paulmataruso/11note-docker-bind
1
0
Fork 0
mirror of https://github.com/11notes/docker-bind.git synced 2025-11-03 21:33:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

[upgrade] latest workflow

Browse Source
This commit is contained in:
ElevenNotes
2025-04-30 10:28:43 +02:00
parent 9fedb70e7e
commit e454412a73
1 changed files with 173 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

216
.github/workflows/docker.yml vendored
View File

@@ -10,6 +10,12 @@ on:
required: false required: false
default: 'docker' default: 'docker'
runs-on:
description: 'set runs-on for workflow (github or selfhosted)'
type: string
required: false
default: 'ubuntu-22.04'
release: release:
description: 'set WORKFLOW_GITHUB_RELEASE' description: 'set WORKFLOW_GITHUB_RELEASE'
required: false required: false
@@ -20,29 +26,14 @@ on:
required: false required: false
default: 'false' default: 'false'
image: etc:
description: 'set IMAGE' description: 'base64 encoded json string'
required: false
uid:
description: 'set IMAGE_UID'
required: false
gid:
description: 'set IMAGE_GID'
required: false
semverprefix:
description: 'prefix for semver tags'
required: false
semversuffix:
description: 'suffix for semver tags'
required: false required: false
jobs: jobs:
docker: docker:
runs-on: ubuntu-22.04 runs-on: ${{ inputs.runs-on }}
timeout-minutes: 1440
services: services:
registry: registry:
@@ -54,7 +45,6 @@ jobs:
actions: read actions: read
contents: write contents: write
packages: write packages: write
security-events: write
steps: steps:
- name: init / checkout - name: init / checkout
@@ -69,12 +59,17 @@ jobs:
script: | script: |
const { existsSync, readFileSync } = require('node:fs'); const { existsSync, readFileSync } = require('node:fs');
const { resolve } = require('node:path'); const { resolve } = require('node:path');
const { inspect } = require('node:util');
const { Buffer } = require('node:buffer');
const inputs = `${{ toJSON(github.event.inputs) }}`; const inputs = `${{ toJSON(github.event.inputs) }}`;
const opt = {input:{}, dot:{}}; const opt = {input:{}, dot:{}};
try{ try{
if(inputs.length > 0){ if(inputs.length > 0){
opt.input = JSON.parse(inputs); opt.input = JSON.parse(inputs);
if(opt.input?.etc){
opt.input.etc = JSON.parse(Buffer.from(opt.input.etc, 'base64').toString('ascii'));
}
} }
}catch(e){ }catch(e){
core.warning('could not parse github.event.inputs'); core.warning('could not parse github.event.inputs');
@@ -95,27 +90,30 @@ jobs:
core.setFailed(e); core.setFailed(e);
} }
core.info(inspect(opt, {showHidden:false, depth:null, colors:true}));
const docker = { const docker = {
image:{ image:{
name:(opt.input?.image || opt.dot.image), name:opt.dot.image,
arch:(opt.dot.arch || 'linux/amd64,linux/arm64'), arch:(opt.dot.arch || 'linux/amd64,linux/arm64'),
prefix:((opt.input?.semverprefix) ? `${opt.input?.semverprefix}-` : ''), prefix:((opt.input?.etc?.semverprefix) ? `${opt.input?.etc?.semverprefix}-` : ''),
suffix:((opt.input?.semversuffix) ? `-${opt.input?.semversuffix}` : ''), suffix:((opt.input?.etc?.semversuffix) ? `-${opt.input?.etc?.semversuffix}` : ''),
description:(opt.dot?.readme?.description || ''), description:(opt.dot?.readme?.description || ''),
tags:[], tags:[],
}, },
app:{ app:{
image:opt.dot.image, image:opt.dot.image,
name:opt.dot.name, name:opt.dot.name,
version:opt.dot.semver.version, version:(opt.input?.etc?.version || opt.dot.semver.version),
root:opt.dot.root, root:opt.dot.root,
UID:(opt.input?.uid || 1000), UID:(opt.input?.etc?.uid || 1000),
GID:(opt.input?.gid || 1000), GID:(opt.input?.etc?.gid || 1000),
no_cache:new Date().getTime(), no_cache:new Date().getTime(),
}, },
cache:{ cache:{
registry:'localhost:5000/', registry:'localhost:5000/',
} },
tags:[],
}; };
docker.cache.name = `${docker.image.name}:${docker.image.prefix}buildcache${docker.image.suffix}`; docker.cache.name = `${docker.image.name}:${docker.image.prefix}buildcache${docker.image.suffix}`;
@@ -124,6 +122,12 @@ jobs:
docker.app.suffix = docker.image.suffix; docker.app.suffix = docker.image.suffix;
// setup tags // setup tags
if(opt.input?.etc?.dockerfile !== 'arch.dockerfile' && opt.input?.etc?.tag){
docker.image.tags.push(`${context.sha.substring(0,7)}`);
docker.image.tags.push(opt.input.etc.tag);
docker.image.tags.push(`${opt.input.etc.tag}-${docker.app.version}`);
docker.cache.name = `${docker.image.name}:buildcache-${opt.input.etc.tag}`;
}else if(opt.dot?.semver?.version){
const semver = opt.dot.semver.version.split('.'); const semver = opt.dot.semver.version.split('.');
