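---
# Development image pipeline: on every push to main, build a multi-arch image,
# publish it to ghcr.io (and to Docker Hub for the upstream owner), then run a
# repository scan, an image scan and a smoke test of the published image.
name: Development docker build

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main

# Workflow-wide GITHUB_TOKEN permissions; anything not listed is "none".
#   security-events: write  -> upload-sarif publishes scan results
#   actions: read           -> upload-sarif reads run metadata
#   contents: read          -> actions/checkout
#   packages: write         -> push to ghcr.io
# NOTE(review): only the docker job needs packages:write and only the scan jobs
# need security-events:write; these grants could be narrowed per job.
permissions:
  security-events: write
  actions: read
  contents: read
  packages: write

# One run per workflow+ref; a newer push cancels the one still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  check:
    name: Check if workflow should run
    runs-on: ubuntu-latest
    outputs:
      enabled: ${{ steps.check.outputs.enabled }}
    steps:
      - name: Enabled Check
        id: check
        shell: bash
        # The secret is passed through the environment instead of being
        # interpolated into the script, so its value is never part of the
        # shell source (a value with spaces or quotes cannot break the script).
        env:
          DEVELOPMENT_DOCKER: ${{ secrets.DEVELOPMENT_DOCKER }}
        run: |
          ENABLED="${DEVELOPMENT_DOCKER}"

          # Always enabled in the upstream repository; forks opt in via the secret.
          if [[ "${{ github.repository_owner }}" == "0xERR0R" ]]; then
            ENABLED="true"
          fi

          # ${ENABLED,,} lower-cases the value, so "True"/"TRUE" also enable.
          if [[ "${ENABLED,,}" != "true" ]]; then
            echo "enabled=0" >> "$GITHUB_OUTPUT"
            echo "Workflow is disabled"
            echo "### Workflow is disabled" >> "$GITHUB_STEP_SUMMARY"
            echo "To enable this workflow, create a secret 'DEVELOPMENT_DOCKER' with the value 'true'" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "enabled=1" >> "$GITHUB_OUTPUT"
            echo "Workflow is enabled"
          fi

  docker:
    name: Build Docker image
    runs-on: ubuntu-latest
    needs: check
    if: needs.check.outputs.enabled == 1
    outputs:
      repository: ${{ steps.get_vars.outputs.repository }}
      branch: ${{ steps.get_vars.outputs.branch }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          # Full history so `git describe --tags` below can see the tags.
          fetch-depth: 0

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
        with:
          platforms: arm,arm64

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          # Prefer the repository's personal token (CR_PAT) when one is set and
          # fall back to the workflow token otherwise. Choosing it in the
          # expression avoids writing the token into a step output first.
          password: ${{ secrets.CR_PAT || secrets.GITHUB_TOKEN }}

      # Docker Hub credentials only exist in the upstream repository.
      - name: Login to DockerHub
        if: github.repository_owner == '0xERR0R'
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Populate build variables
        id: get_vars
        shell: bash
        run: |
          # Image names must be lower-case; the repository name may not be.
          REPOSITORY=$(echo "${GITHUB_REPOSITORY}" | tr '[:upper:]' '[:lower:]')
          echo "repository=${REPOSITORY}" >> "$GITHUB_OUTPUT"
          echo "REPOSITORY: ${REPOSITORY}"

          # Only pushes to main trigger this workflow, so the branch name is
          # always a valid tag component.
          BRANCH=${GITHUB_REF#refs/heads/}
          echo "branch=${BRANCH}" >> "$GITHUB_OUTPUT"
          echo "Branch: ${BRANCH}"

          VERSION=$(git describe --always --tags)
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "VERSION: ${VERSION}"

          BUILD_TIME=$(date '+%Y%m%d-%H%M%S')
          echo "build_time=${BUILD_TIME}" >> "$GITHUB_OUTPUT"
          echo "BUILD_TIME: ${BUILD_TIME}"

          # Comma-separated tag list for build-push-action; Docker Hub tags are
          # added only for the upstream owner, matching the login step above.
          TAGS="ghcr.io/${REPOSITORY}:${BRANCH} , ghcr.io/${REPOSITORY}:development"
          if [[ "${{ github.repository_owner }}" == "0xERR0R" ]]; then
            TAGS="${TAGS} , spx01/blocky:${BRANCH} , spx01/blocky:development"
          fi
          echo "tags=${TAGS}" >> "$GITHUB_OUTPUT"
          echo "TAGS: ${TAGS}"

      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: .
          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
          push: true
          tags: ${{ steps.get_vars.outputs.tags }}
          build-args: |
            VERSION=${{ steps.get_vars.outputs.version }}
            BUILD_TIME=${{ steps.get_vars.outputs.build_time }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  repo-scan:
    name: Repo vulnerability scan
    runs-on: ubuntu-latest
    needs: check
    if: needs.check.outputs.enabled == 1
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      # NOTE(review): `master` is a mutable ref, so the scanner code can change
      # under this workflow at any time; pin to a release tag or commit SHA.
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-repo-results.sarif'
          severity: 'CRITICAL'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-repo-results.sarif'

  image-scan:
    name: Image vulnerability scan
    runs-on: ubuntu-latest
    needs: docker
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      # NOTE(review): same mutable `master` ref as in repo-scan; pin it.
      - name: Run Trivy vulnerability scanner on Docker image
        uses: aquasecurity/trivy-action@master
        with:
          # Scans the image the docker job just pushed for this branch.
          image-ref: 'ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }}'
          format: 'sarif'
          output: 'trivy-image-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-image-results.sarif'

  image-test:
    name: Test docker images
    runs-on: ubuntu-latest
    needs: docker
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
        with:
          platforms: arm,arm64

      # Smoke test: run `version` from the pushed image on every published
      # platform. `shell: bash` runs with -e, so the first failing platform
      # fails the step.
      - name: Test images
        shell: bash
        env:
          IMAGE: ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }}
        run: |
          for platform in linux/amd64 linux/arm/v6 linux/arm/v7 linux/arm64; do
            echo "::group::Version for ${platform}"
            docker run --platform "${platform}" --rm "${IMAGE}" version
            echo '::endgroup::'
          done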