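---
# Reusable workflow: builds a multi-platform image, pushes it to Docker Hub and
# GHCR, and (for non-PR events) publishes a saved image tarball, an SBOM and a
# vulnerability report as release assets. Invoked from another workflow via
# `uses:` together with `with:` / `secrets:`.
name: Build and Push Docker Image
on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      image_name:
        description: Image repository name (no registry or owner prefix)
        required: true
        type: string
      platforms:
        description: Comma-separated buildx target platforms
        # A `default` only takes effect for optional inputs; combining it with
        # `required: true` forced every caller to repeat the default value.
        required: false
        type: string
        default: linux/amd64,linux/arm64
    secrets:
      # NOTE(review): the Docker Hub username is declared as a secret, so GitHub
      # masks it in logs — including inside the generated `tags` output. Make it
      # an input instead if readable tag names in logs are wanted.
      DOCKER_USERNAME:
        required: true
      DOCKER_TOKEN:
        required: true
      # `GITHUB_TOKEN` is a system-reserved name and cannot be declared under
      # `workflow_call.secrets` (the workflow failed validation on it). The
      # caller's token is passed to a reusable workflow implicitly, so every
      # `secrets.GITHUB_TOKEN` reference below keeps working without it.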
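jobs:
  build-and-push:
    runs-on: ubuntu-latest
    # Job-scoped least privilege: `packages: write` pushes to ghcr.io and
    # `contents: write` is required by `gh release upload` below (presumably also
    # by update_version.py / publish_release.py, which are not shown here).
    permissions:
      contents: write
      packages: write
    defaults:
      run:
        # An explicit `bash` shell runs scripts with `-eo pipefail`, so a failing
        # `jq` in the tag pipeline fails the step instead of silently producing
        # an empty tag list.
        shell: bash
    steps:
      # NOTE(review): actions are referenced by mutable major tags (@v3/@v4/@v5).
      # Pin each `uses:` to a full commit SHA for supply-chain integrity.
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Update version
        id: version
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # NOTE(review): unpinned `pip install` resolves to whatever is newest;
          # pin a version (ideally with --require-hashes) for reproducible builds.
          pip install requests
          chmod +x .github/workflows/build-push/update_version.py
          .github/workflows/build-push/update_version.py
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate Docker Tags
        id: meta
        # Expression values are handed to the script through `env` instead of
        # being interpolated into the script text: a quote or shell metacharacter
        # in a tag, the image name or the owner can then not break out of the
        # command (GitHub Actions script injection).
        env:
          TAGS_JSON: ${{ steps.version.outputs.tags }}
          IMAGE_NAME: ${{ inputs.image_name }}
          DOCKERHUB_USER: ${{ secrets.DOCKER_USERNAME }}
          REPO_OWNER: ${{ github.repository_owner }}
        run: |
          # Registry namespaces must be lowercase; the GitHub owner may not be.
          owner_lc=$(echo "$REPO_OWNER" | tr '[:upper:]' '[:lower:]')
          # Prefixes are passed with `--arg`: the original built the GHCR prefix
          # inside a single-quoted jq program, so `$REPO_OWNER` was never
          # expanded by the shell and ended up literally in the tag.
          dockerhub_tags=$(echo "$TAGS_JSON" | jq -r --arg p "${DOCKERHUB_USER}/${IMAGE_NAME}:" '.[] | $p + .')
          ghcr_tags=$(echo "$TAGS_JSON" | jq -r --arg p "ghcr.io/${owner_lc}/${IMAGE_NAME}:" '.[] | $p + .')
          all_tags=$(printf '%s\n%s\n' "$dockerhub_tags" "$ghcr_tags" | paste -sd "," -)
          echo "tags=${all_tags}" >> "$GITHUB_OUTPUT"
      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: src
          platforms: ${{ inputs.platforms }}
          # Pull requests only build; pushing (and everything that depends on a
          # pushed image below) is reserved for non-PR events of the caller.
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: |
            org.opencontainers.image.title=${{ inputs.image_name }}
            org.opencontainers.image.version=${{ steps.version.outputs.full_version }}
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Save Docker image
        # The image exists in the registry only when it was pushed; on PR events
        # `docker pull` would fail, so the whole publishing chain is skipped.
        if: github.event_name != 'pull_request'
        env:
          VERSION: ${{ steps.version.outputs.full_version }}
          IMAGE_NAME: ${{ inputs.image_name }}
          REPO_OWNER: ${{ github.repository_owner }}
        run: |
          owner_lc=$(echo "$REPO_OWNER" | tr '[:upper:]' '[:lower:]')
          ghcr_tag="ghcr.io/${owner_lc}/${IMAGE_NAME}:${VERSION}"
          # NOTE(review): pulling a multi-platform image fetches only the
          # runner's platform, so the saved tarball is single-arch.
          docker pull "$ghcr_tag"
          docker save "$ghcr_tag" -o "${IMAGE_NAME}.tar"
      # NOTE(review): the two generator scripts are not shown; if they can work
      # from the local build rather than the pushed image, drop their `if:` so
      # PRs still get an SBOM and a vulnerability report.
      - name: Generate SBOM
        if: github.event_name != 'pull_request'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          FULL_VERSION: ${{ steps.version.outputs.full_version }}
        run: |
          chmod +x .github/workflows/build-push/generate_sbom.py
          .github/workflows/build-push/generate_sbom.py
      - name: Generate Vulnerability Report
        if: github.event_name != 'pull_request'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          FULL_VERSION: ${{ steps.version.outputs.full_version }}
        run: |
          chmod +x .github/workflows/build-push/generate_vulnerability_report.py
          .github/workflows/build-push/generate_vulnerability_report.py
      - name: Create Release
        id: release
        if: github.event_name != 'pull_request'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          chmod +x .github/workflows/build-push/publish_release.py
          .github/workflows/build-push/publish_release.py
      - name: Upload release assets
        if: github.event_name != 'pull_request'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ steps.version.outputs.full_version }}
          IMAGE_NAME: ${{ inputs.image_name }}
        run: |
          cp .vulnerability_report.txt vulnerability_report.txt
          # Assumes publish_release.py created a release whose tag equals
          # full_version — TODO confirm against that script.
          gh release upload "$VERSION" \
            "${IMAGE_NAME}.tar" \
            ".sbom/sbom.json" \
            ".sbom/sbom.txt" \
            "vulnerability_report.txt"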