Skip to content

build(deps): bump github.com/docker/docker (#1691) #1021

build(deps): bump github.com/docker/docker (#1691)

build(deps): bump github.com/docker/docker (#1691) #1021

name: Development docker build
on:
push:
branches:
- main
- fb-*
permissions:
security-events: write
actions: read
contents: read
packages: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
check:
name: Check if workflow should run
runs-on: ubuntu-latest
outputs:
enabled: ${{ steps.check.outputs.enabled }}
steps:
- name: Enabled Check
id: check
shell: bash
run: |
ENABLED=${{ secrets.DEVELOPMENT_DOCKER }}
if [[ "${{ github.repository_owner }}" == "0xERR0R" ]]; then
ENABLED="true"
fi
if [[ "${ENABLED,,}" != "true" ]]; then
echo "enabled=0" >> $GITHUB_OUTPUT
echo "Workflow is disabled"
echo "### Workflow is disabled" >> $GITHUB_STEP_SUMMARY
echo "To enable this workflow by creating a secret 'DEVELOPMENT_DOCKER' with the value 'true'" >> $GITHUB_STEP_SUMMARY
else
if [[ "${{ github.repository_owner }}" != "0xERR0R" && "${GITHUB_REF#refs/heads/}" == "main" ]]; then
echo "enabled=0" >> $GITHUB_OUTPUT
echo "Workflow is disabled for main branch on forks"
else
echo "enabled=1" >> $GITHUB_OUTPUT
echo "Workflow is enabled"
fi
fi
docker:
name: Build Docker image
runs-on: ubuntu-latest
needs: check
if: ${{ needs.check.outputs.enabled == 1 }}
outputs:
repository: ${{ steps.get_vars.outputs.repository }}
branch: ${{ steps.get_vars.outputs.branch }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: arm,arm64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Get registry token
id: get_token
shell: bash
run: |
if [ "${{ secrets.CR_PAT }}" ]; then
echo "token=${{ secrets.CR_PAT }}" >> $GITHUB_OUTPUT
else
echo "token=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_OUTPUT
fi
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ steps.get_token.outputs.token }}
- name: Login to DockerHub
if: github.repository_owner == '0xERR0R'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Populate build variables
id: get_vars
shell: bash
run: |
REPOSITORY=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
echo "repository=${REPOSITORY}" >> $GITHUB_OUTPUT
echo "REPOSITORY: ${REPOSITORY}"
BRANCH=${GITHUB_REF#refs/heads/}
echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
echo "Branch: ${BRANCH}"
VERSION=$(git describe --always --tags)
echo "version=${VERSION}" >> $GITHUB_OUTPUT
echo "VERSION: ${VERSION}"
BUILD_TIME=$(date --iso-8601=seconds)
echo "build_time=${BUILD_TIME}" >> $GITHUB_OUTPUT
echo "BUILD_TIME: ${BUILD_TIME}"
DOC_PATH="main"
echo "doc_path=${DOC_PATH}" >> $GITHUB_OUTPUT
echo "DOC_PATH: ${DOC_PATH}"
TAGS="ghcr.io/${REPOSITORY}:${BRANCH}"
if [[ "${BRANCH}" == "main" ]]; then
TAGS="${TAGS} , ghcr.io/${REPOSITORY}:development"
fi
if [[ "${{ github.repository_owner }}" == "0xERR0R" ]]; then
TAGS="${TAGS} , spx01/blocky:${BRANCH}"
if [[ "${BRANCH}" == "main" ]]; then
TAGS="${TAGS} , spx01/blocky:development"
fi
fi
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
echo "TAGS: ${TAGS}"
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
push: true
tags: ${{ steps.get_vars.outputs.tags }}
build-args: |
VERSION=${{ steps.get_vars.outputs.version }}
BUILD_TIME=${{ steps.get_vars.outputs.build_time }}
DOC_PATH=${{ steps.get_vars.outputs.doc_path }}
cache-from: type=gha
cache-to: type=gha,mode=max
repo-scan:
name: Repo vulnerability scan
runs-on: ubuntu-latest
needs: check
if: needs.check.outputs.enabled == 1
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
ignore-unfixed: true
format: "sarif"
output: "trivy-repo-results.sarif"
severity: "CRITICAL"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-repo-results.sarif"
image-scan:
name: Image vulnerability scan
runs-on: ubuntu-latest
needs: docker
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run Trivy vulnerability scanner on Docker image
uses: aquasecurity/trivy-action@master
with:
image-ref: "ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }}"
format: "sarif"
output: "trivy-image-results.sarif"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-image-results.sarif"
image-test:
name: Test docker images
runs-on: ubuntu-latest
needs: docker
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: arm,arm64
- name: Test images
shell: bash
run: |
echo '::group::Version for linux/amd64'
docker run --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version
echo '::endgroup::'
echo '::group::Version for linux/arm/v6'
docker run --platform linux/arm/v6 --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version
echo '::endgroup::'
echo '::group::Version for linux/arm/v7'
docker run --platform linux/arm/v7 --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version
echo '::endgroup::'
echo '::group::Version for linux/arm64'
docker run --platform linux/arm64 --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version
echo '::endgroup::'