chore(deps): update github/codeql-action digest to dd74661 #2088
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Test Docker Images | |
| on: | |
| pull_request: | |
| branches: [ "main" ] | |
| push: | |
| branches: [ "main" ] | |
| schedule: | |
| - cron: '20 03 * * *' # 3:20am everyday | |
| jobs: | |
| build_and_push_docker_images: | |
| runs-on: ubuntu-latest | |
| continue-on-error: true | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| containerdistro: [ alpine, min, debian, ubuntu, centos ] | |
| arches: [ linux/amd64, linux/arm64 ] | |
| patchsets: [ vanilla, highload, redis ] | |
| exclude: | |
| - containerdistro: debian | |
| arches: linux/arm64 | |
| - containerdistro: ubuntu | |
| arches: linux/arm64 | |
| - containerdistro: centos | |
| arches: linux/arm64 | |
| permissions: | |
| contents: read | |
| packages: write | |
| security-events: write | |
| name: Docker Images | |
| steps: | |
| # SETUP | |
| - name: Check out the repo | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| with: | |
| submodules: recursive | |
| # PREPARE | |
| - name: Get patches | |
| run: | | |
| chmod u+x scripts/* | |
| ./scripts/get-patches.sh | |
| ./scripts/apply-patches.sh ${{ matrix.patchsets }} | |
| ./scripts/fix-git-compile.sh | |
| - name: Generate tags | |
| id: generate-tags | |
| shell: bash | |
| run: | | |
| alias_tags=() | |
| while IFS= read -r line; do | |
| alias_tags+=("$line") | |
| done < <(./scripts/generate-tags.sh ${{ matrix.containerdistro }} ${{ matrix.patchsets }} ${{ matrix.arches }}) | |
| echo "Generated tags:" | |
| for TAG in "${alias_tags[@]}"; do | |
| echo "$TAG" | |
| done | |
| echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT | |
| # - name: Get the last (and most specific) tag | |
| # id: specific-tag | |
| # run: | | |
| # echo "super_specific_tag=$(echo ${{ steps.generate-tags.outputs.alias_tags }} | awk '{print $NF}')" >> $GITHUB_OUTPUT | |
| - name: Install packages for testing | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y qemu-user-static podman | |
| - name: Cache Shards | |
| uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4 | |
| with: | |
| path: ${{ github.workspace }}/shardscache | |
| key: shards-${{ hashFiles('invidious/shard.lock') }} | |
| # Ensure shardscache exists | |
| - run: mkdir -p ${{ github.workspace }}/shardscache | |
| # BUILD | |
| - name: Build Image | |
| id: build-image | |
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 | |
| with: | |
| image: invidious | |
| tags: ${{ steps.generate-tags.outputs.alias_tags }} | |
| containerfiles: Dockerfile.${{ matrix.containerdistro }} | |
| platforms: ${{ matrix.arches }} | |
| extra-args: | | |
| --volume=${{ github.workspace }}/shardscache:/invidious/lib | |
| --cache-from=ghcr.io/${{ github.repository_owner }}/invidious | |
| context: invidious | |
| # TEST | |
| - name: Test image | |
| if: matrix.arches == 'linux/amd64' | |
| run: ./scripts/test-image.sh ${{ steps.build-image.outputs.image }} | |
| # PUSH | |
| - name: Push To GHCR | |
| if: github.event_name != 'pull_request' | |
| id: push-to-ghcr | |
| uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 | |
| with: | |
| username: ${{ github.actor }} | |
| password: ${{ github.token }} | |
| image: ${{ steps.build-image.outputs.image }} | |
| tags: ${{ steps.build-image.outputs.tags }} | |
| registry: ghcr.io/${{ github.repository_owner }} | |
| # SIGN | |
| - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| if: github.event_name != 'pull_request' | |
| - name: Sign GHCR Image | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| cosign login ghcr.io -u ${{ github.actor }} -p ${{ github.token }} | |
| cosign sign -y --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ github.repository_owner }}/${{ steps.build-image.outputs.image }}@${{ steps.push-to-ghcr.outputs.digest }} | |
| env: | |
| COSIGN_EXPERIMENTAL: false | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| # SCAN | |
| - name: Run Trivy vulnerability scanner | |
| if: github.event_name != 'pull_request' | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ghcr.io/${{ github.repository_owner }}/${{ steps.build-image.outputs.image }}@${{ steps.push-to-ghcr.outputs.digest }} | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| if: github.event_name != 'pull_request' | |
| uses: github/codeql-action/upload-sarif@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| - name: Print image URLs | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| echo "Image pushed to ${{ steps.push-to-ghcr.outputs.registry-paths }}" |