Fix workflow #59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy Docker Image | |
| on: | |
| push: | |
| tags: | |
| - '[0-9]+.[0-9]+.[0-9]+' | |
| branches: | |
| - main | |
| jobs: | |
| check-files: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| has-relevant-changes: ${{ steps.changes.outputs.workflow || steps.changes.outputs.docker || steps.changes.outputs.server }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dorny/paths-filter@v3 | |
| id: changes | |
| with: | |
| filters: | | |
| workflow: | |
| - '.github/workflows/deploy.yml' | |
| docker: | |
| - 'bin/**' | |
| - 'Dockerfile' | |
| - '.dockerignore' | |
| server: | |
| - 'server/**' | |
| run-deployment: | |
| needs: check-files | |
| if: ${{ needs.check-files.outputs.has-relevant-changes == 'true' }} | |
| environment: ${{ github.ref_type == 'tag' && 'production' || 'development'}} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: docker/[email protected] | |
| id: image-meta | |
| with: | |
| images: ${{ vars.DOCKER_REGISTRY }}/${{ vars.DOCKER_IMAGE }} | |
| flavor: latest=false | |
| tags: | | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=sha,format=short,prefix=rev-,enable=${{ github.ref_type != 'tag' }} | |
| type=raw,value=stable,priority=50,enable=${{ github.ref_type == 'tag' }} | |
| type=raw,value=latest,priority=50,enable=${{ github.ref_type != 'tag' }} | |
| - name: Get image parameters | |
| id: image-parameters | |
| shell: bash | |
| env: | |
| IS_RELEASE: ${{ github.ref_type == 'tag' }} | |
| IMAGE_VERSION: ${{ steps.image-meta.outputs.version }} | |
| META_JSON: ${{ steps.image-meta.outputs.json }} | |
| run: | | |
| VERSION_TAG='' | |
| if [ "${IS_RELEASE}" = 'true' ]; then | |
| VERSION_TAG="${IMAGE_VERSION}" | |
| else | |
| VERSION_TAG="$(echo -n "${META_JSON}" | jq --raw-output ' | |
| .tags | |
| | map(split(":") | |
| | .[1:] | |
| | join(":") | |
| | select(startswith("rev-"))) | |
| | first')" | |
| fi | |
| echo "version-arg=${VERSION_TAG}" >> "${GITHUB_OUTPUT}" | |
| - uses: docker/[email protected] | |
| - uses: docker/[email protected] | |
| - uses: docker/[email protected] | |
| with: | |
| registry: ${{ vars.DOCKER_IMAGE }} | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - uses: docker/[email protected] | |
| with: | |
| pull: true | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| build-args: | | |
| VERSION=${{ steps.image-parameters.outputs.version-arg }} | |
| tags: ${{ steps.image-meta.outputs.tags }} | |
| labels: ${{ steps.image-meta.outputs.labels }} | |
| annotations: ${{ steps.image-meta.outputs.annotations }} | |
| sbom: true | |
| provenance: mode=min | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Generate SBOM name | |
| id: sbom-name | |
| shell: bash | |
| env: | |
| REPO: ${{ github.repository }} | |
| IMAGE_VERSION: ${{ steps.image-meta.outputs.version }} | |
| run: echo "artifact-name=${REPO##*/}-${IMAGE_VERSION}-sbom.spdx" >> "${GITHUB_OUTPUT}" | |
| - uses: anchore/sbom-action@v0 | |
| with: | |
| image: ${{ fromJson(steps.image-meta.outputs.json).tags[0] }} | |
| artifact-name: ${{ steps.sbom-name.outputs.artifact-name }} | |
| dependency-snapshot: true | |
| - uses: actions/checkout@v4 | |
| with: | |
| path: .sarif-scan-temp | |
| sparse-checkout: Dockerfile | |
| sparse-checkout-cone-mode: false | |
| - name: Pull built image | |
| shell: bash | |
| env: | |
| DOCKER_IMAGE: ${{ fromJson(steps.image-meta.outputs.json).tags[0] }} | |
| run: docker pull "${DOCKER_IMAGE}" | |
| - uses: crazy-max/ghaction-container-scan@v3 | |
| # continue-on-error: true | |
| id: image-scan | |
| with: | |
| image: ${{ fromJson(steps.image-meta.outputs.json).tags[0] }} | |
| dockerfile: ./.sarif-scan-temp/Dockerfile | |
| annotations: true | |
| - uses: github/codeql-action/upload-sarif@v3 | |
| if: ${{ steps.image-scan.outputs.sarif != '' }} | |
| continue-on-error: true # if advanced security is disabled, this will fail. | |
| with: | |
| sarif_file: ${{ steps.image-scan.outputs.sarif }} | |
| - name: Build Payload | |
| id: build-payload | |
| shell: bash | |
| env: | |
| TAGS: ${{ steps.image-meta.outputs.tags }} | |
| run: | | |
| JSON_PAYLOAD="$(echo -n "${TAGS}" | jq --raw-input --slurp --raw-output --compact-output ' | |
| split(" |\n"; null) | |
| | map(split(":") | select(length >= 2)) | |
| | reduce .[] as $i (null; .[($i[0])] += [($i[1:] | join(":"))]) | |
| | to_entries | |
| | map({"image": .key, "tags": .value})')" | |
| echo "payload=${JSON_PAYLOAD}" >> "${GITHUB_OUTPUT}" | |
| - uses: fjogeleit/[email protected] | |
| with: | |
| method: POST | |
| url: ${{ secrets.DEPLOYER_URL }}/api/v1/deploy | |
| bearerToken: ${{ secrets.DEPLOYER_TOKEN }} | |
| timeout: 150000 # 2.5 minutes | |
| retry: 3 | |
| retryWait: 3000 # 3 seconds | |
| contentType: application/json | |
| data: ${{ steps.build-payload.outputs.payload }} |