# Docker CI: builds the container image for pushes to master, release tags,
# pull requests, manual runs and a nightly schedule.
name: Docker CI

# yamllint disable-line rule:truthy
on:
  schedule:
    # Nightly build at 10:00 UTC.
    - cron: '0 10 * * *'
  push:
    branches:
      - master
    paths-ignore:
      - '.github/**'
      - 'test/**'
      # Edits to this workflow file itself still trigger a build.
      - '!.github/workflows/docker.yml'
    tags:
      - '*.*.*'
  pull_request:
    branches:
      - master
    paths-ignore:
      - '.github/**'
      - 'test/**'
      - '!.github/workflows/docker.yml'
  workflow_dispatch:
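jobs:
  docker:
    # Pushes whose head commit message contains "[ci skip]" are skipped; every
    # other event (schedule, pull_request, tag push, manual run) builds.
    if: github.event_name != 'push' || !contains(github.event.head_commit.message, '[ci skip]')
    name: Build Docker image
    runs-on: ubuntu-latest
    # NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN gets
    # the repository's default scopes. From the steps below the job appears to
    # need only `contents: read` (checkout), `packages: read` (.npmrc token)
    # and `security-events: write` (upload-sarif) — confirm against the
    # submodules and repository visibility before restricting it.
    steps:
      - name: Checkout
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          submodules: true

      # Derives the image name, version and tag list from the triggering event
      # and publishes them as step outputs for the build, scan and push steps.
      - name: Prepare
        id: prep
        # Event data is handed to the script through environment variables
        # instead of being interpolated with ${{ }}, so a value such as a
        # fork's repository name or the sender login cannot change the shell
        # syntax of the script.
        env:
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          PR_NUMBER: ${{ github.event.number }}
          PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          PR_BASE_REPO: ${{ github.event.pull_request.base.repo.full_name }}
          SENDER_LOGIN: ${{ github.event.sender.login }}
        run: |
          DOCKER_IMAGE=myrotvorets/psb-api-identigraf-decoder
          VERSION=noop
          if [ "$GITHUB_EVENT_NAME" = "schedule" ]; then
            VERSION=nightly
          elif [[ $GITHUB_REF == refs/tags/* ]]; then
            VERSION=${GITHUB_REF#refs/tags/}
          elif [[ $GITHUB_REF == refs/heads/* ]]; then
            # Slashes are not allowed in image tags; collapse them to dashes.
            VERSION=$(echo "${GITHUB_REF#refs/heads/}" | sed -r 's#/+#-#g')
            if [ "$DEFAULT_BRANCH" = "$VERSION" ]; then
              VERSION=edge
            fi
          elif [[ $GITHUB_REF == refs/pull/* ]]; then
            VERSION="pr-${PR_NUMBER}"
          fi

          TAGS="${DOCKER_IMAGE}:${VERSION}"
          if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
            # A release tag X.Y.Z also gets the X.Y, X and latest tags.
            MINOR=${VERSION%.*}
            MAJOR=${MINOR%.*}
            TAGS="$TAGS,${DOCKER_IMAGE}:${MINOR},${DOCKER_IMAGE}:${MAJOR},${DOCKER_IMAGE}:latest"
          elif [ "$GITHUB_EVENT_NAME" = "push" ]; then
            TAGS="$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}"
          fi

          # `secrets` is "yes" only when the run has repository secrets: any
          # event other than pull_request, or a pull_request from this same
          # repository that was not opened by dependabot. Otherwise it is empty.
          SECRETS=
          if [ "$GITHUB_EVENT_NAME" != "pull_request" ] \
             || { [ "$PR_HEAD_REPO" = "$PR_BASE_REPO" ] && [ "$SENDER_LOGIN" != "dependabot[bot]" ]; }; then
            SECRETS=yes
          fi

          # `::set-output` is deprecated by GitHub; outputs go to $GITHUB_OUTPUT.
          {
            echo "image=${DOCKER_IMAGE}"
            echo "primaryTag=${DOCKER_IMAGE}:${VERSION}"
            echo "version=${VERSION}"
            echo "tags=${TAGS}"
            echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            echo "secrets=${SECRETS}"
          } >> "$GITHUB_OUTPUT"

      # Gives the build read access to GitHub Packages. The token is written
      # to a file inside the build context — TODO(review): the Dockerfile is
      # not shown here; confirm it consumes .npmrc.local as a build secret or
      # that the file is excluded, so the token never lands in an image layer.
      - name: Update .npmrc
        env:
          NPM_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: echo "//npm.pkg.github.com/:_authToken=${NPM_TOKEN}" > .npmrc.local

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      # The image is only loaded into the local daemon here (push: false);
      # it is scanned first and pushed by the last step.
      - name: Build and push
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          load: true
          pull: true
          push: false
          tags: ${{ steps.prep.outputs.tags }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          context: .
          file: ./Dockerfile
          labels: |
            org.opencontainers.image.title=${{ github.event.repository.name }}
            org.opencontainers.image.description=${{ github.event.repository.description }}
            org.opencontainers.image.url=${{ github.event.repository.html_url }}
            org.opencontainers.image.source=${{ github.event.repository.clone_url }}
            org.opencontainers.image.version=${{ steps.prep.outputs.version }}
            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}

      # SARIF output (and the upload step below) is selected only when the run
      # has secrets — presumably because uploading to the Security tab needs a
      # token that runs from forks do not get. Otherwise a plain table is printed.
      - name: Determine security scan parameters
        id: scanparams
        env:
          HAS_SECRETS: ${{ steps.prep.outputs.secrets }}
        run: |
          if [ "$HAS_SECRETS" = "yes" ]; then
            {
              echo "format=template"
              echo "template=@/contrib/sarif.tpl"
              echo "output=trivy-results.sarif"
            } >> "$GITHUB_OUTPUT"
          else
            {
              echo "format=table"
              echo "template="
              echo "output="
            } >> "$GITHUB_OUTPUT"
          fi

      # TODO(review): every other action is pinned to a commit SHA, but this
      # one floats on `master`, so any upstream commit (good or compromised)
      # is picked up immediately. Pin it to a reviewed commit and keep a
      # `# vX.Y.Z` comment like the other steps.
      # NOTE(review): no `exit-code`/`severity` inputs are set, so the scan
      # result does not appear to gate the push below — confirm this is intended.
      - name: Security Scan
        uses: aquasecurity/trivy-action@master
        id: scan
        with:
          image-ref: ${{ steps.prep.outputs.primaryTag }}
          format: ${{ steps.scanparams.outputs.format }}
          template: ${{ steps.scanparams.outputs.template }}
          output: ${{ steps.scanparams.outputs.output }}

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
        with:
          sarif_file: trivy-results.sarif
        # Only when the scan step actually produced a SARIF file.
        if: steps.scanparams.outputs.output != ''

      # Registry credentials are never used for pull_request runs.
      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKER_LOGIN }}
          password: ${{ secrets.DOCKER_PASSWORD }}
        if: github.event_name != 'pull_request'

      - name: Push the image
        run: docker push --all-tags "${{ steps.prep.outputs.image }}"
        if: github.event_name != 'pull_request'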