Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't push container image on PR, but compare to published image #31

Merged
merged 53 commits into from
Sep 16, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
53 commits
Select commit Hold shift + click to select a range
bc7b315
update ci.yml
mauwii Sep 15, 2023
bec74c1
split platforms on PR
mauwii Sep 15, 2023
be64ecf
update ci.yml
mauwii Sep 15, 2023
199bc15
update ci.yml
mauwii Sep 15, 2023
499fec2
update ci.yml
mauwii Sep 15, 2023
de26e53
update README.md
mauwii Sep 15, 2023
dc36f43
remove broken extension from recommends
mauwii Sep 15, 2023
a5bdb52
set-safe-directory when checking out
mauwii Sep 15, 2023
f3efa16
use fixed image in scout step
mauwii Sep 15, 2023
dee5be7
good ol days when image names where image names
mauwii Sep 15, 2023
eb50ba4
more image names
mauwii Sep 15, 2023
75cb06e
remove image without registry
mauwii Sep 15, 2023
a7be94e
remove debug step
mauwii Sep 15, 2023
5af1893
it works on my local
mauwii Sep 15, 2023
bedddb7
try to pull image manually
mauwii Sep 15, 2023
c61b8bb
fix dependencie, add other debug step
mauwii Sep 15, 2023
3e3ac36
set credentials for registry
mauwii Sep 15, 2023
bb4a6a4
push if main, load if not
mauwii Sep 16, 2023
dc8f6d3
remove registry login
mauwii Sep 16, 2023
a1336d7
use outputs type=image
mauwii Sep 16, 2023
cee4c86
back to always push but not nektos
mauwii Sep 16, 2023
c549089
single arch if not default branch
mauwii Sep 16, 2023
d917751
manual build
mauwii Sep 16, 2023
477df73
add --load
mauwii Sep 16, 2023
8e1c366
try multiarch with manual build command
mauwii Sep 16, 2023
7bebb80
add more parameters to build command
mauwii Sep 16, 2023
4bf238d
use docker build
mauwii Sep 16, 2023
c46021b
remove sbom attestation
mauwii Sep 16, 2023
75a4221
retry with build-push-action
mauwii Sep 16, 2023
adda10d
disable labels
mauwii Sep 16, 2023
6ec0461
stick with manual build step
mauwii Sep 16, 2023
68a7e3e
push main, load others
mauwii Sep 16, 2023
da68498
sbom for main, compare if other
mauwii Sep 16, 2023
a2972a4
add env.IMAGE_TAG
mauwii Sep 16, 2023
8701954
split archs if not main
mauwii Sep 16, 2023
06f80d6
use FROM_TAG and TO_TAG
mauwii Sep 16, 2023
7d1757b
try to set registry to insecure localhost
mauwii Sep 16, 2023
d732163
try pushing to localhost
mauwii Sep 16, 2023
c0a6205
fix format
mauwii Sep 16, 2023
ccdfa4b
put localhost in front of image
mauwii Sep 16, 2023
278f7d3
try to pull image
mauwii Sep 16, 2023
36ba84d
only imagename:tag
mauwii Sep 16, 2023
6cdfd80
add org to scout
mauwii Sep 16, 2023
e9892ff
validate PRs via Archive
mauwii Sep 16, 2023
641ad12
fix formatting
mauwii Sep 16, 2023
0700968
fix path
mauwii Sep 16, 2023
138b818
fix path, build multiarch, sbom only amd64
mauwii Sep 16, 2023
433cb3e
small update to settings and free space action
mauwii Sep 16, 2023
c88b803
add labels to manual build step
mauwii Sep 16, 2023
022b009
fix syntax
mauwii Sep 16, 2023
b375981
use meta-step outputs
mauwii Sep 16, 2023
b3e3a43
resolve linter issue
mauwii Sep 16, 2023
c194f9b
fix linter issue
mauwii Sep 16, 2023
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 16 additions & 14 deletions .cspell.json
Original file line number Diff line number Diff line change
Expand Up @@ -9,28 +9,20 @@
],
"language": "en,en-GB",
"words": [
"ASPNET",
"BASEPATH",
"CODEOWNERS",
"MARKDOWNLINT",
"NOLOGO",
"ONBUILD",
"OPTOUT",
"Sfrg",
"TOOLSDIRECTORY",
"WORKDIR",
"XMLDOC",
"Zrmnxj",
"actrc",
"aliyun",
"aquasecurity",
"ASPNET",
"automake",
"BASEPATH",
"binutils",
"brotli",
"buildkit",
"buildpack",
"buildx",
"catthehacker",
"cmdline",
"CODEOWNERS",
"commandlinetools",
"containerd",
"coreutils",
Expand Down Expand Up @@ -74,6 +66,7 @@
"libxkbfile",
"libxss",
"libyaml",
"MARKDOWNLINT",
"mauwii",
"mediainfo",
"mediatypes",
Expand All @@ -82,11 +75,14 @@
"nbgv",
"nektos",
"netcat",
"NOLOGO",
"noninteractive",
"noto",
"nupkg",
"oldci",
"ONBUILD",
"opencontainers",
"OPTOUT",
"patchelf",
"pigz",
"pipefail",
Expand All @@ -95,21 +91,27 @@
"pwsh",
"quickview",
"rubygems",
"Sfrg",
"shellcheck",
"singlearch",
"sphinxsearch",
"sshpass",
"stefanzweifel",
"targetproc",
"texinfo",
"trivy",
"trivyignore",
"toolcache",
"TOOLSDIRECTORY",
"toolsets",
"trivy",
"trivyignore",
"tzdata",
"vercel",
"vuln",
"WORKDIR",
"XMLDOC",
"xorriso",
"xvfb",
"Zrmnxj",
"zstd",
"zsync"
],
Expand Down
13 changes: 7 additions & 6 deletions .github/actions/free-space/action.yml
Original file line number Diff line number Diff line change
@@ -1,10 +1,11 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-action.json

