Skip to content

update versions, move locales to baseimage #279

update versions, move locales to baseimage

update versions, move locales to baseimage #279

Workflow file for this run

---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: ci
on:
push:
paths:
- '**/Dockerfile'
- '**/.github/workflows/ci.yml'
- '**/docker-bake.hcl'
pull_request:
branches: [main]
workflow_dispatch:
permissions:
contents: read
env:
REGISTRY: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && 'docker.io' || 'ghcr.io' }}
REGISTRY_USER: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && vars.DOCKERHUB_USERNAME || github.repository_owner }}
GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.event.after || github.sha }}
BUILDKIT_PROGRESS: plain
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/[email protected]
- name: Setup Docker Buildx
# kics-scan ignore-line
uses: docker/[email protected]
# get docker binary path to use it with env -i
- name: Get the docker binary path
id: docker-binary-path
run: echo "docker-bin=$(which docker)" | tee "${GITHUB_OUTPUT}"
- name: Print the bake file with a empty env
id: bake-file-no-env
run: env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print
- name: Verify the tags end on -local
run: |
while IFS='' read -r container_tag; do
printf "Container tag: %s\n" "${container_tag}"
[[ "${container_tag}" == *"-local" ]] || exit 1
done < <(env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print | jq -r '.target[].tags[0]')
- name: Print the bake file with the runner env
run: docker buildx bake --print
- name: Verify the tags are valid
run: |
while IFS='' read -r container_tag; do
printf "Container tag: %s\n" "${container_tag}"
[[ "${container_tag}" == *"-${REF//\//-}" ]] || exit 1
done < <(docker buildx bake --print | jq -r '.target[].tags[0]')
env:
REF: ${{ github.head_ref || github.ref_name}}
generate-jobs:
needs: [test]
runs-on: ubuntu-latest
outputs:
targets: ${{ steps.targets.outputs.matrix }}
# platforms: ${{ steps.platforms.outputs.matrix }}
steps:
- name: Checkout code
uses: actions/[email protected]
- name: Generate targets matrix
id: targets
run: |
printf "matrix=%s\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" | tee "${GITHUB_OUTPUT}"
build:
needs: [generate-jobs]
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
pull-requests: write
security-events: write
strategy:
matrix:
targets: ${{ fromJson(needs.generate-jobs.outputs.targets) }}
steps:
- name: Checkout code
uses: actions/[email protected]
- name: Setup QEMU
# kics-scan ignore-line
uses: docker/[email protected]
- name: Setup Docker Buildx
# kics-scan ignore-line
uses: docker/[email protected]
with:
driver: ${{ github.event_name == 'pull_request' && 'docker' || 'docker-container' }}
# Login against a container registry
# https://github.com/docker/login-action
# kics-scan ignore-line
- uses: docker/[email protected]
name: Login to ${{ env.REGISTRY }}
with:
registry: ${{ env.REGISTRY }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY == 'docker.io' && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }}
logout: true
# Free up space on the runner since the image is huge
# kics-scan ignore-line
- uses: ./.github/actions/free-space
name: Free up disk space
with:
deleteDotnet: 'false'
deleteAndroid: 'true'
- name: Get meta data
id: meta
run: |
{
printf "arch=linux/%s\n" "$(docker run --rm --quiet ubuntu:22.04 dpkg --print-architecture)";
printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')";
printf "main_tag=%s\n" "$(REF_NAME=main docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')";
} | tee "${GITHUB_OUTPUT}"
# Bake the image
# kics-scan ignore-line
- uses: docker/[email protected]
name: Build and Push
id: bake
with:
files: docker-bake.hcl
targets: ${{ matrix.targets }}
sbom: ${{ github.event_name != 'pull_request' }}
provenance: ${{ github.event_name != 'pull_request' }}
set: |
${{ github.event_name == 'pull_request' && '*.cache-to=' || '' }}
${{ github.event_name == 'pull_request' && format('*.platform={0}', steps.meta.outputs.arch) || '' }}
push: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
load: ${{ github.event_name == 'pull_request' }}
# vulnerability scan the image
# kics-scan ignore-line
- uses: docker/[email protected]
name: Analyze for critical and high CVEs
id: docker-scout-cves
if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
with:
command: cves
image: ${{ steps.meta.outputs.tag }}
sarif-file: sarif.output.json
summary: false
# upload the results as a SARIF file to gh security tab
# kics-scan ignore-line
- uses: github/codeql-action/[email protected]
name: Upload SARIF result
id: upload-sarif
if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
with:
sarif_file: sarif.output.json
# vulnerability scanning to verify PRs
# kics-scan ignore-line
- uses: docker/scout-action@64ca6fb5e6ada64f5febd1a991b499900b29faf0
name: Docker Scout compare
id: pr-quickview
if: ${{ github.event_name == 'pull_request' && steps.meta.outputs.tag != steps.meta.outputs.main_tag && vars.DOCKERHUB_USERNAME != '' }}
with:
command: compare
platform: ${{ steps.meta.outputs.arch }}
image: ${{ steps.meta.outputs.tag }}
to: ${{ steps.meta.outputs.main_tag }}
ignore-unchanged: true
only-fixed: true
only-severities: critical,high
write-comment: ${{ github.actor != 'nektos/act' }}
summary: ${{ github.actor != 'nektos/act' }}
github-token: ${{ secrets.GITHUB_TOKEN }}
approve-pr:
name: Approve PR
runs-on: ubuntu-latest
needs: [build]
if: >-
${{ github.actor != 'nektos/act' &&
contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) &&
github.event_name == 'pull_request' &&
needs.build.result == 'success' }}
permissions:
contents: read
pull-requests: write
actions: write
steps:
# approve the PR (there is still a code-owner review necessary)
- name: Approve PR
run: gh pr review --approve "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}