msml/.github/workflows/release.yml at main · spejder/msml · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
name: Docker build and push

on:
  workflow_run:
    workflows: ["Linting, analysis, tests"]
    branches: [main]
    types:
      - completed

permissions:
  contents: write
  packages: write
  security-events: write

jobs:
  build:
    name: Docker build and push
    if: >
      ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-24.04
    steps:
    - uses: actions/checkout@v6
      with:
        fetch-depth: 0
    - name: Bump version and push tag
      uses: anothrNick/github-tag-action@1.75.0
      id: version
      env:
        GITHUB_TOKEN: ${{ github.token }}
        WITH_V: true
        DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        DEFAULT_BUMP: patch
    - name: Set up Docker Buildx
      id: buildx
      uses: docker/setup-buildx-action@master
    - name: Login to DockerHub
      uses: docker/login-action@v4
      with:
        registry: ghcr.io
        username: ${{ github.repository_owner }}
        password: ${{ github.token }}
    - name: Build and push Docker images
      uses: docker/build-push-action@v7
      with:
        builder: ${{ steps.buildx.outputs.name }}
        push: true
        context: .
        labels: |
          org.opencontainers.image.source=https://github.com/${{ github.repository }}
          org.opencontainers.image.version=${{ steps.version.outputs.tag || github.sha }}
          org.opencontainers.image.revision=${{ github.sha }}
        tags: |
          ghcr.io/${{ github.repository }}:latest
          ghcr.io/${{ github.repository }}:${{ steps.version.outputs.tag || github.sha }}
    - name: Build ChangeLog
      if: ${{ steps.version.outputs.new_tag != '' }}
      run: npx conventional-changelog-cli --release-count=2 --outfile="${{ runner.temp }}/ChangeLog.md"
    - name: Create release
      if: ${{ steps.version.outputs.new_tag != '' }}
      uses: ncipollo/release-action@v1
      with:
        token: ${{ github.token }}
        tag: ${{ steps.version.outputs.new_tag }}
        name: Release ${{ steps.version.outputs.new_tag }}
        bodyFile: ${{ runner.temp }}/ChangeLog.md
    - name: Anchore Container Vulnerability Scan
      uses: anchore/scan-action@v7
      id: scan
      with:
        image: ghcr.io/${{ github.repository }}:${{ steps.version.outputs.tag || github.sha }}
        severity-cutoff: critical
        fail-build: false
    - name: Upload Anchore Container Vulnerability Scan SARIF report
      uses: github/codeql-action/upload-sarif@v4
      with:
        sarif_file: ${{ steps.scan.outputs.sarif }}