docker.image.tags.push(`${context.sha.substring(0,7)}`); docker.image.tags.push(`${context.sha.substring(0,7)}`);
if(Array.isArray(semver)){ if(Array.isArray(semver)){
@@ -133,12 +137,27 @@ jobs:
} }
if(opt.dot.semver?.stable && new RegExp(opt.dot.semver.stable, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('stable'); if(opt.dot.semver?.stable && new RegExp(opt.dot.semver.stable, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('stable');
if(opt.dot.semver?.latest && new RegExp(opt.dot.semver.latest, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('latest'); if(opt.dot.semver?.latest && new RegExp(opt.dot.semver.latest, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('latest');
}else if(opt.input?.etc?.version && opt.input.etc.version === 'latest'){
docker.image.tags.push('latest');
}
for(let i=0; i<docker.image.tags.length; i++){ for(const tag of docker.image.tags){
docker.image.tags[i] = `${docker.image.name}:${docker.image.prefix}${docker.image.tags[i]}${docker.image.suffix}`; docker.tags.push(`${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`);
docker.tags.push(`ghcr.io/${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`);
docker.tags.push(`quay.io/${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`);
} }
// setup build arguments // setup build arguments
if(opt.input?.etc?.build?.args){
for(const arg in opt.input.etc.build.args){
docker.app[arg] = opt.input.etc.build.args[arg];
}
}
if(opt.dot?.build?.args){
for(const arg in opt.dot.build.args){
docker.app[arg] = opt.dot.build.args[arg];
}
}
const arguments = []; const arguments = [];
for(const argument in docker.app){ for(const argument in docker.app){
arguments.push(`APP_${argument.toUpperCase()}=${docker.app[argument]}`); arguments.push(`APP_${argument.toUpperCase()}=${docker.app[argument]}`);
@@ -151,24 +170,44 @@ jobs:
core.exportVariable('DOCKER_IMAGE_NAME', docker.image.name); core.exportVariable('DOCKER_IMAGE_NAME', docker.image.name);
core.exportVariable('DOCKER_IMAGE_ARCH', docker.image.arch); core.exportVariable('DOCKER_IMAGE_ARCH', docker.image.arch);
core.exportVariable('DOCKER_IMAGE_TAGS', docker.image.tags.join(',')); core.exportVariable('DOCKER_IMAGE_TAGS', docker.tags.join(','));
core.exportVariable('DOCKER_IMAGE_DESCRIPTION', docker.image.description); core.exportVariable('DOCKER_IMAGE_DESCRIPTION', docker.image.description);
core.exportVariable('DOCKER_IMAGE_ARGUMENTS', arguments.join("\r\n")); core.exportVariable('DOCKER_IMAGE_ARGUMENTS', arguments.join("\r\n"));
core.exportVariable('DOCKER_IMAGE_DOCKERFILE', opt.input?.etc?.dockerfile || 'arch.dockerfile');
core.exportVariable('WORKFLOW_CREATE_RELEASE', (opt.input?.release || true)); core.exportVariable('WORKFLOW_CREATE_RELEASE', (opt.input?.release === undefined) ? false : opt.input.release);
core.exportVariable('WORKFLOW_CREATE_README', (opt.input?.readme || true)); core.exportVariable('WORKFLOW_CREATE_README', (opt.input?.readme === undefined) ? false : opt.input.readme);
core.exportVariable('WORKFLOW_GRYPE_FAIL_ON_SEVERITY', (opt.json?.grpye?.fail || true)); core.exportVariable('WORKFLOW_GRYPE_FAIL_ON_SEVERITY', (opt.dot?.grype?.fail === undefined) ? true : opt.dot.grype.fail);
core.exportVariable('WORKFLOW_GRYPE_SEVERITY_CUTOFF', (opt.json?.grpye?.severity || 'high')); core.exportVariable('WORKFLOW_GRYPE_SEVERITY_CUTOFF', (opt.dot?.grype?.severity || 'high'));
if(opt.dot?.readme?.comparison){
core.exportVariable('WORKFLOW_CREATE_COMPARISON', true);
core.exportVariable('WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE', opt.dot.readme.comparison.image);
core.exportVariable('WORKFLOW_CREATE_COMPARISON_IMAGE', `${docker.image.name}:${docker.app.version}`);
}
# DOCKER # DOCKER
- name: docker / login to hub - name: docker / login to hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
with: with:
username: 11notes username: 11notes
password: ${{ secrets.DOCKER_TOKEN }} password: ${{ secrets.DOCKER_TOKEN }}
- name: github / login to ghcr
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
with:
registry: ghcr.io
username: 11notes
password: ${{ secrets.GITHUB_TOKEN }}
- name: quay / login to quay
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
with:
registry: quay.io
username: 11notes+github
password: ${{ secrets.QUAY_TOKEN }}
- name: docker / setup qemu - name: docker / setup qemu
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a
@@ -182,7 +221,7 @@ jobs:
uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
with: with:
context: . context: .
