fix(ci): fix build #347
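---
# CI for the tgagor/centos images.
#
#   build          - compute the next version (dry run), build and push
#                    "<tag>-<sha>" images to GHCR with template-dockerfiles
#   security-scan  - pull each pushed image and scan it with Trivy; results
#                    go to the GitHub Security tab (SARIF) on master
#   release        - re-tag the GHCR images for Docker Hub, push them on
#                    master, refresh README.md and cut a GitHub release
#
# Secrets: CR_PAT (GHCR), HUB_ACCESS (Docker Hub), GITHUB_TOKEN (tags,
# README commit, releases, SARIF upload).  Every secret is passed to shell
# steps via `env:` rather than interpolated into the script text.
name: build

on:  # yamllint disable-line rule:truthy
  push:
    # README.md is rewritten by this workflow itself; ignoring it avoids a
    # trigger loop (the `Update README` step also guards on the commit message)
    paths-ignore:
      - 'README.md'
    branches:
      - master
      - 'feature/*'
      - 'bugfix/*'
    tags:
      - '*.*.*'
  pull_request:
    branches:
      - master
  schedule:
    # weekly: at 04:13 on Monday
    - cron: '13 4 * * 1'

# Least-privilege default for GITHUB_TOKEN; jobs that need more opt in below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # tag action runs with dry_run, nothing is pushed
    steps:
      - uses: actions/checkout@v4
        with:
          # nothing in this job pushes over git, so don't leave the token in .git/config
          persist-credentials: false
      - name: Guess next version
        id: guessed_tag_version
        uses: mathieudutour/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          dry_run: true
          append_to_pre_release_tag: pre
      - name: Extract version from tag
        env:
          VERSION_TAG: ${{ steps.guessed_tag_version.outputs.new_tag }}
        run: |
          # strip the leading "v" and anything from the first "-" on
          # (e.g. "v1.2.3-pre.4" -> "1.2.3"); same as sed -e 's/^v//' -e 's/-.*$//'
          version="${VERSION_TAG#v}"
          echo "DOCKER_TAG=${version%%-*}" >> "$GITHUB_ENV"
      - name: Build, squash and push
        env:
          CR_PAT: ${{ secrets.CR_PAT }}
          GIT_SHA: ${{ github.sha }}
        run: |
          echo "$CR_PAT" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
          # xtrace must stay below the login line or the expanded token is echoed
          set -x
          # fetch template-dockerfiles
          # TODO(security): "latest" is a mutable, unverified binary that runs with
          # push credentials; pin a release tag and check its sha256 before chmod +x
          curl -fLo /usr/local/bin/td https://github.com/tgagor/template-dockerfiles/releases/latest/download/td-linux-amd64
          chmod +x /usr/local/bin/td
          # which image tags get produced is defined in build.yaml (not visible here)
          td --config build.yaml --tag "${DOCKER_TAG}-${GIT_SHA}" --push

  security-scan:
    runs-on: ubuntu-latest
    needs:
      - build
    permissions:
      contents: read
      security-events: write  # required by codeql-action/upload-sarif
    strategy:
      matrix:
        tag:
          - stream9
          - stream10
    # NOTE(review): the release job pulls "stream10-development-<sha>", not
    # "stream10-<sha>"; whether both tags exist depends on build.yaml — confirm
    # the matrix scans the image that actually ships.
    env:
      IMAGE: ghcr.io/tgagor/centos:${{ matrix.tag }}-${{ github.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false  # no git push in this job
      - name: Fetch image
        env:
          CR_PAT: ${{ secrets.CR_PAT }}
        run: |
          echo "$CR_PAT" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
          docker pull "$IMAGE"
      - name: Run Trivy vulnerability scanner
        # TODO(security): @master is a mutable ref; pin to a release tag or commit SHA
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE }}
          # native SARIF output; replaces the old `template: '@/contrib/sarif.tpl'`
          format: sarif
          # don't fail the build on findings; they are surfaced in the Security tab instead
          exit-code: 0
          output: trivy-results.sarif
          severity: CRITICAL,HIGH,MEDIUM
      - name: Upload Trivy scan results to GitHub Security tab
        if: github.ref == 'refs/heads/master'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

  release:
    runs-on: ubuntu-latest
    needs:
      - build
      - security-scan
    permissions:
      contents: write  # tag push, README commit and release creation
    steps:
      - uses: actions/checkout@v4
      - name: Bump version and push tag
        if: github.ref == 'refs/heads/master'
        id: tag_version
        uses: mathieudutour/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract version from tag on master
        if: github.ref == 'refs/heads/master'
        env:
          VERSION_TAG: ${{ steps.tag_version.outputs.new_tag }}
        run: echo "DOCKER_TAG=${VERSION_TAG#v}" >> "$GITHUB_ENV"
      - name: Use branch name as version not on master
        if: github.ref != 'refs/heads/master'
        # last path component of the ref, e.g. refs/heads/feature/x -> "x"
        run: echo "DOCKER_TAG=${GITHUB_REF##*/}" >> "$GITHUB_ENV"
      - name: Fetch and tag images
        env:
          CR_PAT: ${{ secrets.CR_PAT }}
          GIT_SHA: ${{ github.sha }}
        run: |
          echo "$CR_PAT" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
          src9="ghcr.io/tgagor/centos:stream9-${GIT_SHA}"
          src10="ghcr.io/tgagor/centos:stream10-development-${GIT_SHA}"
          docker pull "$src9"
          docker pull "$src10"
          # stream9 is also the default: "stream", "<version>" and "latest"
          for t in stream9 9 "${DOCKER_TAG}-stream9" stream "${DOCKER_TAG}" latest; do
            docker tag "$src9" "tgagor/centos:${t}"
          done
          for t in stream10 stream10-development 10 "${DOCKER_TAG}-stream10" "${DOCKER_TAG}-stream10-development"; do
            docker tag "$src10" "tgagor/centos:${t}"
          done
      - name: Push images
        if: github.ref == 'refs/heads/master'
        env:
          HUB_ACCESS: ${{ secrets.HUB_ACCESS }}
        run: |
          # NOTE(review): assumes the Docker Hub username equals $GITHUB_ACTOR — confirm
          echo "$HUB_ACCESS" | docker login -u "$GITHUB_ACTOR" --password-stdin
          for t in "${DOCKER_TAG}-stream9" stream9 9 stream "${DOCKER_TAG}" latest \
                   "${DOCKER_TAG}-stream10" "${DOCKER_TAG}-stream10-development" \
                   stream10 stream10-development 10; do
            docker push "tgagor/centos:${t}"
          done
      - name: Update README
        # the commit-message guard is a second line of defence next to paths-ignore
        if: github.ref == 'refs/heads/master' && !contains(github.event.commits[0].message, 'auto-update README')
        run: |
          # TODO(security): verify the downloaded binary's checksum before executing it
          curl -fsSLo /usr/local/bin/tpl https://github.com/schneidexe/tpl/releases/download/v0.6.1/tpl-linux-amd64
          chmod +x /usr/local/bin/tpl
          # DOCKER_TAG comes from $GITHUB_ENV; exported so tpl can read it
          export DOCKER_TAG
          tpl -t README-TEMPLATE.md | tee README.md
          # only README.md is generated, so only README.md is committed (no `git add .`)
          if [[ -n "$(git status --porcelain -- README.md)" ]]; then
            git config user.name "GitHub Action"
            git config user.email "[email protected]"
            git add README.md
            git commit -m "docs(readme): auto-update README.md"
            git push
          fi
      - name: Create normal GitHub release
        if: github.ref == 'refs/heads/master' && github.event_name != 'schedule'
        # NOTE(review): actions/create-release is archived; `gh release create`
        # with GITHUB_TOKEN is the maintained equivalent
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ steps.tag_version.outputs.new_tag }}
          release_name: Release ${{ steps.tag_version.outputs.new_tag }}
          body: ${{ steps.tag_version.outputs.changelog }}
      - name: Get current date
        if: github.event_name == 'schedule'
        id: date
        run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
      - name: Create a weekly GitHub release
        if: github.event_name == 'schedule'
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ steps.tag_version.outputs.new_tag }}
          release_name: Release ${{ steps.tag_version.outputs.new_tag }}
          body: |
            Weekly rebuild on ${{ steps.date.outputs.date }}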