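---
# Build and test the Docker image on every trigger; on main additionally push
# it to Docker Hub, sign it with cosign, and create a GitHub release when the
# base-image version in the Dockerfile has no release yet.
name: Docker

on:
  push:
  pull_request:
  schedule:
    - cron: "0 0 * * 0"
  workflow_dispatch:

# Deny all token permissions by default; the job grants only what it needs.
permissions: {}

env:
  DOCKER_BUILDKIT: "1"

jobs:
  docker-build-push:
    # Skip runs triggered by tag refs.
    if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
    # Job permissions cannot be made conditional, so these apply to every
    # trigger (including pull_request); the steps that use them are gated on
    # main below.
    permissions:
      # Required to create a release
      # NOTE(review): the release step uses secrets.RELEASE_TOKEN rather than
      # github.token, so confirm contents: write is still needed here.
      contents: write
      # Required to sign the Docker image (cosign keyless signing, no --key,
      # obtains its identity from the OIDC token)
      id-token: write
    runs-on: ubuntu-latest
    steps:
      # IMAGE is the repository name with its "docker-" prefix removed; it is
      # used below as the build context directory and as the image name.
      - name: Set IMAGE
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"

      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 1
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false

      # Use the HEAD commit's committer time as SOURCE_DATE_EPOCH so build
      # timestamps are derived from the source rather than the run time.
      - name: Set SOURCE_DATE_EPOCH
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV}"

      # cosign is only needed on main, where the image is pushed and signed.
      - if: github.ref == 'refs/heads/main'
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        id: meta
        with:
          images: ${{ github.repository_owner }}/${{ env.IMAGE }}
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=sha

      # Runs on every trigger and before the push step, so a failing test
      # blocks publication.
      - name: Test the Docker image
        working-directory: ${{ env.IMAGE }}
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          docker compose -f docker-compose.test.yml run sut

      - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        if: github.ref == 'refs/heads/main'
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        id: build
        with:
          # zizmor: ignore[template-injection] no user input
          context: ${{ env.IMAGE }}
          platforms: linux/amd64,linux/arm64
          # Always re-pull referenced base images so the build uses the
          # newest content behind a tag.
          pull: true
          # Only main publishes; every other ref builds and tests only.
          push: ${{ github.ref == 'refs/heads/main' }}
          # Attach SBOM and max-detail provenance attestations to the image.
          sbom: true
          provenance: mode=max
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Sign each tag by digest so the signature is bound to the exact image
      # that was built; --recursive also covers the per-platform manifests.
      - name: Sign the Docker image
        if: github.ref == 'refs/heads/main'
        working-directory: ${{ env.IMAGE }}
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          # TAGS is a newline-separated list (see the metadata-action input);
          # IFS above makes the unquoted expansion split on newlines only.
          images=()
          for tag in ${TAGS}; do
            images+=("${tag}@${DIGEST}")
          done
          cosign sign --recursive --yes "${images[@]}"

      # VERSION is taken from the first FROM line of the Dockerfile: the digest
      # and everything up to the last ':' are stripped, and the value is only
      # exported when it is a strict X.Y.Z string.
      - name: Set VERSION
        if: github.ref == 'refs/heads/main'
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          VERSION="$(\grep "${IMAGE}/Dockerfile" -e '^FROM' | \head -n 1 | \sed -e 's/@.*$//; s/^.*://;')"
          if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] ; then
            echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"
          fi

      # Look up the release tagged v${VERSION}. The step output is the existing
      # tag name, or an empty string when GitHub returns 404; any other API
      # error fails the step. Only runs when the previous step exported VERSION.
      - name: Check if release already exists
        if: env.VERSION != ''
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        id: check-release
        with:
          script: |
            const { VERSION } = process.env
            return github.rest.repos.getReleaseByTag({
              owner: context.repo.owner,
              repo: context.repo.repo,
              tag: `v${VERSION}`,
            }).then(function(result) {
              core.debug(JSON.stringify(result))
              core.info(`Release ${result.data.tag_name} found`)
              return result.data.tag_name
            }).catch(function(error) {
              if (error.status === 404) {
                core.info(`Release v${VERSION} not found`)
                // Return an explicit empty string instead of undefined so the
                // "Trigger Release" condition compares against '' rather than
                // the stringified literal 'undefined'.
                return ''
              } else {
                throw error
              }
            })
          result-encoding: string

      # NOTE(review): actions/create-release is archived upstream; consider a
      # maintained replacement when next touching this workflow.
      - name: Trigger Release
        if: env.VERSION != '' && steps.check-release.outputs.result == ''
        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
        env:
          # NOTE(review): presumably a dedicated token so the created release
          # can trigger other workflows (events from github.token do not) —
          # confirm against the repository's secrets.
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        with:
          release_name: ${{ env.VERSION }}
          tag_name: v${{ env.VERSION }}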