# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: ci

# Triggers.
# NOTE(review): `push` has a `paths:` filter but no `branches:` filter, so a
# push to any branch that touches one of these paths starts the workflow. The
# build job publishes (`push=true`) on every event other than `pull_request`;
# confirm that publishing from non-main branches is intended.
on:
  push:
    paths:
      - '**/Dockerfile'
      - '**/toolsets/*.json'
      - '**/.github/workflows/ci.yml'
  pull_request:
    branches:
      - main
  workflow_dispatch:

# Default GITHUB_TOKEN scopes for every job that does not declare its own
# `permissions:` block.
# NOTE(review): the write scopes here become the default for any job added
# later; prefer keeping only `contents: read` at this level and granting
# `packages: write` / `pull-requests: write` on the job that needs them.
permissions:
  contents: read
  packages: write
  pull-requests: write
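jobs:
  # Builds the docker-bake targets. Pull requests use the `docker` exporter
  # (one matrix entry per platform); every other event pushes a combined
  # multi-platform image to the registry (see OUTPUT_KIND / OUTPUT_TYPE below).
  build:
    runs-on: ubuntu-latest
    # Least privilege: the visible steps only read the repository and talk to
    # the container registry, so this job does not inherit the workflow-level
    # `pull-requests: write`.
    # NOTE(review): the commented-out Docker Scout step (write-comment) would
    # need `pull-requests: write` again if it is re-enabled.
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        platforms: ${{ github.event_name == 'pull_request' && fromJson('["linux/amd64", "linux/arm64"]') || fromJson('["linux/amd64,linux/arm64"]') }}
    env:
      BUILDKIT_PROGRESS: plain
      # FROM_IMAGE_PATH: /tmp/${{ matrix.distro }}-${{ matrix.from-version }}.tar
      # IMAGE_NAME: ${{ format('{0}-{1}', matrix.distro, matrix.from-flavor) }}
      # IMAGE_REPOSITORY: ${{ format('{0}/{1}-{2}', vars.DOCKERHUB_USER || github.repository_owner, matrix.distro, matrix.from-flavor) }}
      # Docker Hub when the DOCKERHUB_USER variable is set, otherwise GHCR.
      REGISTRY: ${{ vars.DOCKERHUB_USER && 'docker.io' || 'ghcr.io' }}
      # NOTE(review): SHA is not read by any step shown here; presumably it is
      # consumed by docker-bake.hcl - confirm.
      SHA: ${{ github.event.pull_request.head.sha || github.event.after || github.sha }}
      # TO_TAG: ${{ format('{0}/{1}/{2}-{3}:{4}', 'docker.io', vars.DOCKERHUB_USER, matrix.distro, matrix.from-flavor, matrix.from-version) }}
    steps:
      # NOTE(review): the `uses:` references in this job are mutable tags. These
      # actions run in a job that holds registry credentials, so pin each one to
      # a full commit SHA (with the tag kept as a trailing comment).
      #
      # The refs of the docker/* actions were destroyed by e-mail obfuscation on
      # the rendered page. The action names below are reconstructed from the
      # step names and inputs; <REF_LOST_IN_EXTRACTION> is a placeholder that
      # must be replaced with the original ref before this file can run.
      - uses: actions/checkout@v4
      - name: Free up disk space
        uses: ./.github/actions/free-space
        with:
          deleteDotnet: 'true'
          deleteAndroid: 'true'
      - name: Set up QEMU
        uses: docker/setup-qemu-action@<REF_LOST_IN_EXTRACTION>
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@<REF_LOST_IN_EXTRACTION>
        with:
          driver: docker-container
          driver-opts: image=moby/buildkit:v0.12.2
          install: true
          use: true
          cleanup: true
          platforms: ${{ matrix.platforms }}
      # Login against a Docker registry
      # https://github.com/docker/login-action
      # The password falls back to GITHUB_TOKEN when DOCKERHUB_TOKEN is unset;
      # `logout: true` removes the credentials when the job finishes.
      - name: Login to ${{ env.REGISTRY }}
        uses: docker/login-action@<REF_LOST_IN_EXTRACTION>
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ vars.DOCKERHUB_USER || github.repository_owner }}
          password: ${{ secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }}
          logout: true
      # # Get the architecture to use for the cache tag
      # - name: get arch
      #   id: cache-arch
      #   if: github.event_name == 'pull_request'
      #   run: >-
      #     printf "CACHE_ARCH=%s\n" "$(
      #     docker run
      #     --quiet
      #     --platform ${{ matrix.platforms }}
      #     --rm
      #     "${PULL_IMAGE}"
      #     /bin/bash -c "dpkg --print-architecture"
      #     )" >> "$GITHUB_OUTPUT"
      #   env:
      #     PULL_IMAGE: ${{ format('{0}:{1}', matrix.distro, matrix.codename) }}
      # NOTE(review): on pull_request the third `set` line exports a registry
      # cache (`mode=max`) from a build of the PR's own Dockerfiles. Confirm in
      # docker-bake.hcl that this cache ref is scoped to the PR and is not the
      # ref that publishing builds import from.
      - name: Build and Push
        uses: docker/bake-action@<REF_LOST_IN_EXTRACTION>
        with:
          files: docker-bake.hcl
          set: |
            ubuntu*.platform=${{ matrix.platforms }}
            ubuntu*.output=type=${{ env.OUTPUT_TYPE }},${{ env.OUTPUT_KIND }}
            ${{ github.event_name == 'pull_request' && github.actor != 'nektos/act' && '*.cache-to=type=registry,mode=max' || '' }}
        env:
          # NOTE(review): env.FROM_IMAGE_PATH only exists as a commented-out
          # line in the job-level env, so on pull_request this renders `dest=`
          # with an empty path unless it is defined somewhere not shown here.
          OUTPUT_KIND: ${{ github.event_name != 'pull_request' && 'push=true' || format('dest={0}', env.FROM_IMAGE_PATH) }}
          OUTPUT_TYPE: ${{ github.event_name != 'pull_request' && 'registry' || 'docker' }}
          # REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }}
      # # vulnerability scanning to verify PRs
      # - name: Docker Scout
      #   id: docker-scout
      #   uses: docker/scout-action@<REF_LOST_IN_EXTRACTION>
      #   if: github.event_name == 'pull_request'
      #   with:
      #     platform: ${{ matrix.platforms }}
      #     command: quickview
      #     image: ${{ env.FROM_IMAGE_PATH }}
      #     type: archive
      #     to: ${{ env.TO_TAG }}
      #     ignore-unchanged: true
      #     only-severities: critical
      #     write-comment: ${{ github.actor != 'nektos/act' }}
      #     summary: ${{ github.actor != 'nektos/act' }}
      #     github-token: ${{ secrets.GITHUB_TOKEN }}
      #     organization: ${{ vars.DOCKERHUB_USER || github.repository_owner }}

  # Approves the pull request with the workflow token once the build passed,
  # and enables auto-merge for Dependabot pull requests.
  approve-pr:
    name: Approve PR
    runs-on: ubuntu-latest
    needs: [build]
    # NOTE(review): `github.triggering_actor` is the account that started this
    # run, not the author of the pull request, so this gate does not by itself
    # restrict whose changes get approved - confirm that is intended.
    if: >-
      github.actor != 'nektos/act'
      && contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor)
      && github.event_name == 'pull_request'
      && needs.build.result == 'success'
    # NOTE(review): neither `gh` command below appears to need
    # `actions: write`; confirm and drop it. `gh pr merge --auto` may in turn
    # need `contents: write` - verify against a real Dependabot PR.
    permissions:
      contents: read
      pull-requests: write
      actions: write
    steps:
      # approve the PR (there is still a code-owner review necessary)
      # The PR URL is passed through the environment instead of being
      # interpolated into the script text.
      - name: Approve PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
      # auto merge dependabot PRs
      # `github.actor` names the account that triggered the event, which is not
      # necessarily the author of the pull request, so the PR must also have
      # been opened by Dependabot before auto-merge is enabled.
      - name: Merge DependaBot
        if: >-
          github.actor == 'dependabot[bot]'
          && github.event.pull_request.user.login == 'dependabot[bot]'
          && needs.build.result == 'success'
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}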