Skip to content

Bump distroless/nodejs20-debian12 from 08d0b68 to a70f4f8 (#240) #110

Bump distroless/nodejs20-debian12 from 08d0b68 to a70f4f8 (#240)

Bump distroless/nodejs20-debian12 from 08d0b68 to a70f4f8 (#240) #110

Workflow file for this run

name: multi-build
on:
push:
branches:
- main
paths:
- Dockerfile
- entrypoint.js
tags:
- v*
workflow_dispatch:
inputs:
manual-tag:
description: 'Manual Tag'
required: true
default: 'manual'
type: string
ghost_version:
description: 'Ghost version'
required: true
default: '5.86.2'
type: string
workflow_call:
env:
GHCR_IMAGE: ghcr.io/${{ github.repository }}
DOCKER_IMAGE: docker.io/${{ secrets.DOCKER_USER }}/${{ github.event.repository.name }}
permissions:
contents: read
jobs:
build:
permissions:
actions: write
checks: write
contents: write
deployments: none
id-token: write
issues: read
discussions: read
packages: write
pages: none
pull-requests: read
repository-projects: read
security-events: read
statuses: read
runs-on: ubuntu-22.04
strategy:
fail-fast: true
matrix:
platform:
- linux/amd64
- linux/arm64
steps:
-
name: Prepare
id: prepare
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-
name: Harden Runner
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
egress-policy: block
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
deb.debian.org:80
gcr.io:443
ghcr.io:443
github.com:443
nodejs.org:443
objects.githubusercontent.com:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
registry.npmjs.org:443
registry.yarnpkg.com:443
storage.googleapis.com:443
-
name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-
name: Set up GHOST_VERSION and MANUAL_TAG values, depending on event type (push or workflow_dispatch)
id: versions
env:
GITHUB_EVENT_NAME: ${{ github.event_name }}
run: |
if [ ${{ env.GITHUB_EVENT_NAME }} == workflow_dispatch ]; then
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_OUTPUT
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_OUTPUT
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_ENV
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_ENV
else
echo "GHOST_VERSION=$(curl -s https://api.github.com/repos/tryghost/ghost/releases/latest | jq '.name' | sed 's/\"//g')" >> $GITHUB_OUTPUT
echo "GHOST_VERSION=$(curl -s https://api.github.com/repos/tryghost/ghost/releases/latest | jq '.name' | sed 's/\"//g')" >> $GITHUB_ENV
fi
-
name: Show Ghost version
continue-on-error: true
run: |
echo "output of step for GHOST_VERSION=${{ steps.versions.outputs.GHOST_VERSION }}"
echo "output of step for MANUAL_TAG=${{ steps.versions.outputs.MANUAL_TAG }}"
echo "output of env for GHOST_VERSION=\"$(echo $GHOST_VERSION)\""
echo "output of env for MANUAL_TAG=\"$(echo $MANUAL_TAG)\""
- name: Docker meta default
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ env.GHCR_IMAGE }}
annotations: |
type=org.opencontainers.image.description,value=${{ github.event.repository.description }}
-
name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
if: ${{ matrix.platform == 'linux/arm64' || env.PLATFORM_PAIR == 'linux-arm64' }}
continue-on-error: false
with:
platforms: arm64
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
with:
driver-opts: |
network=host
-
name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ secrets.GHCR_USER }}
password: ${{ secrets.GHCR_PASS }}
-
name: Build and push by digest
id: build
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
env:
DOCKER_BUILDKIT: 1
with:
context: .
platforms: ${{ matrix.platform }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
build-args: GHOST_VERSION=${{ steps.versions.outputs.GHOST_VERSION }}
outputs: type=image,name=${{ env.GHCR_IMAGE }},push-by-digest=true,name-canonical=true,push=true,oci-mediatypes=true
provenance: false
cache-from: type=gha,ignore-error=true
cache-to: type=gha,ignore-error=true
-
name: Export digest
run: |
mkdir -p /tmp/digests
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
-
name: Upload digest
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
with:
name: digests-${{ env.PLATFORM_PAIR }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 15
merge:
runs-on: ubuntu-22.04
needs:
- build
permissions:
attestations: write
actions: write
checks: write
contents: write
deployments: none
id-token: write
issues: read
discussions: read
packages: write
pages: none
pull-requests: read
repository-projects: read
security-events: read
statuses: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
egress-policy: audit
-
name: Download digests
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: /tmp/digests
pattern: digests-*
merge-multiple: true
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
with:
driver-opts: |
network=host
-
name: Set up GHOST_VERSION and MANUAL_TAG values, depending on event type (push or workflow_dispatch)
id: versions
env:
GITHUB_EVENT_NAME: ${{ github.event_name }}
run: |
if [ ${{ env.GITHUB_EVENT_NAME }} == workflow_dispatch ]; then
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_OUTPUT
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_OUTPUT
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_ENV
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_ENV
else
echo "GHOST_VERSION=$(curl -s https://api.github.com/repos/tryghost/ghost/releases/latest | jq '.name' | sed 's/\"//g')" >> $GITHUB_OUTPUT
echo "GHOST_VERSION=$(curl -s https://api.github.com/repos/tryghost/ghost/releases/latest | jq '.name' | sed 's/\"//g')" >> $GITHUB_ENV
fi
-
name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
env:
GHOST_VERSION: "v${{ steps.versions.outputs.GHOST_VERSION }}"
with:
images: ${{ env.GHCR_IMAGE }}
annotations: |
type=org.opencontainers.image.description,value=${{ github.event.repository.description }}
tags: |
type=raw,value=main,enable=${{ github.event_name != 'workflow_dispatch' }}
type=raw,value=latest,enable=${{ github.event_name != 'workflow_dispatch' }}
type=raw,value=${{ env.GHOST_VERSION }},enable=${{ github.event_name != 'workflow_dispatch' }}
type=raw,value=${{ github.event.inputs.manual-tag }},enable=${{ github.event_name == 'workflow_dispatch' }}
-
name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Create manifest list and pushs
working-directory: /tmp/digests
id: manifest-annotate
continue-on-error: true
run: |
docker buildx imagetools create \
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
--annotation='index:org.opencontainers.image.description="Ghost on Kubernetes by SREDevOps.org https://sredevops.org "' \
$(printf '${{ env.GHCR_IMAGE }}@sha256:%s ' *)
-
name: Create manifest list and pushs
working-directory: /tmp/digests
id: manifest
if: steps.manifest-annotate.outcome == 'failure'
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.GHCR_IMAGE }}@sha256:%s ' *)
-
name: Inspect image
id: inspect
continue-on-error: true
run: |
docker buildx imagetools inspect ${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.version }}
-
name: Login to Docker Hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
continue-on-error: true
with:
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PASS }}
-
name: Push to Docker Hub
continue-on-error: true
run: |
docker buildx imagetools create \
--tag ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} \
--tag ${{ env.DOCKER_IMAGE }}:latest \
${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.version }}