chore(main): release 5.6.2 #2275
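---
# Build & Push: builds the cpp/rust devcontainer images for linux/amd64 and
# linux/arm64, pushes them to GHCR (skipped on merge_group), attaches a BuildKit
# SBOM plus a SLSA build-provenance attestation, and verifies that attestation
# before the (PR-only) acceptance test runs against the cpp image.
name: Build & Push
on:
  merge_group:
  pull_request:
  push:
    tags: ["v*.*.*"]
  workflow_dispatch:
concurrency:
  # One in-flight run per ref; a newer push to the same ref cancels the older one.
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true
# Workflow-level default is read-only; the build job opts into the writes it needs.
permissions:
  contents: read
env:
  REGISTRY: ghcr.io
jobs:
  build-push:
    # The ARM64 build segfaults with Ubuntu 24.04, so use 22.04 (for now)
    runs-on: ubuntu-22.04
    # NOTE(review): this job runs on pull_request with a write-capable token.
    # checkout uses persist-credentials: false so the token is not left in the
    # work tree, but every step below still runs with these scopes. For
    # pull_request runs from forks GITHUB_TOKEN is read-only, so the login/push
    # steps are expected to fail there — confirm fork PRs are not a target.
    permissions:
      attestations: write
      # dependency-submission needs contents write permission.
      contents: write
      # attest-build-provenance needs id-token write permission.
      id-token: write
      packages: write
      pull-requests: write
    strategy:
      matrix:
        flavor: ["cpp", "rust"]
    steps:
      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          # `audit` only records egress; it does not enforce. Switch to `block`
          # with an allowed-endpoints list once the endpoint set is known.
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Do not leave GITHUB_TOKEN in .git/config for later steps/tools.
          persist-credentials: false
      - uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        # Nothing is pushed for merge_group, so no registry login is needed.
        if: github.event_name != 'merge_group'
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # ccache for the cpp image is persisted through the Actions cache and
      # injected into the BuildKit build by buildkit-cache-dance.
      - uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
        if: matrix.flavor == 'cpp'
        id: buildkit-cache
        with:
          path: root-ccache
          # Always a fresh key per run; restore-keys falls back to the newest
          # previous ccache so builds stay incremental.
          key: buildkit-cache-${{ github.run_id }}
          restore-keys: |
            buildkit-cache
      - uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de # v3.1.2
        if: matrix.flavor == 'cpp'
        with:
          cache-map: |
            {
              "root-ccache": "/root/.ccache"
            }
          skip-extraction: ${{ steps.buildkit-cache.outputs.cache-hit }}
      - uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
        id: metadata
        env:
          # Emit OCI annotations on both the per-platform manifests and the index.
          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
        with:
          images: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
          # Generate Docker tags based on the following events/attributes
          tags: |
            type=raw,value=latest,enable={{is_default_branch}}
            type=ref,event=pr
            type=semver,pattern={{raw}}
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
      # Generate image LABEL for devcontainer.metadata
      # the sed expression is a workaround for quotes being eaten in arrays (e.g. ["x", "y", "z"] -> ["x",y,"z"])
      # Expression values are passed through env rather than interpolated into the
      # script, so the shell never sees `${{ }}` substitutions. `shell: bash`
      # enables pipefail so a failing jq cannot silently yield an empty label.
      - id: devcontainer-metadata
        shell: bash
        env:
          FLAVOR: ${{ matrix.flavor }}
        run: |
          metadata="$(jq -cj '[.]' ".devcontainer/${FLAVOR}/devcontainer-metadata-vscode.json" | sed 's/,"/, "/g')"
          echo "metadata=${metadata}" >> "$GITHUB_OUTPUT"
      # Commit timestamp feeds SOURCE_DATE_EPOCH for reproducible image timestamps.
      - id: devcontainer-epoch
        run: echo "git-commit-epoch=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
      - uses: docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6.14.0
        id: build-and-push
        env:
          SOURCE_DATE_EPOCH: ${{ steps.devcontainer-epoch.outputs.git-commit-epoch }}
        with:
          file: .devcontainer/${{ matrix.flavor }}/Dockerfile
          platforms: linux/amd64,linux/arm64
          # merge_group builds are verification only; nothing lands in the registry.
          push: ${{ github.event_name != 'merge_group' }}
          tags: ${{ steps.metadata.outputs.tags }}
          labels: |
            ${{ steps.metadata.outputs.labels }}
            devcontainer.metadata=${{ steps.devcontainer-metadata.outputs.metadata }}
          annotations: ${{ steps.metadata.outputs.annotations }}
          sbom: true
          # Layer cache is scoped per image so cpp and rust never share entries.
          cache-from: type=gha,scope=${{ github.repository }}-${{ matrix.flavor }}
          cache-to: type=gha,mode=max,scope=${{ github.repository }}-${{ matrix.flavor }}
      - uses: ./.github/actions/container-size-diff
        id: container-size-diff
        with:
          from-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}:latest
          # Compare by digest, not tag, so the diff is against exactly what was built.
          to-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
      - uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
        with:
          header: container-size-diff-${{ matrix.flavor }}
          message: |
            ${{ steps.container-size-diff.outputs.size-diff-markdown }}
      # Generate an SBOM from the pushed image (by digest) and submit it to the
      # dependency graph; this is what needs contents: write.
      - uses: anchore/sbom-action@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
        if: steps.build-and-push.outputs.digest != '' && github.event_name != 'merge_group'
        with:
          image: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
          dependency-snapshot: true
      - uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
        if: github.event_name == 'pull_request'
        with:
          comment-summary-in-pr: on-failure
          fail-on-severity: critical
      # Sign provenance for the exact digest that was pushed and store it in the registry.
      - uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
        if: github.event_name != 'merge_group'
        with:
          subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
          subject-digest: ${{ steps.build-and-push.outputs.digest }}
          push-to-registry: true
      # Round-trip check: the attestation just pushed must verify for this repo.
      # NOTE(review): `--repo` accepts provenance from any workflow in the repo;
      # `--signer-workflow` would pin it to this workflow — consider adding it.
      - name: Verify attestation
        if: github.event_name != 'merge_group'
        env:
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
          FLAVOR: ${{ matrix.flavor }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: |
          gh attestation verify --repo "$REPO" "oci://${REGISTRY}/${REPO}-${FLAVOR}@${DIGEST}"
  acceptance-test:
    if: github.event_name == 'pull_request'
    needs: build-push
    secrets: inherit
    uses: ./.github/workflows/acceptance-test.yml
    with:
      flavor: cpp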