Docker #1786
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Docker | |
| on: | |
| push: | |
| pull_request: | |
| schedule: | |
| - cron: "0 0 * * 0" | |
| workflow_dispatch: | |
| permissions: {} | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| jobs: | |
| docker-build-push: | |
| if: ${{ ! startsWith(github.ref, 'refs/tags/') }} | |
| permissions: | |
| # Required to create a release | |
| contents: write | |
| # Required to sign the Docker image | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Set IMAGE | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}" | |
| - name: Free disk space | |
| run: | | |
| sudo rm -rf /usr/share/dotnet # not using .NET | |
| sudo rm -rf /usr/local/lib/android # not building Android | |
| sudo rm -rf /opt/ghc # not using Haskell | |
| docker system prune -af --volumes | |
| sudo apt-get clean | |
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - name: Set SOURCE_DATE_EPOCH | |
| run: | | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV}" | |
| - if: github.ref == 'refs/heads/main' | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 | |
| - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 | |
| - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 | |
| id: meta | |
| with: | |
| images: ${{ github.repository_owner }}/${{ env.IMAGE }} | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=sha | |
| - name: Test the Docker image | |
| working-directory: ${{ env.IMAGE }} | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| docker compose -f docker-compose.test.yml run sut | |
| - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 | |
| if: github.ref == 'refs/heads/main' | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| id: build | |
| with: | |
| # zizmor: ignore[template-injection] no user input | |
| context: ${{ env.IMAGE }} | |
| platforms: linux/amd64,linux/arm64 | |
| pull: true | |
| push: ${{ github.ref == 'refs/heads/main' }} | |
| sbom: true | |
| provenance: mode=max | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Sign the Docker image | |
| if: github.ref == 'refs/heads/main' | |
| working-directory: ${{ env.IMAGE }} | |
| env: | |
| DIGEST: ${{ steps.build.outputs.digest }} | |
| TAGS: ${{ steps.meta.outputs.tags }} | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| images=() | |
| for tag in ${TAGS}; do | |
| images+=("${tag}@${DIGEST}") | |
| done | |
| cosign sign --recursive --yes "${images[@]}" | |
| - name: Set VERSION | |
| if: github.ref == 'refs/heads/main' | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| VERSION="$(\grep "${IMAGE}/Dockerfile" -e '^FROM' | \head -n 1 | \sed -e 's/\-[A-Za-z][A-Za-z0-9]*@.*$//; s/^.*://;')" | |
| if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]\.[0-9]+$ ]] ; then | |
| echo "VERSION=${VERSION}" >> "${GITHUB_ENV}" | |
| elif [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+$ ]] ; then | |
| echo "VERSION=${VERSION}.0" >> "${GITHUB_ENV}" | |
| fi | |
| - name: Check if release already exists | |
| if: env.VERSION != '' | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| id: check-release | |
| with: | |
| script: | | |
| const { VERSION } = process.env | |
| return github.rest.repos.getReleaseByTag({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| tag: `v${VERSION}`, | |
| }).then(function(result) { | |
| core.debug(JSON.stringify(result)) | |
| core.info(`Release ${result.data.tag_name} found`) | |
| return result.data.tag_name | |
| }).catch(function(error) { | |
| if (error.status === 404) { | |
| core.info(`Release v${VERSION} not found`) | |
| return | |
| } else { | |
| throw error | |
| } | |
| }) | |
| result-encoding: string | |
| - name: Trigger Release | |
| if: env.VERSION != '' && steps.check-release.outputs.result == 'undefined' | |
| uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} | |
| with: | |
| release_name: ${{ env.VERSION }} | |
| tag_name: v${{ env.VERSION }} |