name: Free some disk space
name: Free disk space
author: mauwii
description: |
This Action can be used to free up some disk-space on
github hosted runners
description: This Action can be used to free up some disk-space on github hosted runners
branding:
icon: 'trash-2'
color: 'blue'

inputs:
deleteDotnet:
Expand All @@ -26,8 +27,8 @@ runs:
shell: bash
run: |
for dir in /usr/share/dotnet /opt/hostedtoolcache/dotnet; do
if [ -d $dir ]; then
sudo rm -Rf $dir # Ubuntu 18/20
if [ -d "${dir}" ]; then
sudo rm -Rf "${dir}"
fi
done

Expand Down
182 changes: 121 additions & 61 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ name: ci

on:
push:
branches: [main]
paths:
- '**/Dockerfile'
- '**/toolsets/*.json'
Expand All @@ -21,6 +22,9 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
platforms: ['linux/amd64,linux/arm64']
# platforms: ${{ github.ref == 'refs/heads/main' && fromJson('["linux/amd64,linux/arm64"]') || fromJson(format('["{0}", "{1}"]', 'linux/amd64','linux/arm64')) }}
from-version: ['22.04', '20.04']
include:
- from-version: '22.04'
from-version-major: '22'
Expand All @@ -34,13 +38,21 @@ jobs:
distro: 'ubuntu'
codename: 'focal'
from-flavor: 'act'
services:
registry:
image: registry:2
ports:
- 5000:5000
env:
REGISTRY: docker.io
BUILDKIT_PROGRESS: plain
IMAGE_NAME: ${{ format('{0}-{1}', matrix.distro, matrix.from-flavor) }}
IMAGE_REPOSITORY: ${{ format('{0}/{1}', github.repository_owner, format('{0}-{1}', matrix.distro, matrix.from-flavor)) }}
IMAGE_REPOSITORY: ${{ format('{0}/{1}-{2}', vars.DOCKERHUB_USER || github.repository_owner, matrix.distro, matrix.from-flavor) }}
SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
DOCKERHUB_USERNAME: ${{ github.repository_owner }}
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
FROM_TAG: ${{ format('{0}-{1}:{2}-{3}', matrix.distro, matrix.from-flavor, matrix.from-version, github.head_ref || github.ref_name) }}
# FROM_TAG: ${{ format('{0}/{1}/{2}-{3}:{4}-{5}', github.ref == 'refs/heads/main' && 'docker.io' || 'localhost:5000', vars.DOCKERHUB_USER, matrix.distro, matrix.from-flavor, matrix.from-version, github.head_ref || github.ref_name) }}
TO_TAG: ${{ format('{0}/{1}/{2}-{3}:{4}', 'docker.io', vars.DOCKERHUB_USER, matrix.distro, matrix.from-flavor, matrix.from-version) }}
REGISTRY: ${{ vars.DOCKERHUB_USER && 'docker.io' || 'ghcr.io' }}
PATH_TO_IMAGE: /tmp/${{ matrix.distro }}-${{ matrix.from-version }}.tar
steps:
- uses: actions/checkout@v4

