Merge pull request #52 from RadCod3/feat/47-persist-oauth-tokens #34
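---
# Build and publish the project's container image to GHCR.
#
# Triggers: pushes to `main` (published as `edge`) and `v*` tags (published
# under their semver tags plus `latest`). There is no pull_request trigger in
# this file, so the `github.event_name != 'pull_request'` guards below only
# matter if one is added later.
name: Build and Publish Docker Image

on:
  push:
    branches:
      - main
    tags:
      - "v*"

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege: read the repo, push packages, upload SARIF. Nothing in
    # this job writes back to the repository, so `contents` stays read-only.
    permissions:
      contents: read
      packages: write
      security-events: write
    outputs:
      image-tags: ${{ steps.meta.outputs.tags }}
      image-version: ${{ steps.meta.outputs.version }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # No later step runs git with credentials, so do not leave the
          # GITHUB_TOKEN in .git/config where a build context that includes
          # .git could copy it into an image layer.
          persist-credentials: false

      # Refuse to publish a vX.Y.Z tag whose version differs from
      # pyproject.toml, so the image tag and the packaged version cannot drift.
      - name: Validate version tag
        if: startsWith(github.ref, 'refs/tags/v')
        run: |
          # Extract version from tag (e.g., v0.1.0 -> 0.1.0). $GITHUB_REF is an
          # environment variable, not a `${{ }}` expression, so the ref name is
          # never spliced into the script text.
          TAG_VERSION=${GITHUB_REF#refs/tags/v}
          echo "Tag version: $TAG_VERSION"
          # Extract version from pyproject.toml (expects `version = "X.Y.Z"`).
          PYPROJECT_VERSION=$(grep '^version = ' pyproject.toml | cut -d'"' -f2)
          if [ -z "$PYPROJECT_VERSION" ]; then
            echo "::error::Could not read a double-quoted 'version = ' line from pyproject.toml"
            exit 1
          fi
          echo "pyproject.toml version: $PYPROJECT_VERSION"
          # Compare versions
          if [ "$TAG_VERSION" != "$PYPROJECT_VERSION" ]; then
            echo "::error::Version mismatch! Tag version ($TAG_VERSION) doesn't match pyproject.toml version ($PYPROJECT_VERSION)"
            exit 1
          fi
          echo "::notice::Version validation passed: $TAG_VERSION"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Container Registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          flavor: |
            latest=false
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=raw,value=edge,enable={{is_default_branch}}
            # Only final releases move `latest`; a pre-release tag such as
            # v1.2.0-rc1 (anything with a `-`) must not overwrite it.
            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-') }}

      - name: Build and push Docker image
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            BUILDKIT_INLINE_CACHE=1

      # Work out what to scan. Prefer the digest of the image this run just
      # pushed over a mutable tag (`edge`, `X.Y.Z`), so a concurrent push
      # cannot swap the image under the scanner. Values reach the shell via
      # environment variables rather than `${{ }}` interpolation.
      - name: Determine scan reference
        id: scan-tag
        if: github.event_name != 'pull_request'
        env:
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          # Lowercase the image name (Docker registries require lowercase)
          IMAGE_NAME_LOWER=$(echo "$IMAGE_NAME" | tr '[:upper:]' '[:lower:]')
          if [ -n "$IMAGE_DIGEST" ]; then
            SCAN_REF="${REGISTRY}/${IMAGE_NAME_LOWER}@${IMAGE_DIGEST}"
          elif [[ "$GITHUB_REF" == refs/tags/* ]]; then
            # Fallback: use the version tag if this is a tag push ...
            TAG="${GITHUB_REF#refs/tags/}"
            SCAN_REF="${REGISTRY}/${IMAGE_NAME_LOWER}:${TAG#v}"
          else
            # ... otherwise use edge
            SCAN_REF="${REGISTRY}/${IMAGE_NAME_LOWER}:edge"
          fi
          # Output name kept as `tag` for the downstream steps.
          echo "tag=$SCAN_REF" >> "$GITHUB_OUTPUT"
          echo "Scanning image: $SCAN_REF"

      # NOTE(review): this scan runs after the image is already public and sets
      # no `exit-code`, so findings are reported but never block publication.
      # Add `exit-code: "1"` with a severity filter if it should gate releases.
      - name: Run security scan on image
        if: github.event_name != 'pull_request'
        # Pinned to a release tag instead of the mutable `master` branch so a
        # compromised or changed upstream cannot silently run here; a full
        # commit SHA is the stronger pin — check the action's releases page.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ steps.scan-tag.outputs.tag }}
          format: "sarif"
          output: "trivy-results.sarif"

      - name: Upload Trivy scan results to GitHub Security tab
        if: github.event_name != 'pull_request'
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: "trivy-results.sarif"

      - name: Generate build summary
        if: github.event_name != 'pull_request'
        env:
          IMAGE_TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          {
            echo "## Docker Build Summary"
            echo "- **Image**: \`${REGISTRY}/${IMAGE_NAME}\`"
            echo "- **Tags**: \`${IMAGE_TAGS}\`"
            echo "- **Platforms**: \`linux/amd64, linux/arm64\`"
            echo "- **Registry**: \`${REGISTRY}\`"
          } >> "$GITHUB_STEP_SUMMARY"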