---
# Container image pipeline: lint the Dockerfile, then build, publish,
# attest and scan the image. Pull-request and merge-queue runs only build;
# every other trigger pushes the result to GHCR.
name: Docker

on:  # yamllint disable-line rule:truthy
  pull_request:
  merge_group:
  workflow_dispatch:
  # Nightly rebuild at 00:00 UTC (tagged by the `type=schedule` rule below).
  schedule:
    - cron: "0 0 * * *"
  push:
    branches: ["main"]
  release:
    types: [published]

# Workflow-wide default; the build job widens this per scope below.
permissions: read-all

jobs:
  lint:
    name: Lint Dockerfile
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
      - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5  # v3.3.0

  build:
    name: Build and publish
    runs-on: ubuntu-24.04-arm
    # Only the scopes this job uses: registry push, SBOM/provenance attestation
    # (OIDC token), and uploading scan results to code scanning.
    permissions:
      contents: read
      packages: write
      attestations: write
      id-token: write
      security-events: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

      # Registry login with the job-scoped token; no long-lived secret involved.
      - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a  # v4.0.0
      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0

      # Derive image tags and OCI annotations from the triggering event.
      - id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf  # v6.0.0
        env:
          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=schedule
            type=semver,pattern={{raw}}
            type=semver,pattern=v{{major}}.{{minor}}
            type=semver,pattern=v{{major}}
            type=ref,event=branch
            type=ref,event=pr
            # on.schedule: nightly
            # on.push:tag: latest (auto), v1.2.3, v.1,2, v.1
            # on.push.branch: branchName
            # on.pull_request: pr-number (won't be pushed)

      # Build via bake; the generated bake files carry the tags/annotations
      # from the metadata step. Push is skipped for PR and merge-queue runs.
      - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7  # v7.0.0
        with:
          push: ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }}
          files: |
            cwd://${{ steps.meta.outputs.bake-file }}
            cwd://${{ steps.meta.outputs.bake-file-annotations }}
            ./docker-bake.hcl
          sbom: true
          provenance: true
          set: |
            *.cache-from=type=gha
            *.cache-to=type=gha,mode=max

      # Vulnerability scan of the pushed image. Findings are reported, not
      # enforced (fail-build: false), so they must be reviewed in code scanning.
      - id: scan
        if: ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }}
        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c  # v7.3.2
        with:
          # NOTE(review): the repository name is hard-coded here while the
          # metadata step derives it from github.repository — keep the two in sync.
          image: "ghcr.io/bsstudio/robonaut-server:${{ env.DOCKER_METADATA_OUTPUT_VERSION }}"
          cache-db: true
          severity-cutoff: "high"
          fail-build: false

      # Same guard as the scan step: there is no SARIF to upload on PR/merge-queue runs.
      - if: ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }}
        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98  # v4.32.6
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}