Expand All @@ -55,104 +67,152 @@ jobs:

- name: Set up Docker Buildx
uses: docker/[email protected]
# with:
# driver-opts: |
# image=moby/buildkit:v0.12.2
# network=host
with:
driver: docker-container
driver-opts: image=moby/buildkit:v0.12.2,network=host
install: true
use: true
cleanup: true
platforms: ${{ matrix.platforms }}

# - name: Login to GitHub Container Registry
# uses: docker/[email protected]
# with:
# registry: ghcr.io
# username: ${{ github.repository_owner }}
# password: ${{ secrets.GITHUB_TOKEN }}
# Login to github container registry
# https://github.com/docker/login-action
- name: Login to GitHub Container Registry
uses: docker/[email protected]
if: vars.DOCKERHUB_USER == ''
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

# Login against a Docker registry
# https://github.com/docker/login-action
- name: Login to Docker Hub
uses: docker/[email protected]
if: vars.DOCKERHUB_USER != ''
with:
registry: ${{ env.REGISTRY }}
username: ${{ env.DOCKERHUB_USERNAME }}
password: ${{ env.DOCKERHUB_TOKEN }}
registry: docker.io
username: ${{ vars.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
logout: true

# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v4.4.0
uses: docker/metadata-action@v4.6.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
images: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }}
images: ${{ github.actor == 'nektos/act' && env.IMAGE_REPOSITORY || env.REGISTRY_IMAGE }}
tags: |
type=raw,value=${{ matrix.from-version }},enable={{is_default_branch}},priority=900
type=sha,prefix=${{ matrix.from-version }}-,format=short,enable=${{ github.ref == 'refs/heads/main' }},priority=1000
type=raw,value=${{ matrix.from-version }},enable=${{ github.ref == 'refs/heads/main' }},priority=900
type=raw,value=${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }},priority=600
type=sha,prefix=${{ matrix.from-version }}-,format=short,enable={{is_default_branch}},priority=100
flavor: |
latest=${{ github.ref == format('refs/heads/{0}', 'main') && matrix.from-version == '22.04' }}
latest=${{ github.ref == 'refs/heads/main' && matrix.from-version == '22.04' }}
labels: |
org.opencontainers.image.authors=['${{ env.REPOSITORY_LINK }}','${{ github.actor }}']
org.opencontainers.image.authors='${{ env.REPOSITORY_LINK }},${{ github.actor }}'
org.opencontainers.image.description=${{ github.event.repository.description }}
org.opencontainers.image.documentation=${{ env.REPOSITORY_LINK }}
org.opencontainers.image.revision=${{ env.SHA }}
org.opencontainers.image.source=${{ github.repositoryUrl }}
org.opencontainers.image.title=${{ env.IMAGE_REPOSITORY }}:${{ github.head_ref || github.ref_name }}
org.opencontainers.image.title=${{ env.IMAGE_REPOSITORY }}:${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }}
org.opencontainers.image.url=${{ env.REPOSITORY_LINK }}/blob/${{ env.SHA }}/linux/${{ matrix.distro }}/Dockerfile
org.opencontainers.image.vendor=${{ github.repository_owner }}
env:
REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }}
REPOSITORY_LINK: https://github.com/${{ github.repository }}

# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push
id: build
uses: docker/build-push-action@v4
with:
context: .
# github-token for the repository context
github-token: ${{ secrets.GITHUB_TOKEN }}
file: ./linux/${{ matrix.distro }}/Dockerfile
platforms: linux/amd64,linux/arm64
labels: ${{ steps.meta.outputs.labels }}
tags: ${{ steps.meta.outputs.tags }}
build-args: |
FROM_IMAGE=buildpack-deps
FROM_VERSION_MAJOR=${{ matrix.from-version-major }}
FROM_VERSION_MINOR=${{ matrix.from-version-minor }}
FROM_FLAVOR=${{ matrix.from-flavor }}
DISTRO=${{ matrix.distro }}
CODENAME=${{ matrix.codename }}
# caching to speed up the build
cache-from: |
type=registry,ref=${{ env.REGISTRY_IMAGE }}:${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }}
type=registry,ref=${{ env.REGISTRY_IMAGE }}:cache-${{ matrix.codename }}
# cache exporter doesn't work with docker driver
cache-to: |
type=registry,ref=${{ env.REGISTRY_IMAGE }}:cache-${{ matrix.codename }},mode=max
# this will give us some useful information about the build
provenance: mode=max
push: true
# outputs: type=image,name=${{ env.REGISTRY_IMAGE }}:${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }},push=true
# # Build and push Docker image with Buildx (don't push on PR)
# # https://github.com/docker/build-push-action
# - name: Build and push
# id: build
# uses: docker/build-push-action@v4
# with:
# context: .
# # github-token for the repository context
# github-token: ${{ secrets.GITHUB_TOKEN }}
# file: ./linux/${{ matrix.distro }}/Dockerfile
# platforms: ${{ matrix.platforms }}
# labels: ${{ steps.meta.outputs.labels }}
# tags: ${{ steps.meta.outputs.tags }}
# # tags: ${{ format('{0}:{1}-{2}', github.actor != 'nektos/act' && env.REGISTRY_IMAGE || env.IMAGE_REPOSITORY, matrix.from-version, github.head_ref || github.ref_name) }}
# build-args: |
# FROM_IMAGE=buildpack-deps
# FROM_VERSION_MAJOR=${{ matrix.from-version-major }}
# FROM_VERSION_MINOR=${{ matrix.from-version-minor }}
# FROM_FLAVOR=${{ matrix.from-flavor }}
# DISTRO=${{ matrix.distro }}
# CODENAME=${{ matrix.codename }}
# # caching to speed up the build
# cache-from: |
# ${{ format('type=registry,ref={0}:{1}', env.REGISTRY_IMAGE, matrix.from-version) }}
# ${{ format('type=registry,ref={0}:cache-{1}', env.REGISTRY_IMAGE, matrix.codename) }}
# # don't export cache on PR
# cache-to: ${{ github.ref == 'refs/heads/main' && format('type=registry,ref={0}:cache-{1},mode=max', env.REGISTRY_IMAGE, matrix.codename) || '' }}
# # this will give us some useful information about the build
# provenance: mode=max
# # push if not building with act
# push: ${{ github.ref == 'refs/heads/main' }}
# outputs: 'type=oci,dest=${{ env.PATH_TO_IMAGE }}'
# env:
# REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }}

# Build and push Docker images
- name: build image
run: >-
docker build
--tag ${{ steps.meta.outputs.tags }}
--file linux/${{ matrix.distro }}/Dockerfile
--cache-from ${{ format('type=registry,ref={0}:{1}', env.REGISTRY_IMAGE, matrix.from-version) }}
--cache-from ${{ format('type=registry,ref={0}:cache-{1}', env.REGISTRY_IMAGE, matrix.codename) }}
--build-arg FROM_IMAGE='buildpack-deps'
--build-arg FROM_VERSION_MAJOR='${{ matrix.from-version-major }}'
--build-arg FROM_VERSION_MINOR='${{ matrix.from-version-minor }}'
--build-arg FROM_FLAVOR='${{ matrix.from-flavor }}'
--build-arg DISTRO='${{ matrix.distro }}'
--build-arg CODENAME='${{ matrix.codename }}'
${{ fromJson(env.IS_MAIN) && '--push' || format('--output type=docker,dest={0}', env.PATH_TO_IMAGE) }}
--label org.opencontainers.image.authors='${{ env.REPOSITORY_LINK }}, ${{ github.actor }}'
--label org.opencontainers.image.description='${{ github.event.repository.description }}'
--label org.opencontainers.image.documentation='${{ env.REPOSITORY_LINK }}'
--label org.opencontainers.image.revision='${{ env.SHA }}'
--label org.opencontainers.image.source='${{ github.repositoryUrl }}'
--label org.opencontainers.image.title='${{ env.TITLE_TAG }}'
--label org.opencontainers.image.url='${{ env.REPOSITORY_LINK }}/blob/${{ env.SHA }}/linux/${{ matrix.distro }}/Dockerfile'
--label org.opencontainers.image.vendor='${{ github.repository_owner }}'
.
env:
IS_MAIN: ${{ github.ref == 'refs/heads/main' }}
REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }}
REPOSITORY_LINK: https://github.com/${{ github.repository }}
TITLE_TAG: ${{ format('{0}:{1}', env.IMAGE_REPOSITORY, github.head_ref || github.ref_name) }}

# Just for debugging
- name: inspect FROM_TAG
continue-on-error: true
run: docker inspect ${{ env.FROM_TAG }}
- name: inspect steps.meta.outputs.tags
continue-on-error: true
run: docker inspect ${{ steps.meta.outputs.tags }}

# vulnerability scanning to verify PRs
- name: Docker Scout
id: docker-scout
continue-on-error: true
uses: docker/[email protected]
with:
# platform: linux/amd64
command: sbom,compare
image: ${{ steps.meta.outputs.tags }}
to: ${{ format('{0}/{1}:{2}', env.REGISTRY, env.IMAGE_REPOSITORY, matrix.from-version) }}
organization: ${{ github.repository_owner }}
image: ${{ github.ref == 'refs/heads/main' && steps.meta.outputs.tags || env.PATH_TO_IMAGE }}
type: ${{ github.ref == 'refs/heads/main' && 'image' || 'archive' }}
to: ${{ env.TO_TAG }}
ignore-unchanged: true
only-severities: critical
write-comment: ${{ github.actor != 'nektos/act' }}
write-comment: ${{ github.event_name == 'pull_request' && github.actor != 'nektos/act' }}
keep-previous-comments: true
summary: ${{ github.actor != 'nektos/act' }}
summary: ${{ github.event_name == 'pull_request' && github.actor != 'nektos/act' }}
github-token: ${{ secrets.GITHUB_TOKEN }}
organization: ${{ vars.DOCKERHUB_USER || github.repository_owner }}

# ToDo: Move into a separate workflow and depend on ci and mega-linter
approve-pr:
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/mega-linter.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ jobs:
- name: Checkout Code
uses: actions/checkout@v3
with:
set-safe-directory: true
# token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances
Expand Down
2 changes: 1 addition & 1 deletion .mega-linter.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ APPLY_FIXES: all # all, none, or list of linter keys
SHOW_ELAPSED_TIME: true
FILEIO_REPORTER: false
# DISABLE_ERRORS: true # Uncomment if you want MegaLinter to detect errors but not block CI to pass
FILTER_REGEX_EXCLUDE: '(megalinter-reports/)'
# FILTER_REGEX_EXCLUDE: '(\.*/megalinter-reports/\.*)'
YAML_V8R_FILTER_REGEX_EXCLUDE: '(\.prettierrc\.yaml)'
VALIDATE_ALL_CODEBASE: true
SPELL_LYCHEE_FILTER_REGEX_EXCLUDE: '(.github/workflows|\.mega-linter\.yml)'
1 change: 0 additions & 1 deletion .vscode/extensions.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
{
"recommendations": [
"AquaSecurityOfficial.trivy-vulnerability-scanner",
"editorconfig.editorconfig",
"esbenp.prettier-vscode",
"exiasr.hadolint",
Expand Down
Loading
Loading