ci: use docker github builder to build the image #2925
| name: build | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions | |
| permissions: | |
| contents: read | |
| on: | |
| push: | |
| branches: | |
| - 'master' | |
| tags: | |
| - 'v*' | |
| pull_request: | |
| env: | |
| DOCKERHUB_SLUG: crazymax/diun | |
| GHCR_SLUG: ghcr.io/crazy-max/diun | |
| DESTDIR: ./bin | |
| DOCKER_BUILD_SUMMARY: false | |
| SCOUT_VERSION: "1.18.2" | |
| jobs: | |
| prepare: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| validate-includes: ${{ steps.validate.outputs.matrix }} | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v6 | |
| - | |
| name: Validate matrix | |
| id: validate | |
| uses: docker/bake-action/subaction/matrix@v6 | |
| with: | |
| target: validate | |
| fields: platforms | |
| env: | |
| GOLANGCI_LINT_MULTIPLATFORM: 1 | |
| validate: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - prepare | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJson(needs.prepare.outputs.validate-includes) }} | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v6 | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - | |
| name: Validate | |
| uses: docker/bake-action@v6 | |
| with: | |
| source: . | |
| targets: ${{ matrix.target }} | |
| set: | | |
| *.platform=${{ matrix.platforms }} | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - | |
| name: Test | |
| uses: docker/bake-action@v6 | |
| with: | |
| source: . | |
| targets: test | |
| pull: true | |
| - | |
| name: Upload coverage | |
| uses: codecov/codecov-action@v5 | |
| with: | |
| directory: ${{ env.DESTDIR }}/coverage | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| govulncheck: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # same as global permission | |
| contents: read | |
| # required to write sarif report | |
| security-events: write | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v6 | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - | |
| name: Run | |
| uses: docker/bake-action@v6 | |
| with: | |
| source: . | |
| targets: govulncheck | |
| env: | |
| GOVULNCHECK_FORMAT: sarif | |
| - | |
| name: Upload SARIF report | |
| if: ${{ github.ref == 'refs/heads/master' }} | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: ${{ env.DESTDIR }}/govulncheck.out | |
| artifacts: | |
| uses: docker/github-builder-experimental/.github/workflows/bake.yml@813ea76fdb0a744196f46fd25149937a6dbd42a2 | |
| permissions: | |
| contents: read | |
| id-token: write # for signing attestation manifests and registry authentication if needed with GitHub OIDC Token | |
| packages: write # for pushing manifests to GHCR if needed (caller must provide the same permissions used in the reusable workflow) | |
| with: | |
| runner: amd64 | |
| target: artifact-all | |
| output: local | |
| push: ${{ github.event_name != 'pull_request' }} | |
| artifact-name: diun | |
| bake-sbom: true | |
| artifacts-finalize: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - artifacts | |
| steps: | |
| - | |
| name: Download artifacts | |
| uses: actions/download-artifact@v6 | |
| with: | |
| path: /tmp/buildx-output | |
| pattern: ${{ needs.artifacts.outputs.artifact-name }}* | |
| merge-multiple: true | |
| - | |
| name: Rename provenance and sbom | |
| run: | | |
| for pdir in /tmp/buildx-output/*/; do | |
| ( | |
| cd "$pdir" | |
| binname=$(find . -name 'diun_*') | |
| filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//') | |
| mv "provenance.json" "$(unknown).provenance.json" | |
| mv "sbom-binary.spdx.json" "$(unknown).sbom.json" | |
| find . -name 'sbom*.json' -exec rm {} \; | |
| if [ -f "provenance.sigstore.json" ]; then | |
| mv "provenance.sigstore.json" "$(unknown).provenance.sigstore.json" | |
| fi | |
| ) | |
| done | |
| mkdir -p "${{ env.DESTDIR }}" | |
| mv /tmp/buildx-output/**/* "${{ env.DESTDIR }}/" | |
| - | |
| name: List artifacts | |
| working-directory: ${{ env.DESTDIR }} | |
| run: | | |
| tree -nh . | |
| - | |
| name: Check artifacts | |
| working-directory: ${{ env.DESTDIR }} | |
| run: | | |
| find . -type f -exec file -e ascii -- {} + | |
| - | |
| name: Upload release binaries | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: release | |
| path: ${{ env.DESTDIR }}/* | |
| if-no-files-found: error | |
| release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # required to create GitHub release | |
| contents: write | |
| needs: | |
| - artifacts-finalize | |
| - test | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v6 | |
| - | |
| name: Download release binaries | |
| uses: actions/download-artifact@v6 | |
| with: | |
| path: ${{ env.DESTDIR }} | |
| name: release | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - | |
| name: Build | |
| uses: docker/bake-action@v6 | |
| with: | |
| source: . | |
| targets: release | |
| provenance: false | |
| - | |
| name: List artifacts | |
| working-directory: ${{ env.DESTDIR }}/release | |
| run: | | |
| tree -nh . | |
| - | |
| name: GitHub Release | |
| uses: softprops/action-gh-release@v2 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| draft: true | |
| files: | | |
| ${{ env.DESTDIR }}/release/* | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| image-prepare: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| repo-slugs: | | |
| ${{ env.DOCKERHUB_SLUG }} | |
| ${{ env.GHCR_SLUG }} | |
| steps: | |
| # FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671 | |
| - run: echo "Exposing env vars for reusable workflow" | |
| image: | |
| uses: docker/github-builder-experimental/.github/workflows/bake.yml@813ea76fdb0a744196f46fd25149937a6dbd42a2 | |
| permissions: | |
| contents: read # same as global permission | |
| id-token: write # for signing attestation manifests and registry authentication if needed with GitHub OIDC Token | |
| packages: write # for pushing manifests to GHCR if needed (caller must provide the same permissions used in the reusable workflow) | |
| needs: | |
| - image-prepare | |
| - artifacts-finalize | |
| - test | |
| with: | |
| runner: amd64 | |
| target: image-all | |
| output: image | |
| push: ${{ github.event_name != 'pull_request' }} | |
| set-meta-labels: true | |
| meta-images: | | |
| ${{ needs.image-prepare.outputs.repo-slugs }} | |
| meta-tags: | | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=ref,event=pr | |
| type=edge | |
| meta-labels: | | |
| org.opencontainers.image.title=Diun | |
| org.opencontainers.image.description=Docker image update notifier | |
| org.opencontainers.image.vendor=CrazyMax | |
| bake-sbom: true | |
| secrets: | |
| registry-auths: | | |
| - registry: docker.io | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| scout: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.ref == 'refs/heads/master' }} | |
| permissions: | |
| # same as global permission | |
| contents: read | |
| # required to write sarif report | |
| security-events: write | |
| needs: | |
| - image | |
| steps: | |
| - | |
| name: Login to DockerHub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - | |
| name: Scout | |
| id: scout | |
| uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4 | |
| with: | |
| version: ${{ env.SCOUT_VERSION }} | |
| format: sarif | |
| image: registry://${{ env.DOCKERHUB_SLUG }}:edge | |
| - | |
| name: Upload SARIF report | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: ${{ steps.scout.outputs.result-file }} |
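Review bot: In the `Rename provenance and sbom` step of `artifacts-finalize`, `filename` is derived from the binary name but never used; the three `mv` targets read `$(unknown)` as rendered, which is a command substitution of a non-existent command and would likely yield an empty prefix, leaving dot-files such as `.provenance.json` that the later `mv /tmp/buildx-output/**/*` glob does not match, so provenance and SBOM files could be silently dropped from the release bundle. If `$(unknown)` is only a rendering artifact this can be ignored; otherwise the targets should be `"${filename}.provenance.json"`, `"${filename}.sbom.json"` and `"${filename}.provenance.sigstore.json"`. Separately, the `release` job holds `contents: write` and publishes assets via `softprops/action-gh-release@v2` by mutable tag, whereas the `docker/github-builder-experimental` reusable workflow in `artifacts` and `image` is pinned to a full commit SHA; pinning the release action the same way keeps the supply-chain posture consistent for the one job that can modify the repository. The `release` and `image` jobs also depend only on `artifacts-finalize` and `test`, not on `validate` or `govulncheck`, so a lint or vulnerability-scan failure does not block publishing — if that is intentional, a short comment on the `needs:` lists would make it clear.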