Skip to content

ci(ossf): configured GitHub action and badge for OpenSSF scorecard #1

ci(ossf): configured GitHub action and badge for OpenSSF scorecard

ci(ossf): configured GitHub action and badge for OpenSSF scorecard #1

name: example-supply-chain-app-publish
on:
push:
# Publish `main` as Docker `latest` image.
branches:
- main
# Publish `v1.2.3` tags as releases.
tags:
- v*
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
env:
IMAGE_NAME: cactus-example-supply-chain-app
jobs:
# Push image to GitHub Packages.
# See also https://docs.docker.com/docker-hub/builds/
build-tag-push-container:
runs-on: ubuntu-22.04
env:
DOCKER_BUILDKIT: 1
DOCKERFILE_PATH: ./examples/cactus-example-supply-chain-backend/Dockerfile
DOCKER_BUILD_DIR: ./
permissions:
packages: write
contents: read
steps:
- uses: actions/checkout@v4.1.1
- name: Build image
run: docker build "$DOCKER_BUILD_DIR" --file "$DOCKERFILE_PATH" --tag "$IMAGE_NAME" --label "runnumber=${GITHUB_RUN_ID}"
- name: Log in to registry
# This is where you will update the PAT to GITHUB_TOKEN
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Push image
run: |
SHORTHASH=$(git rev-parse --short "$GITHUB_SHA")
TODAYS_DATE="$(date +%F)"
DOCKER_TAG="$TODAYS_DATE-$SHORTHASH"
IMAGE_ID="ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME"
# Change all uppercase to lowercase
IMAGE_ID=$(echo "$IMAGE_ID" | tr '[:upper:]' '[:lower:]')
# Strip git ref prefix from version
VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
# Strip "v" prefix from tag name
[[ "${{ github.ref }}" == "refs/tags/*" ]] && VERSION="${VERSION//^v//}"
# Do not use the `latest` tag at all, tag with date + git short hash if there is no git tag
[ "$VERSION" == "main" ] && VERSION=$DOCKER_TAG
echo IMAGE_ID="$IMAGE_ID"
echo VERSION="$VERSION"
docker tag "$IMAGE_NAME" "$IMAGE_ID:$VERSION"
docker push "$IMAGE_ID:$VERSION"