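---
# Builds the devcontainer image for each flavor in the matrix, publishes it to
# GHCR with an SBOM and a build-provenance attestation, and on pull requests
# reports the image size delta and runs the acceptance tests.
# Every third-party action is pinned to a full commit SHA; the trailing comment
# records the tag that SHA corresponds to.
name: Build & Push

on:
  merge_group:
  pull_request:
  push:
    tags: ["v*.*.*"]
  workflow_dispatch:

# One run per ref and workflow; a newer run on the same ref cancels the older one.
concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

# Workflow-wide default is read-only; the build job widens it explicitly below.
permissions:
  contents: read

env:
  REGISTRY: ghcr.io

jobs:
  build-push:
    runs-on: ubuntu-latest
    permissions:
      attestations: write
      # dependency-submission needs contents write permission.
      contents: write
      # attest-build-provenance needs id-token write permission.
      id-token: write
      # docker/login-action and build-push-action publish to ghcr.io.
      packages: write
      # presumably for the sticky size-diff comment and the dependency-review
      # summary; pull requests from forks get a read-only token regardless of
      # this block, so those steps may fail there — confirm.
      pull-requests: write
    strategy:
      matrix:
        flavor: ["cpp", "rust"]
    steps:
      # audit mode records the runner's outbound connections without blocking them.
      - uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit

      # The token is not written into .git/config, so later steps cannot reuse
      # it through git; the `git log` call below needs no credentials.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0

      # Merge-queue runs only build (see `push:` on the build step), so no login.
      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        if: github.event_name != 'merge_group'
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # ccache persistence is only wired up for the cpp flavor.
      - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        if: matrix.flavor == 'cpp'
        id: buildkit-cache
        with:
          path: root-ccache
          key: buildkit-cache-${{ github.run_id }}
          restore-keys: |
            buildkit-cache

      # Makes the restored host directory available inside the build as /root/.ccache.
      - uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de # v3.1.2
        if: matrix.flavor == 'cpp'
        with:
          cache-map: |
            {
              "root-ccache": "/root/.ccache"
            }
          skip-extraction: ${{ steps.buildkit-cache.outputs.cache-hit }}

      - uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
        id: metadata
        env:
          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
        with:
          images: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
          # Generate Docker tags based on the following events/attributes
          tags: |
            type=raw,value=latest,enable={{is_default_branch}}
            type=ref,event=pr
            type=semver,pattern={{raw}}
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}

      # Generate image LABEL for devcontainer.metadata
      # the sed expression is a workaround for quotes being eaten in arrays (e.g. ["x", "y", "z"] -> ["x",y,"z"])
      # The matrix value is handed to the shell through `env` rather than being
      # interpolated into the script text, so the script body is fixed
      # regardless of the value.
      - id: devcontainer-metadata
        env:
          FLAVOR: ${{ matrix.flavor }}
        run: echo "metadata=$(jq -cj '[.]' ".devcontainer/${FLAVOR}/devcontainer-metadata-vscode.json" | sed 's/,"/, "/g')" >> "$GITHUB_OUTPUT"

      # Commit timestamp, used as SOURCE_DATE_EPOCH for the image build below.
      - id: devcontainer-epoch
        run: echo "git-commit-epoch=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"

      # Multi-arch build; pushed on every event except merge_group.
      # `sbom: true` requests an SBOM attestation from buildx.
      - uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
        id: build-and-push
        env:
          SOURCE_DATE_EPOCH: ${{ steps.devcontainer-epoch.outputs.git-commit-epoch }}
        with:
          file: .devcontainer/${{ matrix.flavor }}/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name != 'merge_group' }}
          tags: ${{ steps.metadata.outputs.tags }}
          labels: |
            ${{ steps.metadata.outputs.labels }}
            devcontainer.metadata=${{ steps.devcontainer-metadata.outputs.metadata }}
          annotations: ${{ steps.metadata.outputs.annotations }}
          sbom: true
          cache-from: type=gha,scope=${{ github.repository }}-${{ matrix.flavor }}
          cache-to: type=gha,mode=max,scope=${{ github.repository }}-${{ matrix.flavor }}

      # Compares the published :latest image with the digest just built.
      # NOTE(review): unlike the SBOM step below, this has no guard on an empty
      # digest (e.g. merge_group runs, where push is false) — confirm the local
      # action tolerates that.
      - uses: ./.github/actions/container-size-diff
        id: container-size-diff
        with:
          from-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}:latest
          to-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}

      # NOTE(review): runs on every event, not only pull_request; presumably the
      # action is a no-op outside a PR context — confirm.
      - uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
        with:
          header: container-size-diff-${{ matrix.flavor }}
          message: |
            ${{ steps.container-size-diff.outputs.size-diff-markdown }}

      # Scans the pushed image and submits the result to the dependency graph
      # (dependency-snapshot), which is why the job has contents: write.
      - uses: anchore/sbom-action@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
        if: steps.build-and-push.outputs.digest != '' && github.event_name != 'merge_group'
        with:
          image: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
          dependency-snapshot: true

      # Fails the PR on critical-severity findings in dependency changes and
      # comments a summary only when it fails.
      - uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
        if: github.event_name == 'pull_request'
        with:
          comment-summary-in-pr: on-failure
          fail-on-severity: critical

      # Produces build provenance for the image digest (using the id-token
      # permission above) and stores it alongside the image in the registry.
      - uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
        if: github.event_name != 'merge_group'
        with:
          subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
          subject-digest: ${{ steps.build-and-push.outputs.digest }}
          push-to-registry: true

      # Round-trips the attestation: the digest just published must verify
      # against this repository. The image reference is handed to the shell
      # through `env` instead of being interpolated into the script text;
      # GITHUB_REPOSITORY is the runner's default variable for github.repository.
      - name: Verify attestation
        if: github.event_name != 'merge_group'
        env:
          GH_TOKEN: ${{ github.token }}
          IMAGE: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
        run: |
          gh attestation verify --repo "$GITHUB_REPOSITORY" "oci://${IMAGE}"

  # Pull requests only, cpp flavor only. `secrets: inherit` forwards every
  # repository secret to the called workflow.
  acceptance-test:
    if: github.event_name == 'pull_request'
    needs: build-push
    secrets: inherit
    uses: ./.github/workflows/acceptance-test.yml
    with:
      flavor: cpp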