file: arch.dockerfile file: ${{ env.DOCKER_IMAGE_DOCKERFILE }}
push: true push: true
platforms: ${{ env.DOCKER_IMAGE_ARCH }} platforms: ${{ env.DOCKER_IMAGE_ARCH }}
cache-from: type=registry,ref=${{ env.DOCKER_CACHE_NAME }} cache-from: type=registry,ref=${{ env.DOCKER_CACHE_NAME }}
@@ -194,7 +233,7 @@ jobs:
- name: grype / scan - name: grype / scan
id: grype id: grype
uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342 uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
with: with:
image: ${{ env.DOCKER_CACHE_GRYPE }} image: ${{ env.DOCKER_CACHE_GRYPE }}
fail-build: ${{ env.WORKFLOW_GRYPE_FAIL_ON_SEVERITY }} fail-build: ${{ env.WORKFLOW_GRYPE_FAIL_ON_SEVERITY }}
@@ -205,7 +244,7 @@ jobs:
- name: grype / fail - name: grype / fail
if: failure() || steps.grype.outcome == 'failure' if: failure() || steps.grype.outcome == 'failure'
uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342 uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
with: with:
image: ${{ env.DOCKER_CACHE_GRYPE }} image: ${{ env.DOCKER_CACHE_GRYPE }}
fail-build: false fail-build: false
@@ -218,7 +257,7 @@ jobs:
uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
with: with:
context: . context: .
file: arch.dockerfile file: ${{ env.DOCKER_IMAGE_DOCKERFILE }}
push: true push: true
sbom: true sbom: true
provenance: mode=max provenance: mode=max
@@ -250,6 +289,12 @@ jobs:
if: env.WORKFLOW_CREATE_RELEASE == 'true' && steps.git-log.outcome == 'success' if: env.WORKFLOW_CREATE_RELEASE == 'true' && steps.git-log.outcome == 'success'
