build(deps): bump github.com/docker/docker (#1691) #1021
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Development docker build | |
on: | |
push: | |
branches: | |
- main | |
- fb-* | |
permissions: | |
security-events: write | |
actions: read | |
contents: read | |
packages: write | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
check: | |
name: Check if workflow should run | |
runs-on: ubuntu-latest | |
outputs: | |
enabled: ${{ steps.check.outputs.enabled }} | |
steps: | |
- name: Enabled Check | |
id: check | |
shell: bash | |
run: | | |
ENABLED=${{ secrets.DEVELOPMENT_DOCKER }} | |
if [[ "${{ github.repository_owner }}" == "0xERR0R" ]]; then | |
ENABLED="true" | |
fi | |
if [[ "${ENABLED,,}" != "true" ]]; then | |
echo "enabled=0" >> $GITHUB_OUTPUT | |
echo "Workflow is disabled" | |
echo "### Workflow is disabled" >> $GITHUB_STEP_SUMMARY | |
echo "To enable this workflow by creating a secret 'DEVELOPMENT_DOCKER' with the value 'true'" >> $GITHUB_STEP_SUMMARY | |
else | |
if [[ "${{ github.repository_owner }}" != "0xERR0R" && "${GITHUB_REF#refs/heads/}" == "main" ]]; then | |
echo "enabled=0" >> $GITHUB_OUTPUT | |
echo "Workflow is disabled for main branch on forks" | |
else | |
echo "enabled=1" >> $GITHUB_OUTPUT | |
echo "Workflow is enabled" | |
fi | |
fi | |
docker: | |
name: Build Docker image | |
runs-on: ubuntu-latest | |
needs: check | |
if: ${{ needs.check.outputs.enabled == 1 }} | |
outputs: | |
repository: ${{ steps.get_vars.outputs.repository }} | |
branch: ${{ steps.get_vars.outputs.branch }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
with: | |
platforms: arm,arm64 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Get registry token | |
id: get_token | |
shell: bash | |
run: | | |
if [ "${{ secrets.CR_PAT }}" ]; then | |
echo "token=${{ secrets.CR_PAT }}" >> $GITHUB_OUTPUT | |
else | |
echo "token=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_OUTPUT | |
fi | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ steps.get_token.outputs.token }} | |
- name: Login to DockerHub | |
if: github.repository_owner == '0xERR0R' | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_TOKEN }} | |
- name: Populate build variables | |
id: get_vars | |
shell: bash | |
run: | | |
REPOSITORY=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]') | |
echo "repository=${REPOSITORY}" >> $GITHUB_OUTPUT | |
echo "REPOSITORY: ${REPOSITORY}" | |
BRANCH=${GITHUB_REF#refs/heads/} | |
echo "branch=${BRANCH}" >> $GITHUB_OUTPUT | |
echo "Branch: ${BRANCH}" | |
VERSION=$(git describe --always --tags) | |
echo "version=${VERSION}" >> $GITHUB_OUTPUT | |
echo "VERSION: ${VERSION}" | |
BUILD_TIME=$(date --iso-8601=seconds) | |
echo "build_time=${BUILD_TIME}" >> $GITHUB_OUTPUT | |
echo "BUILD_TIME: ${BUILD_TIME}" | |
DOC_PATH="main" | |
echo "doc_path=${DOC_PATH}" >> $GITHUB_OUTPUT | |
echo "DOC_PATH: ${DOC_PATH}" | |
TAGS="ghcr.io/${REPOSITORY}:${BRANCH}" | |
if [[ "${BRANCH}" == "main" ]]; then | |
TAGS="${TAGS} , ghcr.io/${REPOSITORY}:development" | |
fi | |
if [[ "${{ github.repository_owner }}" == "0xERR0R" ]]; then | |
TAGS="${TAGS} , spx01/blocky:${BRANCH}" | |
if [[ "${BRANCH}" == "main" ]]; then | |
TAGS="${TAGS} , spx01/blocky:development" | |
fi | |
fi | |
echo "tags=${TAGS}" >> $GITHUB_OUTPUT | |
echo "TAGS: ${TAGS}" | |
- name: Build and push | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64 | |
push: true | |
tags: ${{ steps.get_vars.outputs.tags }} | |
build-args: | | |
VERSION=${{ steps.get_vars.outputs.version }} | |
BUILD_TIME=${{ steps.get_vars.outputs.build_time }} | |
DOC_PATH=${{ steps.get_vars.outputs.doc_path }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
repo-scan: | |
name: Repo vulnerability scan | |
runs-on: ubuntu-latest | |
needs: check | |
if: needs.check.outputs.enabled == 1 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Run Trivy vulnerability scanner in repo mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: "fs" | |
ignore-unfixed: true | |
format: "sarif" | |
output: "trivy-repo-results.sarif" | |
severity: "CRITICAL" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: "trivy-repo-results.sarif" | |
image-scan: | |
name: Image vulnerability scan | |
runs-on: ubuntu-latest | |
needs: docker | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Run Trivy vulnerability scanner on Docker image | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }}" | |
format: "sarif" | |
output: "trivy-image-results.sarif" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: "trivy-image-results.sarif" | |
image-test: | |
name: Test docker images | |
runs-on: ubuntu-latest | |
needs: docker | |
steps: | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
with: | |
platforms: arm,arm64 | |
- name: Test images | |
shell: bash | |
run: | | |
echo '::group::Version for linux/amd64' | |
docker run --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version | |
echo '::endgroup::' | |
echo '::group::Version for linux/arm/v6' | |
docker run --platform linux/arm/v6 --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version | |
echo '::endgroup::' | |
echo '::group::Version for linux/arm/v7' | |
docker run --platform linux/arm/v7 --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version | |
echo '::endgroup::' | |
echo '::group::Version for linux/arm64' | |
docker run --platform linux/arm64 --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version | |
echo '::endgroup::' |