chore(main): release 2.0.43 (#395) #86
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #stolen from here: https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners | |
| name: tag-push | |
| on: | |
| push: | |
| tags: | |
| - "*" | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }}/build-harness | |
| jobs: | |
| build-and-push: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| platform: | |
| - linux/amd64 | |
| # We used to build for arm64, and we can again in the future by simply uncommenting this line in each of the "matrix" blocks | |
| # - linux/arm64/v8 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=raw,value=${{ github.ref_name }} | |
| # QEMU is only required for cross-platform builds | |
| # - name: Set up QEMU | |
| # uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push by digest | |
| id: build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| platforms: ${{ matrix.platform }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true | |
| no-cache: true | |
| - name: Export digest | |
| id: export-digest | |
| run: | | |
| mkdir -p /tmp/digests | |
| digest="${{ steps.build.outputs.digest }}" | |
| touch "/tmp/digests/${digest#sha256:}" | |
| echo "digest=${digest#sha256:}" >> "$GITHUB_OUTPUT" | |
| - name: Upload digest | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: digest-${{ steps.export-digest.outputs.digest }} | |
| path: /tmp/digests/* | |
| if-no-files-found: error | |
| retention-days: 1 | |
| merge: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build-and-push | |
| steps: | |
| - name: Download digests | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: /tmp/digests | |
| pattern: digest-* | |
| merge-multiple: true | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=raw,value=${{ github.ref_name }} | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create manifest list and push | |
| working-directory: /tmp/digests | |
| run: | | |
| docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
| $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *) | |
| - name: Inspect image | |
| run: | | |
| docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} | |
| scan: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - merge | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Init Docker cache | |
| id: init-docker-cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: "${{ github.workspace }}/.cache/docker" | |
| key: "docker|${{ hashFiles('.env') }}" | |
| - name: Docker save build harness | |
| if: steps.init-docker-cache.outputs.cache-hit != 'true' | |
| shell: bash -e -o pipefail {0} | |
| run: | | |
| make docker-save-build-harness | |
| - name: Docker load build harness | |
| if: steps.init-docker-cache.outputs.cache-hit == 'true' | |
| shell: bash -e -o pipefail {0} | |
| run: | | |
| make docker-load-build-harness | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=raw,value=${{ github.ref_name }} | |
| - name: Build SBOM | |
| run: | | |
| make sbom IMAGE_TO_SCAN=docker:${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} | |
| - name: Upload SBOM | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| files: | | |
| sbom.cyclonedx.json | |
| sbom.spdx.json | |
| sbom.syft.json | |
| sbom.table.txt | |
| - name: Build Vuln Report | |
| run: | | |
| make vuln-report | |
| - name: Upload Vuln Report | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| files: | | |
| vulns.grype.json | |
| vulns.grype.txt |