id: git-release id: git-release
uses: 11notes/action-docker-release@v1 uses: 11notes/action-docker-release@v1
# WHY IS THIS ACTION NOT SHA256 PINNED? SECURITY MUCH?!?!?!
# ---------------------------------------------------------------------------------
# the next step "github / release / create" creates a new release based on the code
# in the repo. This code is not modified and can't be modified by this action.
# It does create the markdown for the release, which could be abused, but to what
# extend? Adding a link to a malicious repo?
with: with:
git_log: ${{ steps.git-log.outputs.commits }} git_log: ${{ steps.git-log.outputs.commits }}
@@ -267,21 +312,91 @@ jobs:
# LICENSE
- name: license / update year
continue-on-error: true
uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
with:
script: |
const { existsSync, readFileSync, writeFileSync } = require('node:fs');
const { resolve } = require('node:path');
const file = 'LICENSE';
const year = new Date().getFullYear();
try{
const path = resolve(file);
if(existsSync(path)){
let license = readFileSync(file).toString();
if(!new RegExp(`Copyright \\(c\\) ${year} 11notes`, 'i').test(license)){
license = license.replace(/Copyright \(c\) \d{4} /i, `Copyright (c) ${new Date().getFullYear()} `);
writeFileSync(path, license);
}
}else{
throw new Error(`file ${file} does not exist`);
}
}catch(e){
core.setFailed(e);
}
# README # README
- name: github / checkout master - name: github / checkout HEAD
continue-on-error: true continue-on-error: true
run: | run: |
git checkout master git checkout HEAD
- name: docker / setup comparison images
if: env.WORKFLOW_CREATE_COMPARISON == 'true'
continue-on-error: true
run: |
docker image pull ${{ env.WORKFLOW_CREATE_COMPARISON_IMAGE }}
docker image pull ${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }}
docker image ls --filter "reference=${{ env.WORKFLOW_CREATE_COMPARISON_IMAGE }}" --format json | jq --raw-output '.Size' &> ./comparison.size0.log
docker image ls --filter "reference=${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }}" --format json | jq --raw-output '.Size' &> ./comparison.size1.log
docker run --entrypoint "/bin/sh" --rm ${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }} -c id &> ./comparison.id.log
- name: github / create README.md - name: github / create README.md
id: github-readme id: github-readme
continue-on-error: true continue-on-error: true
if: env.WORKFLOW_CREATE_README == 'true' && steps.docker-build.outcome == 'success' if: env.WORKFLOW_CREATE_README == 'true' && steps.docker-build.outcome == 'success'
uses: 11notes/action-docker-readme@v1 uses: 11notes/action-docker-readme@v1
# WHY IS THIS ACTION NOT SHA256 PINNED? SECURITY MUCH?!?!?!
# ---------------------------------------------------------------------------------
# the next step "github / commit & push" only adds the README and LICENSE as well as
# compose.yaml to the repository. This does not pose a security risk if this action
# would be compromised. The code of the app can't be changed by this action. Since
# only the files mentioned are commited to the repo. Sure, someone could make a bad
# compose.yaml, but since this serves only as an example I see no harm in that.
with: with:
sarif_file: ${{ steps.grype.outputs.sarif }} sarif_file: ${{ steps.grype.outputs.sarif }}
build_output_metadata: ${{ steps.docker-build.outputs.metadata }} build_output_metadata: ${{ steps.docker-build.outputs.metadata }}
- name: docker / push README.md to docker hub
continue-on-error: true
if: steps.github-readme.outcome == 'success' && hashFiles('README_NONGITHUB.md') != ''
uses: christian-korneck/update-container-description-action@d36005551adeaba9698d8d67a296bd16fa91f8e8
env:
DOCKER_USER: 11notes
DOCKER_PASS: ${{ secrets.DOCKER_TOKEN }}
with:
destination_container_repo: ${{ env.DOCKER_IMAGE_NAME }}
provider: dockerhub
short_description: ${{ env.DOCKER_IMAGE_DESCRIPTION }}
readme_file: 'README_NONGITHUB.md'
- name: quay / push README.md to quay
continue-on-error: true
if: steps.github-readme.outcome == 'success' && hashFiles('README_NONGITHUB.md') != ''
uses: christian-korneck/update-container-description-action@d36005551adeaba9698d8d67a296bd16fa91f8e8
env:
DOCKER_APIKEY: ${{ secrets.QUAY_TOKEN }}
with:
destination_container_repo: quay.io/${{ env.DOCKER_IMAGE_NAME }}
provider: quay
readme_file: 'README_NONGITHUB.md'
- name: github / commit & push - name: github / commit & push
continue-on-error: true continue-on-error: true
if: steps.github-readme.outcome == 'success' && hashFiles('README.md') != '' if: steps.github-readme.outcome == 'success' && hashFiles('README.md') != ''
@@ -292,21 +407,12 @@ jobs:
if [ -f compose.yaml ]; then if [ -f compose.yaml ]; then
git add compose.yaml git add compose.yaml
fi fi
git commit -m "auto update README.md" if [ -f LICENSE ]; then
git push git add LICENSE
fi
git commit -m "github-actions[bot]: update README.md"
git push origin HEAD:master
- name: docker / push README.md to docker hub
continue-on-error: true
if: steps.github-readme.outcome == 'success' && hashFiles('README.md') != ''
uses: christian-korneck/update-container-description-action@d36005551adeaba9698d8d67a296bd16fa91f8e8
env:
DOCKER_USER: 11notes
DOCKER_PASS: ${{ secrets.DOCKER_TOKEN }}
with:
destination_container_repo: ${{ env.DOCKER_IMAGE_NAME }}
provider: dockerhub
short_description: ${{ env.DOCKER_IMAGE_DESCRIPTION }}
readme_file: 'README.md'