Skip to content
tag-push

chore(main): release 1.15.4 (#179) #40

Sign in to view logs

chore(main): release 1.15.4 (#179)

chore(main): release 1.15.4 (#179) #40

Workflow file for this run

.github/workflows/tag-push.yml at a327f12
#stolen from here: https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
name: tag-push
on:
push:
tags:
- "*"
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}/build-harness
jobs:
build-and-push:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
platform:
- linux/amd64
- linux/arm64/v8
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=${{ github.ref_name }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push by digest
id: build
uses: docker/build-push-action@v5
with:
context: .
platforms: ${{ matrix.platform }}
labels: ${{ steps.meta.outputs.labels }}
outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
no-cache: true
- name: Export digest
id: export-digest
run: |
mkdir -p /tmp/digests
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
echo "digest=${digest#sha256:}" >> "$GITHUB_OUTPUT"
- name: Upload digest
uses: actions/upload-artifact@v4
with:
name: digest-${{ steps.export-digest.outputs.digest }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
merge:
runs-on: ubuntu-latest
needs:
- build-and-push
steps:
- name: Download digests
uses: actions/download-artifact@v4
with:
path: /tmp/digests
pattern: digest-*
merge-multiple: true
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=${{ github.ref_name }}
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Create manifest list and push
working-directory: /tmp/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
scan:
runs-on: ubuntu-latest
needs:
- merge
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Init Docker cache
id: init-docker-cache
uses: actions/cache@v4
with:
path: "${{ github.workspace }}/.cache/docker"
key: "docker|${{ hashFiles('.env') }}"
- name: Docker save build harness
if: steps.init-docker-cache.outputs.cache-hit != 'true'
shell: bash -e -o pipefail {0}
run: |
make docker-save-build-harness
- name: Docker load build harness
if: steps.init-docker-cache.outputs.cache-hit == 'true'
shell: bash -e -o pipefail {0}
run: |
make docker-load-build-harness
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=${{ github.ref_name }}
- name: Build SBOM
run: |
make sbom IMAGE_TO_SCAN=docker:${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
- name: Upload SBOM
uses: softprops/action-gh-release@v1
with:
files: |
sbom.cyclonedx.json
sbom.spdx.json
sbom.syft.json
sbom.table.txt
- name: Build Vuln Report
run: |
make vuln-report
- name: Upload Vuln Report
uses: softprops/action-gh-release@v1
with:
files: |
vulns.grype.json
vulns.grype.txt