matrix={\"targets\":%s}\n" "$(docker buildx bake --print \| jq -r '"\(.target \| keys)"')" >>"${GITHUB_OUTPUT}"

	- name: Show targets matrix
	run: "echo '${{ steps.targets.outputs.matrix }}' \| jq"

	- name: Generate platforms matrix
	id: platforms
	run: \|
	printf "matrix=%s\n" "$(docker buildx bake --print \| jq -cr '[.target[].platforms[]]\|unique')" >>"${GITHUB_OUTPUT}"
	# printf "matrix=[{\"targets\":%s},{\"platforms\":%s}]\n" "$(docker buildx bake --print \| jq -r '"\(.target \| keys)"')" "$(docker buildx bake --print \| jq -cr '[.target[].platforms[]]\|unique')" >>"${GITHUB_OUTPUT}"

	- name: Show platforms matrix
	run: "echo '${{ steps.platforms.outputs.matrix }}' \| jq"

	build:
	needs: [generate-jobs]
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: write
	pull-requests: write
	security-events: write
	strategy:
	matrix:
	targets: ${{ fromJson(needs.generate-jobs.outputs.targets) }}
	platforms: ${{ github.event_name == 'pull_request' && fromJson(needs.generate-jobs.outputs.platforms) \|\| '[]' }}
	steps:
	- name: Checkout code
	uses: actions/[email protected]

	- name: Get meta data
	id: meta
	run: \|
	{
	printf "arch=%s\n" "${arch/\//-}";
	printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print \| jq -r '.target[].tags[0]')";
	printf "main_tag=%s\n" "$(REF_NAME=main docker buildx bake ${{ matrix.targets }} --print \| jq -r '.target[].tags[0]')";
	} >> "$GITHUB_OUTPUT"
	# printf "arch=%s\n" "${arch/\//-}" >> "$GITHUB_OUTPUT"
	# printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print \| jq -r '.target[].tags[0]')" >> "$GITHUB_OUTPUT"
	# printf "main_tag=%s\n" "$(REF_NAME=main docker buildx bake ${{ matrix.targets }} --print \| jq -r '.target[].tags[0]')" >> "$GITHUB_OUTPUT"
	env:
	arch: ${{ matrix.platforms }}

	- name: Setup QEMU
	# kics-scan ignore-line
	uses: docker/[email protected]
	with:
	platforms: ${{ steps.meta.outputs.arch }}
	# image: 'tonistiigi/binfmt:buildkit-latest'

	- name: Setup Docker Buildx
	# kics-scan ignore-line
	uses: docker/[email protected]
	with:
	driver: ${{ github.event_name == 'pull_request' && 'docker' \|\| 'docker-container' }}
	driver-opts: \|
	${{ github.event_name == 'pull_request' && 'network=host' \|\| '' }}
	# image=moby/buildkit:latest

	# Login against a container registry
	# https://github.com/docker/login-action
	# kics-scan ignore-line
	- uses: docker/[email protected]
	name: Login to ${{ env.REGISTRY }}
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ env.REGISTRY_USER }}
	password: ${{ env.REGISTRY == 'docker.io' && secrets.DOCKERHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	logout: true

	# Free up space on the runner since the image is huge
	# kics-scan ignore-line
	- uses: ./.github/actions/free-space
	name: Free up disk space
	with:
	deleteDotnet: 'true'
	deleteAndroid: 'true'

	# Bake the image
	# kics-scan ignore-line
	- uses: docker/[email protected]
	name: Build and Push
	id: bake
	with:
	files: docker-bake.hcl
	targets: ${{ matrix.targets }}
	sbom: ${{ github.event_name != 'pull_request' }}
	provenance: ${{ github.event_name != 'pull_request' }}
	set: \|
	${{ github.event_name == 'pull_request' && format('*.platform={0}', matrix.platforms) \|\| '' }}
	${{ github.event_name == 'pull_request' && format('*.tags={0}-{1}', steps.meta.outputs.tag, steps.meta.outputs.arch) \|\| '' }}
	${{ github.event_name == 'pull_request' && '*.cache-to=' \|\| '' }}
	push: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
	load: ${{ github.event_name == 'pull_request' }}

	# vulnerability scanning
	# kics-scan ignore-line
	- uses: docker/[email protected]
	name: Analyze for critical and high CVEs
	id: docker-scout-cves
	if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
	with:
	command: cves
	image: ${{ steps.meta.outputs.tag }}
	sarif-file: sarif.output.json
	summary: false
	- name: Upload SARIF result
	id: upload-sarif
	if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
	# kics-scan ignore-line
	uses: github/codeql-action/[email protected]
	with:
	sarif_file: sarif.output.json

	# vulnerability scanning to verify PRs
	# kics-scan ignore-line
	- uses: docker/[email protected]
	name: Docker Scout PR Quickview
	id: pr-quickview
	if: ${{ github.event_name == 'pull_request' && steps.meta.outputs.tag != steps.meta.outputs.main_tag }}
	with:
	platform: ${{ matrix.platforms }}
	command: compare
	image: ${{ format('{0}-{1}', steps.meta.outputs.tag, steps.meta.outputs.arch) }}
	to: ${{ steps.meta.outputs.main_tag }}
	ignore-unchanged: true
	only-severities: critical,high
	write-comment: ${{ github.actor != 'nektos/act' }}
	summary: ${{ github.actor != 'nektos/act' }}
	github-token: ${{ secrets.GITHUB_TOKEN }}

	approve-pr:
	name: Approve PR
	runs-on: ubuntu-latest
	needs: [build]
	if: >-
	${{ github.actor != 'nektos/act' &&
	contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) &&
	github.event_name == 'pull_request' &&
	needs.build.result == 'success' }}
	permissions:
	contents: read
	pull-requests: write
	actions: write
	steps:
	# approve the PR (there is still a code-owner review necessary)
	- name: Approve PR
	run: gh pr review --approve "$PR_URL"
	env:
	PR_URL: ${{github.event.pull_request.html_url}}
	GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Minor improvements #270

Workflow file

Minor improvements #270

Jobs

Run details

Workflow file for this run