Skip to content

Workflow file for this run

name: Continuous Delivery
on:
push:
branches:
- main # shoud be removed
schedule:
- cron: '0 0 1 * *' # monthly build
workflow_dispatch:
env:
IMAGE_REPOSITORY_DIR: "ghcr.io/${{ github.repository_owner }}"
DOCKER_CONTENT_TRUST: 0
# CIS-DI-0005 recommends enable DOCKER_CONTENT_TRUST,
# but I disabled it becase Set up QEMU(docker/setup-qemu-action@v3It) raises
# # /usr/bin/docker pull tonistiigi/binfmt:latest
# # Error: remote trust data does not exist for docker.io/tonistiigi/binfmt: notary.docker.io does not have trust data for docker.io/tonistiigi/binfmt
jobs:
generate-jobs:
name: Generate Jobs
runs-on: ubuntu-22.04
outputs:
strategy: ${{ steps.generate-jobs.outputs.strategy }}
steps:
- uses: actions/checkout@v4
- uses: tj-actions/changed-files@v44
id: changed-files
- name: Changed Directories
run: |
echo ${{ steps.changed-files.outputs.all_changed_files }} \
| xargs --verbose --no-run-if-empty --max-args=1 dirname \
| sort -u \
| tee changed-dirs.lst
- name: Extract Target strategy.json
run: |
if grep -q '^\.github' changed-dirs.lst ; then
ls */*/strategy.json
else
grep -Ev '^\.(github|vscode)' changed-dirs.lst \
| awk '{ print $0 "/strategy.json" }' \
| xargs --no-run-if-empty ls \
|| true
fi \
| tee target-strategy.lst
- name: Generate Jobs
id: generate-jobs
shell: bash
run: |
xargs -t cat < target-strategy.lst \
| bash .github/generate-strategy.sh ${IMAGE_REPOSITORY_DIR}/ \
| { echo -n "strategy=" ; jq -c . ; } \
| tee -a $GITHUB_OUTPUT
build:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.imgname }}-${{ matrix.tags[0] }}
cancel-in-progress: true
needs: generate-jobs
if: ${{ needs.generate-jobs.outputs.strategy != '[]' }}
strategy:
fail-fast: false
matrix:
include: ${{ fromJson(needs.generate-jobs.outputs.strategy) }}
name: ${{ matrix.name }} ${{ matrix.tags[0] }}
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: ${{ join(matrix.platforms) }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to the GitHub Container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and load
uses: docker/build-push-action@v5
with:
context: ${{ matrix.dir }}
file: ${{ matrix.filesProcessed.dockerfile }}
push: false
load: true
tags: ${{ join(matrix.tagsProcessed) }}
build-args: ${{ matrix.buildArgsProcessed }}
- name: Setup dockle
env:
dockleignore: ${{ matrix.filesProcessed.dockleignore }}
run: |
cp $dockleignore .
- name: Dockle scan
uses: erzz/dockle-action@v1
with:
image: "${{ matrix.tagsProcessed[0] }}"
exit-code: '1'
failure-threshold: WARN
accept-keywords: key
accept-filenames: usr/share/cmake/Templates/Windows/Windows_TemporaryKey.pfx,etc/trusted-key.key,usr/share/doc/perl-IO-Socket-SSL/certs/server_enc.p12,usr/share/doc/perl-IO-Socket-SSL/certs/server.p12,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.8/site-packages/azure/core/settings.py,usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,usr/local/lib/python3.7/dist-packages/azure/core/settings.py,etc/ssl/private/ssl-cert-snakeoil.key
- name: Build and push
uses: docker/build-push-action@v5
with:
context: ${{ matrix.dir }}
file: ${{ matrix.filesProcessed.dockerfile }}
platforms: ${{ join(matrix.platforms) }}
push: true
tags: ${{ join(matrix.tagsProcessed) }}
build-args: ${{ matrix.buildArgsProcessed }}