Bump distroless/nodejs20-debian12 from 08d0b68
to a70f4f8
(#240)
#110
name: multi-build | |
on: | |
push: | |
branches: | |
- main | |
paths: | |
- Dockerfile | |
- entrypoint.js | |
tags: | |
- v* | |
workflow_dispatch: | |
inputs: | |
manual-tag: | |
description: 'Manual Tag' | |
required: true | |
default: 'manual' | |
type: string | |
ghost_version: | |
description: 'Ghost version' | |
required: true | |
default: '5.86.2' | |
type: string | |
workflow_call: | |
env: | |
GHCR_IMAGE: ghcr.io/${{ github.repository }} | |
DOCKER_IMAGE: docker.io/${{ secrets.DOCKER_USER }}/${{ github.event.repository.name }} | |
permissions: | |
contents: read | |
jobs: | |
build: | |
permissions: | |
actions: write | |
checks: write | |
contents: write | |
deployments: none | |
id-token: write | |
issues: read | |
discussions: read | |
packages: write | |
pages: none | |
pull-requests: read | |
repository-projects: read | |
security-events: read | |
statuses: read | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: true | |
matrix: | |
platform: | |
- linux/amd64 | |
- linux/arm64 | |
steps: | |
- | |
name: Prepare | |
id: prepare | |
run: | | |
platform=${{ matrix.platform }} | |
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
- | |
name: Harden Runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
auth.docker.io:443 | |
deb.debian.org:80 | |
gcr.io:443 | |
ghcr.io:443 | |
github.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
production.cloudflare.docker.com:443 | |
registry-1.docker.io:443 | |
registry.npmjs.org:443 | |
registry.yarnpkg.com:443 | |
storage.googleapis.com:443 | |
- | |
name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- | |
name: Set up GHOST_VERSION and MANUAL_TAG values, depending on event type (push or workflow_dispatch) | |
id: versions | |
env: | |
GITHUB_EVENT_NAME: ${{ github.event_name }} | |
run: | | |
if [ ${{ env.GITHUB_EVENT_NAME }} == workflow_dispatch ]; then | |
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_OUTPUT | |
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_OUTPUT | |
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_ENV | |
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_ENV | |
else | |
echo "GHOST_VERSION=$(curl -s https://api.github.com/repos/tryghost/ghost/releases/latest | jq '.name' | sed 's/\"//g')" >> $GITHUB_OUTPUT | |
echo "GHOST_VERSION=$(curl -s https://api.github.com/repos/tryghost/ghost/releases/latest | jq '.name' | sed 's/\"//g')" >> $GITHUB_ENV | |
fi | |
- | |
name: Show Ghost version | |
continue-on-error: true | |
run: | | |
echo "output of step for GHOST_VERSION=${{ steps.versions.outputs.GHOST_VERSION }}" | |
echo "output of step for MANUAL_TAG=${{ steps.versions.outputs.MANUAL_TAG }}" | |
echo "output of env for GHOST_VERSION=\"$(echo $GHOST_VERSION)\"" | |
echo "output of env for MANUAL_TAG=\"$(echo $MANUAL_TAG)\"" | |
- name: Docker meta default | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
with: | |
images: ${{ env.GHCR_IMAGE }} | |
annotations: | | |
type=org.opencontainers.image.description,value=${{ github.event.repository.description }} | |
- | |
name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
if: ${{ matrix.platform == 'linux/arm64' || env.PLATFORM_PAIR == 'linux-arm64' }} | |
continue-on-error: false | |
with: | |
platforms: arm64 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0 | |
with: | |
driver-opts: | | |
network=host | |
- | |
name: Login to GitHub Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ secrets.GHCR_USER }} | |
password: ${{ secrets.GHCR_PASS }} | |
- | |
name: Build and push by digest | |
id: build | |
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 | |
env: | |
DOCKER_BUILDKIT: 1 | |
with: | |
context: . | |
platforms: ${{ matrix.platform }} | |
labels: ${{ steps.meta.outputs.labels }} | |
annotations: ${{ steps.meta.outputs.annotations }} | |
build-args: GHOST_VERSION=${{ steps.versions.outputs.GHOST_VERSION }} | |
outputs: type=image,name=${{ env.GHCR_IMAGE }},push-by-digest=true,name-canonical=true,push=true,oci-mediatypes=true | |
provenance: false | |
cache-from: type=gha,ignore-error=true | |
cache-to: type=gha,ignore-error=true | |
- | |
name: Export digest | |
run: | | |
mkdir -p /tmp/digests | |
digest="${{ steps.build.outputs.digest }}" | |
touch "/tmp/digests/${digest#sha256:}" | |
- | |
name: Upload digest | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 | |
with: | |
name: digests-${{ env.PLATFORM_PAIR }} | |
path: /tmp/digests/* | |
if-no-files-found: error | |
retention-days: 15 | |
merge: | |
runs-on: ubuntu-22.04 | |
needs: | |
- build | |
permissions: | |
attestations: write | |
actions: write | |
checks: write | |
contents: write | |
deployments: none | |
id-token: write | |
issues: read | |
discussions: read | |
packages: write | |
pages: none | |
pull-requests: read | |
repository-projects: read | |
security-events: read | |
statuses: read | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
egress-policy: audit | |
- | |
name: Download digests | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
path: /tmp/digests | |
pattern: digests-* | |
merge-multiple: true | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0 | |
with: | |
driver-opts: | | |
network=host | |
- | |
name: Set up GHOST_VERSION and MANUAL_TAG values, depending on event type (push or workflow_dispatch) | |
id: versions | |
env: | |
GITHUB_EVENT_NAME: ${{ github.event_name }} | |
run: | | |
if [ ${{ env.GITHUB_EVENT_NAME }} == workflow_dispatch ]; then | |
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_OUTPUT | |
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_OUTPUT | |
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_ENV | |
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_ENV | |
else | |
echo "GHOST_VERSION=$(curl -s https://api.github.com/repos/tryghost/ghost/releases/latest | jq '.name' | sed 's/\"//g')" >> $GITHUB_OUTPUT | |
echo "GHOST_VERSION=$(curl -s https://api.github.com/repos/tryghost/ghost/releases/latest | jq '.name' | sed 's/\"//g')" >> $GITHUB_ENV | |
fi | |
- | |
name: Docker meta | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
env: | |
GHOST_VERSION: "v${{ steps.versions.outputs.GHOST_VERSION }}" | |
with: | |
images: ${{ env.GHCR_IMAGE }} | |
annotations: | | |
type=org.opencontainers.image.description,value=${{ github.event.repository.description }} | |
tags: | | |
type=raw,value=main,enable=${{ github.event_name != 'workflow_dispatch' }} | |
type=raw,value=latest,enable=${{ github.event_name != 'workflow_dispatch' }} | |
type=raw,value=${{ env.GHOST_VERSION }},enable=${{ github.event_name != 'workflow_dispatch' }} | |
type=raw,value=${{ github.event.inputs.manual-tag }},enable=${{ github.event_name == 'workflow_dispatch' }} | |
- | |
name: Login to GitHub Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- | |
name: Create manifest list and pushs | |
working-directory: /tmp/digests | |
id: manifest-annotate | |
continue-on-error: true | |
run: | | |
docker buildx imagetools create \ | |
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
--annotation='index:org.opencontainers.image.description="Ghost on Kubernetes by SREDevOps.org https://sredevops.org "' \ | |
$(printf '${{ env.GHCR_IMAGE }}@sha256:%s ' *) | |
- | |
name: Create manifest list and pushs | |
working-directory: /tmp/digests | |
id: manifest | |
if: steps.manifest-annotate.outcome == 'failure' | |
run: | | |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
$(printf '${{ env.GHCR_IMAGE }}@sha256:%s ' *) | |
- | |
name: Inspect image | |
id: inspect | |
continue-on-error: true | |
run: | | |
docker buildx imagetools inspect ${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.version }} | |
- | |
name: Login to Docker Hub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
continue-on-error: true | |
with: | |
username: ${{ secrets.DOCKER_USER }} | |
password: ${{ secrets.DOCKER_PASS }} | |
- | |
name: Push to Docker Hub | |
continue-on-error: true | |
run: | | |
docker buildx imagetools create \ | |
--tag ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} \ | |
--tag ${{ env.DOCKER_IMAGE }}:latest \ | |
${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.version }} |
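Review bot: In the "Set up GHOST_VERSION and MANUAL_TAG values" step of the build job (and its duplicate in the merge job) the `run:` script expands `${{ github.event.inputs.ghost_version }}` and `${{ github.event.inputs.manual-tag }}` straight into the shell text, so whatever a dispatcher types becomes part of the command rather than data; the standard mitigation is to pass inputs through `env:` and read them as quoted shell variables (`"$INPUT_GHOST_VERSION"`), and the same applies to `${{ env.GITHUB_EVENT_NAME }}`, which is already in `env:` and should be `"$GITHUB_EVENT_NAME"`. In the `else` branch `curl -s` without `-f` means an API error or rate-limit response is piped on silently, so `GHOST_VERSION` can end up empty or `null` and is then used as a build-arg and as an image tag without any check; `curl -fsS` plus `jq -r '.name'` (which replaces the `sed` quote-stripping) and `set -euo pipefail` make that a hard failure instead. I would also note, presumably harmless given `workflow_dispatch` requires write access to trigger, that the two copies of this step should be kept byte-identical or factored into a reusable step so a fix to one is not missed in the other.

```yaml
      - name: Set up GHOST_VERSION and MANUAL_TAG values, depending on event type (push or workflow_dispatch)
        id: versions
        env:
          GITHUB_EVENT_NAME: ${{ github.event_name }}
          INPUT_GHOST_VERSION: ${{ github.event.inputs.ghost_version }}
          INPUT_MANUAL_TAG: ${{ github.event.inputs.manual-tag }}
        run: |
          set -euo pipefail
          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
            ghost_version="$INPUT_GHOST_VERSION"
            echo "MANUAL_TAG=$INPUT_MANUAL_TAG" >> "$GITHUB_OUTPUT"
            echo "MANUAL_TAG=$INPUT_MANUAL_TAG" >> "$GITHUB_ENV"
          else
            ghost_version="$(curl -fsS https://api.github.com/repos/tryghost/ghost/releases/latest | jq -r '.name')"
          fi
          # fail the job rather than tagging an image "" or "null"
          if [ -z "$ghost_version" ] || [ "$ghost_version" = "null" ]; then
            echo "could not determine GHOST_VERSION" >&2
            exit 1
          fi
          echo "GHOST_VERSION=$ghost_version" >> "$GITHUB_OUTPUT"
          echo "GHOST_VERSION=$ghost_version" >> "$GITHUB_ENV"
      # … unchanged: remaining steps of the job …
```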