ci: use docker github builder to build the image #2915
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions | |
| permissions: | |
| contents: read | |
| on: | |
| push: | |
| branches: | |
| - 'master' | |
| tags: | |
| - 'v*' | |
| pull_request: | |
| env: | |
| DOCKERHUB_SLUG: crazymax/diun | |
| GHCR_SLUG: ghcr.io/crazy-max/diun | |
| DESTDIR: ./bin | |
| DOCKER_BUILD_SUMMARY: false | |
| SCOUT_VERSION: "1.18.2" | |
| jobs: | |
| prepare: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| validate-includes: ${{ steps.validate.outputs.matrix }} | |
| artifact-includes: ${{ steps.artifact.outputs.matrix }} | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v5 | |
| - | |
| name: Validate matrix | |
| id: validate | |
| uses: docker/bake-action/subaction/matrix@v6 | |
| with: | |
| target: validate | |
| fields: platforms | |
| env: | |
| GOLANGCI_LINT_MULTIPLATFORM: 1 | |
| - | |
| name: Artifact matrix | |
| id: artifact | |
| uses: docker/bake-action/subaction/matrix@v6 | |
| with: | |
| target: artifact-all | |
| fields: platforms | |
| validate: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - prepare | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJson(needs.prepare.outputs.validate-includes) }} | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v5 | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - | |
| name: Validate | |
| uses: docker/bake-action@v6 | |
| with: | |
| source: . | |
| targets: ${{ matrix.target }} | |
| set: | | |
| *.platform=${{ matrix.platforms }} | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - | |
| name: Test | |
| uses: docker/bake-action@v6 | |
| with: | |
| source: . | |
| targets: test | |
| pull: true | |
| - | |
| name: Upload coverage | |
| uses: codecov/codecov-action@v5 | |
| with: | |
| directory: ${{ env.DESTDIR }}/coverage | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| govulncheck: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # same as global permission | |
| contents: read | |
| # required to write sarif report | |
| security-events: write | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v5 | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - | |
| name: Run | |
| uses: docker/bake-action@v6 | |
| with: | |
| source: . | |
| targets: govulncheck | |
| env: | |
| GOVULNCHECK_FORMAT: sarif | |
| - | |
| name: Upload SARIF report | |
| if: ${{ github.ref == 'refs/heads/master' }} | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: ${{ env.DESTDIR }}/govulncheck.out | |
| artifact: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - prepare | |
| - validate | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJson(needs.prepare.outputs.artifact-includes) }} | |
| steps: | |
| - | |
| name: Prepare | |
| run: | | |
| platform=${{ matrix.platforms }} | |
| echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| - | |
| name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - | |
| name: Build | |
| uses: docker/bake-action@v6 | |
| with: | |
| source: . | |
| targets: artifact | |
| provenance: mode=max | |
| sbom: true | |
| pull: true | |
| set: | | |
| *.platform=${{ matrix.platforms }} | |
| - | |
| name: Rename provenance and sbom | |
| working-directory: ${{ env.DESTDIR }}/artifact | |
| run: | | |
| binname=$(find . -name 'diun_*') | |
| filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//') | |
| mv "provenance.json" "${filename}.provenance.json" | |
| mv "sbom-binary.spdx.json" "${filename}.sbom.json" | |
| find . -name 'sbom*.json' -exec rm {} \; | |
| - | |
| name: List artifacts | |
| run: | | |
| tree -nh ${{ env.DESTDIR }} | |
| - | |
| name: Upload artifact | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: diun-${{ env.PLATFORM_PAIR }} | |
| path: ${{ env.DESTDIR }} | |
| if-no-files-found: error | |
| release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # required to create GitHub release | |
| contents: write | |
| needs: | |
| - artifact | |
| - test | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v5 | |
| - | |
| name: Download artifacts | |
| uses: actions/download-artifact@v6 | |
| with: | |
| path: ${{ env.DESTDIR }} | |
| pattern: diun-* | |
| merge-multiple: true | |
| - | |
| name: List artifacts | |
| run: | | |
| tree -nh ${{ env.DESTDIR }} | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - | |
| name: Build | |
| uses: docker/bake-action@v6 | |
| with: | |
| source: . | |
| targets: release | |
| provenance: false | |
| - | |
| name: GitHub Release | |
| uses: softprops/action-gh-release@v2 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| draft: true | |
| files: | | |
| ${{ env.DESTDIR }}/release/* | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| image-prepare: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| repo-slugs: | | |
| ${{ env.DOCKERHUB_SLUG }} | |
| ${{ env.GHCR_SLUG }} | |
| steps: | |
| # FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671 | |
| - run: echo "Exposing env vars for reusable workflow" | |
| image: | |
| uses: docker/github-builder-experimental/.github/workflows/bake.yml@main | |
| permissions: | |
| contents: read # same as global permission | |
| id-token: write # for signing attestation manifests and registry authentication if needed with GitHub OIDC Token | |
| packages: write # for pushing manifests to GHCR if needed (caller must provide the same permissions used in the reusable workflow) | |
| needs: | |
| - image-prepare | |
| - artifact | |
| - test | |
| with: | |
| target: image-all | |
| output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }} | |
| set-meta-labels: true | |
| meta-images: | | |
| ${{ needs.image-prepare.outputs.repo-slugs }} | |
| meta-tags: | | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=ref,event=pr | |
| type=edge | |
| meta-labels: | | |
| org.opencontainers.image.title=Diun | |
| org.opencontainers.image.description=Docker image update notifier | |
| org.opencontainers.image.vendor=CrazyMax | |
| bake-sbom: true | |
| secrets: | |
| registry-auths: | | |
| - registry: docker.io | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| scout: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.ref == 'refs/heads/master' }} | |
| permissions: | |
| # same as global permission | |
| contents: read | |
| # required to write sarif report | |
| security-events: write | |
| needs: | |
| - image | |
| steps: | |
| - | |
| name: Login to DockerHub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - | |
| name: Scout | |
| id: scout | |
| uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4 | |
| with: | |
| version: ${{ env.SCOUT_VERSION }} | |
| format: sarif | |
| image: registry://${{ env.DOCKERHUB_SLUG }}:edge | |
| - | |
| name: Upload SARIF report | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: ${{ steps.scout.outputs.result-file }} |