paulmataruso/docker-kms
1
0
Fork 0
mirror of https://github.com/11notes/docker-kms.git synced 2025-11-02 13:03:17 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
57a78065901030c429829dd965ba1bc82d4be3fc
docker-kms/.github/workflows/docker.yml
ElevenNotes 57a7806590 add no-cache
2025-02-07 07:20:47 +01:00

160 lines
6.3 KiB
YAML
Raw Blame History

name: create and publish docker image
on:
workflow_dispatch:
push:
tags:
- 'v*'
env:
DOCKER_USERNAME: 11notes
jobs:
build-and-push-image:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
security-events: write
steps:
- name: init / checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: init / .json to env
uses: rgarcia-phi/json-to-variables@9835d537368468c4e4de5254dc3efeadda183793
with:
filename: '.json'
- name: init / setup environment
run: |
: # set default arch if not set
echo "IMAGE_ARCH=${json_arch:-linux/amd64,linux/arm64}" >> $GITHUB_ENV
: # create tags for semver, stable and other shenanigans
export LOCAL_SHA=$(git rev-parse --short HEAD)
export LOCAL_SEMVER_MAJOR=$(awk -F. '{ print $1 }' <<< ${json_version})
export LOCAL_SEMVER_MINOR=$(awk -F. '{ print $2 }' <<< ${json_version})
export LOCAL_SEMVER_PATCH=$(awk -F. '{ print $3 }' <<< ${json_version})
export LOCAL_TAGS="${json_image}:latest"
if [ ! -z ${LOCAL_SEMVER_MAJOR} ]; then LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_SEMVER_MAJOR}"; fi
if [ ! -z ${LOCAL_SEMVER_MINOR} ]; then LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_SEMVER_MAJOR}.${LOCAL_SEMVER_MINOR}"; fi
if [ ! -z ${LOCAL_SEMVER_PATCH} ]; then LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_SEMVER_MAJOR}.${LOCAL_SEMVER_MINOR}.${LOCAL_SEMVER_PATCH}"; fi
if echo "${LOCAL_TAGS}" | grep -q "${json_stable}" ; then LOCAL_TAGS="${LOCAL_TAGS},${json_image}:stable"; fi
if [ ! -z ${json_tags} ]; then SPECIAL_LOCAL_TAGS=$(echo ${json_tags} | sed 's/,/ /g'); for LOCAL_TAG in ${json_tags}; do LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_TAG}"; done; fi
LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_SHA}"
echo "IMAGE_TAGS=${LOCAL_TAGS}" >> $GITHUB_ENV
: # if for whatever reason UID/GID must be changed at build time
echo "IMAGE_UID=${json_uid:-1000}" >> $GITHUB_ENV
echo "IMAGE_GID=${json_gid:-1000}" >> $GITHUB_ENV
- name: docker / login to hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: docker / setup qemu
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a
- name: docker / setup buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
- name: grype / build & push
uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
with:
context: .
file: arch.dockerfile
push: true
platforms: ${{ env.IMAGE_ARCH }}
cache-from: type=registry,ref=${{ env.json_image }}:buildcache
cache-to: type=registry,ref=${{ env.json_image }}:buildcache,mode=max,compression=zstd,force-compression=true
build-args: |
APP_IMAGE=${{ env.json_image }}
APP_NAME=${{ env.json_name }}
APP_VERSION=${{ env.json_version }}
APP_ROOT=${{ env.json_root }}
APP_UID=${{ env.IMAGE_UID }}
APP_GID=${{ env.IMAGE_GID }}
NO_CACHE=$(date +%s)
tags: |
${{ env.json_image }}:grype
- name: grype / scan
id: scan
uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342
with:
image: ${{ env.json_image }}:grype
severity-cutoff: high
- name: grype / delete tag
if: success() || failure()
run: |
curl --request DELETE \
--url https://hub.docker.com/v2/repositories/${{ env.json_image }}/tags/grype/ \
--header 'authorization: jwt ${{ secrets.DOCKER_TOKEN }}' \
--header 'content-type: application/json' \
--fail
- name: grype / report / upload
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: grype / report / print
run: cat ${{ steps.scan.outputs.sarif }}
- name: docker / build & push
uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
with:
context: .
file: arch.dockerfile
push: true
sbom: true
provenance: mode=max
platforms: ${{ env.IMAGE_ARCH }}
cache-from: type=registry,ref=${{ env.json_image }}:buildcache
cache-to: type=registry,ref=${{ env.json_image }}:buildcache,mode=max,compression=zstd,force-compression=true
build-args: |
APP_IMAGE=${{ env.json_image }}
APP_NAME=${{ env.json_name }}
APP_VERSION=${{ env.json_version }}
APP_ROOT=${{ env.json_root }}
APP_UID=${{ env.IMAGE_UID }}
APP_GID=${{ env.IMAGE_GID }}
NO_CACHE=$(date +%s)
tags: |
${{ env.IMAGE_TAGS }}
- name: github / create release notes
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release create ${{ github.ref_name }} -F RELEASE.md
- name: github / update description and set repo defaults
run: |
curl --request PATCH \
--url https://api.github.com/repos/${{ github.repository }} \
--header 'authorization: Bearer ${{ secrets.REPOSITORY_TOKEN }}' \
--header 'content-type: application/json' \
--data '{
"description":"${{ env.json_description }}",
"homepage":"",
"has_issues":true,
"has_discussions":true,
"has_projects":false,
"has_wiki":false
}' \
--fail
- name: docker / push README.md to docker hub
uses: christian-korneck/update-container-description-action@d36005551adeaba9698d8d67a296bd16fa91f8e8
env:
DOCKER_USER: ${{ env.DOCKER_USERNAME }}
DOCKER_PASS: ${{ secrets.DOCKER_TOKEN }}
with:
destination_container_repo: ${{ env.json_image }}
provider: dockerhub
short_description: ${{ env.json_description }}
readme_file: 'README.md'
Reference in New Issue View Git Blame Copy Permalink