chore: Update Ghost version to 5.82.6 and adjust permissions in multi… #54
name: CI Build Multiarch + Trivy | |
on: | |
push: | |
# tags: | |
# - "v*" | |
branches: | |
- "main" | |
paths: | |
- "Dockerfile" | |
- .github/workflows/multi-build.yaml | |
- "entrypoint.js" | |
pull_request: | |
branches: | |
- "main" | |
paths: | |
- "Dockerfile" | |
- .github/workflows/multi-build.yaml | |
- "entrypoint.js" | |
workflow_dispatch: | |
inputs: | |
manual-tag: | |
description: 'Manual Tag' | |
required: false | |
default: 'main' | |
type: string | |
ghost_version: | |
description: 'Ghost version' | |
required: false | |
default: '5.82.6' | |
type: string | |
permissions: | |
contents: read | |
env: | |
GHCR_IMAGE: ghcr.io/${{ github.repository }} | |
DOCKER_IMAGE: docker.io/${{ secrets.DOCKER_USER }}/${{ github.event.repository.name }} | |
jobs: | |
build: | |
permissions: write-all | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: true | |
matrix: | |
platform: | |
- linux/arm64 | |
- linux/amd64 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
with: | |
egress-policy: audit | |
- | |
name: Prepare | |
run: | | |
platform=${{ matrix.platform }} | |
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
- | |
name: Checkout | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- | |
name: Set up GHOST_VERSION and MANUAL_TAG values, depending on event type (push or workflow_dispatch) | |
id: versions | |
env: | |
GITHUB_EVENT_NAME: ${{ github.event_name }} | |
run: | | |
if [ ${{ env.GITHUB_EVENT_NAME }} == workflow_dispatch ]; then | |
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_OUTPUT | |
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_OUTPUT | |
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_ENV | |
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_ENV | |
else | |
echo "GHOST_VERSION=$(curl -s https://api.github.com/repos/tryghost/ghost/releases/latest | jq '.name' | sed 's/\"//g')" >> $GITHUB_OUTPUT | |
fi | |
- | |
name: Show Ghost version | |
run: | | |
echo "GHOST_VERSION=${{ steps.versions.outputs.GHOST_VERSION }}" | |
echo "MANUAL_TAG=${{ steps.versions.outputs.MANUAL_TAG }}" | |
- name: Docker meta default | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
with: | |
images: ${{ env.GHCR_IMAGE }} | |
labels: | # Add description label for opencontainers specs to the $DOCKER_METADATA_OUTPUT_JSON variable. | |
org.opencontainers.image.description: "${{ github.event.repository.description }}" | |
# tags: | | |
# type=raw,value=latest,enable=${{ github.event_name == 'push' || github.ref == 'refs/heads/main' || github.event.ref == 'tags/v*' }} | |
# type=raw,value=main,enable=${{ github.event_name == 'push' || github.ref == 'refs/heads/main' || github.event.ref == 'tags/v*' }} | |
# type=raw,value=${{ steps.versions.outputs.MANUAL_TAG }},enable=${{ github.event_name == 'workflow_dispatch' }} | |
# type=raw,value=v${{ steps.versions.outputs.GHOST_VERSION }},enable=${{ github.event_name == 'workflow_dispatch' }} | |
- | |
name: Set up QEMU | |
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | |
with: | |
platforms: amd64,arm64 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
with: | |
driver-opts: | | |
network=host | |
- | |
name: Login to GitHub Container Registry | |
if: ${{ github.event_name != 'pull_request' }} | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
with: | |
registry: ghcr.io | |
username: ${{ secrets.GHCR_USER }} | |
password: ${{ secrets.GHCR_PASS }} | |
- | |
name: Build and push by digest | |
id: build | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
with: | |
context: . | |
platforms: ${{ matrix.platform }} | |
labels: ${{ steps.meta.outputs.labels }} | |
build-args: GHOST_VERSION=${{ steps.versions.outputs.GHOST_VERSION }} | |
outputs: type=image,name=${{ env.GHCR_IMAGE }},push-by-digest=true,name-canonical=true,push=true | |
provenance: false | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
- | |
name: Export digest | |
run: | | |
mkdir -p /tmp/digests | |
digest="${{ steps.build.outputs.digest }}" | |
touch "/tmp/digests/${digest#sha256:}" | |
- | |
name: Upload digest | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
with: | |
name: digests-${{ env.PLATFORM_PAIR }} | |
path: /tmp/digests/* | |
if-no-files-found: error | |
retention-days: 1 | |
merge: | |
runs-on: ubuntu-22.04 | |
needs: | |
- build | |
permissions: write-all | |
if: ${{ github.event_name != 'pull_request' }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
with: | |
egress-policy: audit | |
- | |
name: Download digests | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
with: | |
path: /tmp/digests | |
pattern: digests-* | |
merge-multiple: true | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
with: | |
driver-opts: | | |
network=host | |
- | |
name: Docker meta | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
with: | |
images: ${{ env.GHCR_IMAGE }} | |
tags: | | |
type=raw,value=latest,enable=${{ github.event_name == 'push' || github.ref == 'refs/heads/main' || github.event.ref == 'tags/v*' }} | |
type=raw,value=main,enable=${{ github.event_name == 'push' || github.ref == 'refs/heads/main' || github.event.ref == 'tags/v*' }} | |
type=raw,value=${{ github.env.MANUAL_TAG }},enable=${{ github.event_name == 'workflow_dispatch' }} | |
type=raw,value=v${{ github.env.GHOST_VERSION }},enable=${{ github.event_name == 'workflow_dispatch' }} | |
- | |
name: Login to GitHub Container Registry | |
if: github.event_name != 'pull_request' | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- | |
name: Create manifest list and pushs | |
if: github.event_name != 'pull_request' | |
working-directory: /tmp/digests | |
id: manifest | |
run: | | |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
$(printf '${{ env.GHCR_IMAGE }}@sha256:%s ' *) | |
- | |
name: Inspect image | |
if: github.event_name != 'pull_request' | |
id: inspect | |
run: | | |
docker buildx imagetools inspect ${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.version }} | |
- name: Run Trivy vulnerability scanner | |
if: github.event_name != 'pull_request' | |
uses: aquasecurity/trivy-action@7088d18dcb87884bc7b5a4000d5517d758e9aa13 # master | |
continue-on-error: true | |
with: | |
image-ref: '${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.version }}' | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
scan-type: 'image' | |
github-pat: '${{ github.token }}' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
- name: Upload Trivy scan results to GitHub Security tab | |
if: github.event_name != 'pull_request' | |
uses: github/codeql-action/upload-sarif@41857bab356c91c1decab862427445155c08ca39 # main | |
continue-on-error: true | |
with: | |
sarif_file: 'trivy-results.sarif' | |
- | |
name: Login to Docker Hub | |
if: github.event_name != 'pull_request' | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
continue-on-error: true | |
with: | |
username: ${{ secrets.DOCKER_USER }} | |
password: ${{ secrets.DOCKER_PASS }} | |
- | |
name: Push to Docker Hub | |
if: github.event_name != 'pull_request' | |
continue-on-error: true | |
run: | | |
docker buildx imagetools create \ | |
--tag ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} \ | |
--tag ${{ env.DOCKER_IMAGE }}:latest \ | |
${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.version }} |
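Review bot: `permissions: write-all` on jobs.build.permissions and jobs.merge.permissions overrides the top-level `permissions: contents: read` and grants every token scope, including on the `pull_request` runs of `build`; the steps shown only need `contents: read` plus `packages: write` for the GHCR push-by-digest and manifest steps, and `merge` additionally `security-events: write` for the upload-sarif step. Separately, the merge job's Docker meta tags read `github.env.MANUAL_TAG` and `github.env.GHOST_VERSION`, but `github.env` is the path of the runner's environment file rather than a variable map, and values written to `$GITHUB_ENV` in `build` do not carry over to `merge` anyway, so the two `workflow_dispatch` tags presumably render empty. Exporting them as job outputs of `build` and reading them via `needs.build.outputs` resolves that (both matrix legs compute the same values, so whichever leg writes last is harmless). A minor point in the versions step: `jq '.name' | sed 's/\"//g'` can be `jq -r '.name'`, and since that release name comes from an external API straight into `GITHUB_OUTPUT` and `build-args`, a short comment such as `# GHOST_VERSION is taken unpinned from the latest upstream release on push` would make the trust boundary explicit.
```yaml
jobs:
  build:
    permissions:
      contents: read
      packages: write
    # … unchanged: runs-on, strategy …
    outputs:
      ghost_version: ${{ steps.versions.outputs.GHOST_VERSION }}
      manual_tag: ${{ steps.versions.outputs.MANUAL_TAG }}
    # … unchanged: steps …
  merge:
    # … unchanged: runs-on, needs, if …
    permissions:
      contents: read
      packages: write
      security-events: write
    # … unchanged: steps up to "Docker meta"; images and the latest/main tag lines stay …
        tags: |
          type=raw,value=${{ needs.build.outputs.manual_tag }},enable=${{ github.event_name == 'workflow_dispatch' }}
          type=raw,value=v${{ needs.build.outputs.ghost_version }},enable=${{ github.event_name == 'workflow_dispatch' }}
    # … unchanged: remaining steps …
```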