update versions, move locales to baseimage #299
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
| name: ci | |
| on: | |
| push: | |
| paths: | |
| - '**/Dockerfile' | |
| - '**/.github/workflows/ci.yml' | |
| - '**/docker-bake.hcl' | |
| pull_request: | |
| branches: [main] | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| env: | |
| CONTAINER_REGISTRY: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && 'docker.io' || 'ghcr.io' }} | |
| CONTAINER_REGISTRY_USER: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && vars.DOCKERHUB_USERNAME || github.repository_owner }} | |
| GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.event.after || github.sha }} | |
| BUILDKIT_PROGRESS: plain | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/[email protected] | |
| - name: Setup Docker Buildx | |
| # kics-scan ignore-line | |
| uses: docker/[email protected] | |
| # get docker binary path to use it with env -i | |
| - name: Get the docker binary path | |
| id: docker-binary-path | |
| run: echo "docker-bin=$(which docker)" | tee "${GITHUB_OUTPUT}" | |
| - name: Print the bake file with a empty env | |
| id: bake-file-no-env | |
| run: env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print | |
| - name: Verify the tags end on -local | |
| run: | | |
| while IFS='' read -r container_tag; do | |
| printf "Container tag: %s\n" "${container_tag}" | |
| [[ "${container_tag}" == *"-local" ]] || exit 1 | |
| done < <(env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print | jq -r '.target[].tags[0]') | |
| - name: Print the bake file with the runner env | |
| run: docker buildx bake --print | |
| - name: Verify the tags are valid | |
| run: | | |
| while IFS='' read -r container_tag; do | |
| printf "Container tag: %s\n" "${container_tag}" | |
| [[ "${container_tag}" == *"-${REF//\//-}" ]] || exit 1 | |
| done < <(docker buildx bake --print | jq -r '.target[].tags[0]') | |
| env: | |
| REF: ${{ github.head_ref || github.ref_name}} | |
| generate-jobs: | |
| needs: [test] | |
| runs-on: ubuntu-latest | |
| outputs: | |
| targets: ${{ steps.targets.outputs.matrix }} | |
| # platforms: ${{ steps.platforms.outputs.matrix }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/[email protected] | |
| - name: Generate targets matrix | |
| id: targets | |
| run: | | |
| printf "matrix=%s\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" | tee "${GITHUB_OUTPUT}" | |
| build: | |
| needs: [generate-jobs] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| pull-requests: write | |
| security-events: write | |
| strategy: | |
| fail-fast: ${{ fromJson(github.event_name != 'pull_request') }} | |
| matrix: | |
| targets: ${{ fromJson(needs.generate-jobs.outputs.targets) }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/[email protected] | |
| - name: Setup QEMU | |
| # kics-scan ignore-line | |
| uses: docker/[email protected] | |
| - name: Setup Docker Buildx | |
| # kics-scan ignore-line | |
| uses: docker/[email protected] | |
| with: | |
| driver: ${{ github.event_name == 'pull_request' && 'docker' || 'docker-container' }} | |
| # Login against a container registry | |
| # https://github.com/docker/login-action | |
| # kics-scan ignore-line | |
| - uses: docker/[email protected] | |
| name: Login to ${{ env.CONTAINER_REGISTRY }} | |
| with: | |
| registry: ${{ env.CONTAINER_REGISTRY }} | |
| username: ${{ env.CONTAINER_REGISTRY_USER }} | |
| password: ${{ env.CONTAINER_REGISTRY == 'docker.io' && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| logout: true | |
| # Free up space on the runner since the image is huge | |
| # kics-scan ignore-line | |
| - uses: ./.github/actions/free-space | |
| name: Free up disk space | |
| with: | |
| deleteDotnet: 'false' | |
| deleteAndroid: 'true' | |
| - name: Get meta data | |
| id: meta | |
| run: | | |
| { | |
| printf "arch=linux/%s\n" "$(docker run --rm --quiet ubuntu:22.04 dpkg --print-architecture)"; | |
| printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')"; | |
| printf "main_tag=%s\n" "$(REF_NAME=main docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')"; | |
| } | tee "${GITHUB_OUTPUT}" | |
| # Bake the image | |
| # kics-scan ignore-line | |
| - uses: docker/[email protected] | |
| name: Build and Push | |
| id: bake | |
| with: | |
| files: docker-bake.hcl | |
| targets: ${{ matrix.targets }} | |
| pull: true | |
| sbom: ${{ github.event_name != 'pull_request' }} | |
| provenance: ${{ github.event_name != 'pull_request' }} | |
| set: | | |
| ${{ github.event_name == 'pull_request' && '*.cache-to=' || '' }} | |
| ${{ github.event_name == 'pull_request' && format('*.platform={0}', steps.meta.outputs.arch) || '' }} | |
| push: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }} | |
| load: ${{ github.event_name == 'pull_request' }} | |
| # vulnerability scan the image for main branch | |
| # kics-scan ignore-line | |
| - uses: docker/[email protected] | |
| name: Analyze for critical and high CVEs | |
| id: docker-scout-cves | |
| continue-on-error: true | |
| if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' && github.ref_name == 'main' }} | |
| with: | |
| command: cves | |
| image: ${{ steps.meta.outputs.tag }} | |
| sarif-file: sarif.output.json | |
| summary: false | |
| # upload the results as a SARIF file to gh security tab | |
| # kics-scan ignore-line | |
| - uses: github/codeql-action/[email protected] | |
| name: Upload SARIF result | |
| id: upload-sarif | |
| if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' && steps.docker-scout-cves.outcome == 'success' }} | |
| with: | |
| sarif_file: sarif.output.json | |
| # vulnerability scanning to verify PRs | |
| # kics-scan ignore-line | |
| - uses: docker/[email protected] | |
| name: Docker Scout compare | |
| id: pr-compare | |
| if: ${{ github.event_name == 'pull_request' && steps.meta.outputs.tag != steps.meta.outputs.main_tag && vars.DOCKERHUB_USERNAME != '' }} | |
| with: | |
| command: compare | |
| platform: ${{ steps.meta.outputs.arch }} | |
| image: ${{ steps.meta.outputs.tag }} | |
| to: ${{ steps.meta.outputs.main_tag }} | |
| ignore-unchanged: true | |
| only-fixed: true | |
| only-severities: critical,high | |
| write-comment: ${{ github.actor != 'nektos/act' }} | |
| summary: ${{ github.actor != 'nektos/act' }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| approve-pr: | |
| name: Approve PR | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| if: >- | |
| ${{ github.actor != 'nektos/act' && | |
| contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) && | |
| github.event_name == 'pull_request' && | |
| (success() || cancelled()) }} | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| actions: write | |
| steps: | |
| # approve the PR (there is still a code-owner review necessary) | |
| - name: Approve PR | |
| run: gh pr review --approve "$PR_URL" | |
| env: | |
| PR_URL: ${{github.event.pull_request.html_url}} | |
| GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |