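name: CI

# Triggers are restricted to pushes of `main` and semver-looking tags. No
# pull_request / pull_request_target trigger exists, so untrusted PR code never
# reaches the deployment job (which holds registry and deployer credentials).
# Keep it that way if triggers are ever extended.
on:
  push:
    tags:
      - '[0-9]+.[0-9]+.[0-9]+'
    branches:
      - main

# Least privilege for GITHUB_TOKEN: default every job to read-only and grant
# the few extra scopes the deployment job's steps need at job level.
permissions:
  contents: read

jobs:
  # Decide whether the push touched anything that affects the image or the
  # workflow itself; the deployment job is skipped otherwise.
  check-files:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    outputs:
      has-relevant-changes: ${{ steps.changes.outputs.changes != '[]' }}
    steps:
      - uses: actions/checkout@v4
      # TODO(security): third-party actions in this file are pinned to mutable
      # tags (v3, v0, vX.Y.Z). Prefer pinning to a full commit SHA so a moved
      # tag cannot swap in different code; keep the tag as a trailing comment.
      - uses: dorny/paths-filter@v3
        id: changes
        with:
          filters: |
            workflow:
              - '.github/workflows/ci.yml'
            docker:
              - 'bin/**'
              - 'Dockerfile'
              - '.dockerignore'
            server:
              - 'server/**'

  # Build, push, scan and deploy the image. Tag pushes go to the `production`
  # environment, everything else to `development`; environment-scoped secrets
  # and any protection rules configured on `production` apply accordingly.
  run-deployment:
    needs: check-files
    if: ${{ needs.check-files.outputs.has-relevant-changes == 'true' }}
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}
      # Tag refs are unique, so only back-to-back pushes to `main` are ever
      # cancelled. Note that a cancelled run may already have pushed image
      # tags (latest/rev-*) without reaching the deploy call below.
      cancel-in-progress: true
    environment: ${{ github.ref_type == 'tag' && 'production' || 'development' }}
    runs-on: ubuntu-latest
    timeout-minutes: 60
    # Scopes beyond the workflow default, per the actions' documentation at
    # the pinned versions -- re-check these whenever an action is bumped:
    #   contents: write        -> anchore/sbom-action dependency-snapshot submission
    #   security-events: write -> github/codeql-action/upload-sarif
    #   actions: read          -> upload-sarif on private repositories
    permissions:
      contents: write
      security-events: write
      actions: read
    steps:
      - uses: docker/[email protected]
        id: image-meta
        with:
          images: ${{ vars.DOCKER_REGISTRY }}/${{ vars.DOCKER_IMAGE }}
          flavor: latest=false
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha,format=short,prefix=rev-,enable=${{ github.ref_type != 'tag' }}
            type=raw,value=stable,priority=50,enable=${{ github.ref_type == 'tag' }}
            type=raw,value=latest,priority=50,enable=${{ github.ref_type != 'tag' }}

      # Derive the VERSION build-arg: the semver for tag builds, otherwise the
      # `rev-<sha>` tag from the metadata JSON. Expression values are passed
      # through `env:` rather than interpolated into the script, which keeps
      # `${{ }}` content out of the shell parser (no script injection).
      - name: Get image parameters
        id: image-parameters
        shell: bash
        env:
          IS_RELEASE: ${{ github.ref_type == 'tag' }}
          IMAGE_VERSION: ${{ steps.image-meta.outputs.version }}
          META_JSON: ${{ steps.image-meta.outputs.json }}
        run: |
          VERSION_TAG=''
          if [ "${IS_RELEASE}" = 'true' ]; then
            VERSION_TAG="${IMAGE_VERSION}"
          else
            # Strip the registry/image prefix (keeps any `:port` in the host)
            # and pick the first tag that starts with `rev-`.
            VERSION_TAG="$(echo -n "${META_JSON}" | jq --raw-output '
              .tags
              | map(split(":")
                | .[1:]
                | join(":")
                | select(startswith("rev-")))
              | first')"
          fi
          echo "version-arg=${VERSION_TAG}" >> "${GITHUB_OUTPUT}"

      - uses: docker/[email protected]
      - uses: docker/[email protected]
      - uses: docker/[email protected]
        with:
          registry: ${{ vars.DOCKER_REGISTRY }}
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # NOTE(review): the image is pushed with its final tags (including
      # latest/stable) *before* the vulnerability scan below runs. A failing
      # scan stops the deploy call but does not un-publish the tags; if that
      # matters, push under a temporary tag first and re-tag after the scan.
      - uses: docker/[email protected]
        with:
          pull: true
          push: true
          platforms: linux/amd64,linux/arm64
          build-args: |
            VERSION=${{ steps.image-parameters.outputs.version-arg }}
          tags: ${{ steps.image-meta.outputs.tags }}
          labels: ${{ steps.image-meta.outputs.labels }}
          annotations: ${{ steps.image-meta.outputs.annotations }}
          sbom: true
          # mode=min omits build args and materials from the attestation;
          # mode=max gives consumers a fuller provenance record (VERSION is
          # the only build arg here and is not secret).
          provenance: mode=min
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Generate SBOM name
        id: sbom-name
        shell: bash
        env:
          REPO: ${{ github.repository }}
          IMAGE_VERSION: ${{ steps.image-meta.outputs.version }}
        run: echo "artifact-name=${REPO##*/}-${IMAGE_VERSION}-sbom.spdx" >> "${GITHUB_OUTPUT}"

      - uses: anchore/sbom-action@v0
        with:
          image: ${{ fromJson(steps.image-meta.outputs.json).tags[0] }}
          artifact-name: ${{ steps.sbom-name.outputs.artifact-name }}
          dependency-snapshot: true

      # Only the Dockerfile is needed for the scanner's annotations. Nothing
      # after this step performs git operations, so do not leave the
      # GITHUB_TOKEN in .git/config for later third-party steps to read.
      - uses: actions/checkout@v4
        with:
          path: .sarif-scan-temp
          sparse-checkout: Dockerfile
          sparse-checkout-cone-mode: false
          persist-credentials: false

      - name: Pull built image
        shell: bash
        env:
          DOCKER_IMAGE: ${{ fromJson(steps.image-meta.outputs.json).tags[0] }}
        run: docker pull "${DOCKER_IMAGE}"

      # A scan failure aborts the job before the deploy request is sent
      # (continue-on-error deliberately left off).
      - uses: crazy-max/ghaction-container-scan@v3
        # continue-on-error: true
        id: image-scan
        with:
          image: ${{ fromJson(steps.image-meta.outputs.json).tags[0] }}
          dockerfile: ./.sarif-scan-temp/Dockerfile
          annotations: true

      - uses: github/codeql-action/upload-sarif@v3
        if: ${{ steps.image-scan.outputs.sarif != '' }}
        continue-on-error: true # if advanced security is disabled, this will fail.
        with:
          sarif_file: ${{ steps.image-scan.outputs.sarif }}

      # Group the pushed tags by image path (registry host dropped) into
      # [{"image": ..., "tags": [...]}] for the deployer. Tags arrive via
      # `env:`, never interpolated into the script.
      - name: Build Payload
        id: build-payload
        shell: bash
        env:
          TAGS: ${{ steps.image-meta.outputs.tags }}
        run: |
          JSON_PAYLOAD="$(echo -n "${TAGS}" | jq --raw-input --slurp --raw-output --compact-output '
            split(" |\n"; null)
            | map(split(":") | select(length >= 2))
            | reduce .[] as $i (null; .[($i[0] | split("/") | .[1:] | join("/"))] += [($i[1:] | join(":"))])
            | to_entries
            | map({"image": .key, "tags": .value})')"
          echo "payload=${JSON_PAYLOAD}" >> "${GITHUB_OUTPUT}"

      # NOTE(review): `retry` re-sends a POST. If the deployer accepts the
      # request but the response is lost (timeout), the retry can trigger a
      # second deployment -- confirm the /deploy endpoint is idempotent for
      # an identical payload, or lower `retry`.
      - uses: fjogeleit/[email protected]
        with:
          method: POST
          url: ${{ secrets.DEPLOYER_URL }}/api/v1/deploy
          bearerToken: ${{ secrets.DEPLOYER_TOKEN }}
          timeout: 150000 # 2.5 minutes
          retry: 3
          retryWait: 3000 # 3 seconds
          contentType: application/json
          data: ${{ steps.build-payload.outputs.payload }}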