Bump actions/download-artifact from 2 to 4.1.7 in /.github/workflows #9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker multi-arch build and push | |
| on: | |
| push: | |
| # Publish `main` as Docker `latest` image. | |
| branches: | |
| - main | |
| # Publish `v1.2.3` tags as releases. | |
| tags: | |
| - v* | |
| pull_request: | |
| env: | |
| IMAGE_NAME: ubuntools | |
| jobs: | |
| build: | |
| name: Build Docker image (${{ matrix.arch }}) | |
| runs-on: ubuntu-latest | |
| env: | |
| IMAGE_TAG: ghcr.io/${{ github.repository_owner }}/ubuntools | |
| strategy: | |
| matrix: | |
| arch: [linux/amd64, linux/arm64] | |
| steps: | |
| - name: Checkout current repo | |
| uses: actions/checkout@v3 | |
| with: | |
| submodules: "recursive" | |
| - name: Get version | |
| run: | | |
| # Get latest commit short hash | |
| HASH_VERSION=$(git rev-parse --short HEAD) | |
| # Strip git ref prefix from version | |
| VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') | |
| # Strip "v" prefix from tag name | |
| [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//') | |
| # Use Docker `latest` tag convention | |
| [ "$VERSION" == "main" ] || [ "$VERSION" == "master" ] && VERSION=latest | |
| # Convert IMAGE_TAG, HASH_VERSION and VERSION to lowercase (repository name must be lowercase) | |
| IMAGE_TAG=$(echo "$IMAGE_TAG" | awk '{print tolower($0)}') | |
| HASH_VERSION=$(echo "$HASH_VERSION" | awk '{print tolower($0)}') | |
| VERSION=$(echo "$VERSION" | awk '{print tolower($0)}') | |
| ARCH=${{ matrix.arch }} | |
| SAFE_ARCH=${ARCH///} # linux/amd64 -> linuxamd64 | |
| # Store variable for future use | |
| echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV | |
| echo "HASH_VERSION=$HASH_VERSION" >> $GITHUB_ENV | |
| echo "VERSION=$VERSION" >> $GITHUB_ENV | |
| echo "SAFE_ARCH=$SAFE_ARCH" >> $GITHUB_ENV | |
| # Print debug info | |
| echo "hash version: $HASH_VERSION" | |
| echo "version: $VERSION" | |
| echo "safe arch: $SAFE_ARCH" | |
| # Save env to file | |
| cat $GITHUB_ENV > github.env | |
| - name: Upload environment info as artifact | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: github_env | |
| path: github.env | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v2 | |
| with: | |
| platforms: 'arm64,amd64' | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| id: buildx | |
| with: | |
| install: true | |
| - name: Inspect builder | |
| run: | | |
| echo "Name: ${{ steps.buildx.outputs.name }}" | |
| echo "Endpoint: ${{ steps.buildx.outputs.endpoint }}" | |
| echo "Status: ${{ steps.buildx.outputs.status }}" | |
| echo "Flags: ${{ steps.buildx.outputs.flags }}" | |
| echo "Platforms: ${{ steps.buildx.outputs.platforms }}" | |
| - name: Cache Docker layers | |
| uses: actions/cache@v2 | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: ${{ runner.os }}-buildx-${{ env.SAFE_ARCH }}-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-buildx-${{ env.SAFE_ARCH }}- | |
| - name: Login to ghcr registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | |
| - name: Build image | |
| uses: docker/build-push-action@v2 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,mode=max,dest=/tmp/.buildx-cache | |
| platforms: ${{ matrix.arch }} | |
| push: false | |
| load: true | |
| tags: | | |
| ${{ env.IMAGE_NAME }}:${{ env.HASH_VERSION }}-${{ env.SAFE_ARCH }} | |
| - name: Run Trivy vulnerability scanner and dump results | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "${{ env.IMAGE_NAME }}:${{ env.HASH_VERSION }}-${{ env.SAFE_ARCH }}" | |
| format: "table" | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| - name: Run Trivy vulnerability scanner (for sarif) | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "${{ env.IMAGE_NAME }}:${{ env.HASH_VERSION }}-${{ env.SAFE_ARCH }}" | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| # - name: Run Trivy vulnerability scanner (fail build if any) | |
| # uses: aquasecurity/trivy-action@master | |
| # with: | |
| # image-ref: "${{ env.IMAGE_NAME }}:${{ env.HASH_VERSION }}-${{ env.SAFE_ARCH }}" | |
| # exit-code: "1" | |
| # vuln-type: "os,library" | |
| # severity: "CRITICAL,HIGH" | |
| # format: "sarif" | |
| # output: "trivy-results.sarif" | |
| - name: Tag and push image | |
| if: ${{ github.event_name != 'pull_request' }} | |
| run: | | |
| docker tag ${{ env.IMAGE_NAME }}:${{ env.HASH_VERSION }}-${{ env.SAFE_ARCH }} ${{ env.IMAGE_TAG }}:${{ env.HASH_VERSION }}-${{ env.SAFE_ARCH }} | |
| docker tag ${{ env.IMAGE_NAME }}:${{ env.HASH_VERSION }}-${{ env.SAFE_ARCH }} ${{ env.IMAGE_TAG }}:${{ env.VERSION }}-${{ env.SAFE_ARCH }} | |
| docker push ${{ env.IMAGE_TAG}}:${{ env.HASH_VERSION}}-${{ env.SAFE_ARCH }} | |
| docker push ${{ env.IMAGE_TAG }}:${{ env.VERSION }}-${{ env.SAFE_ARCH }} | |
| - name: Save image as tar archive | |
| if: ${{ github.event_name != 'pull_request' }} | |
| run: | | |
| docker save ${{ env.IMAGE_TAG }}:${{ env.HASH_VERSION }}-${{ env.SAFE_ARCH }} -o ${{ env.SAFE_ARCH }}.tar | |
| - name: Save image as tar archive (pull request) | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: | | |
| docker save ${{ env.IMAGE_NAME }}:${{ env.HASH_VERSION }}-${{ env.SAFE_ARCH }} -o ${{ env.SAFE_ARCH }}.tar | |
| - name: Upload image as artifact | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: image_${{ env.SAFE_ARCH }} | |
| path: ${{ env.SAFE_ARCH }}.tar | |
| push-manifest: | |
| name: Create and push multi-arch Docker manifest | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name != 'pull_request' }} | |
| env: | |
| DOCKER_CLI_EXPERIMENTAL: enabled | |
| needs: build | |
| steps: | |
| - name: Download artifacts | |
| uses: actions/[email protected] | |
| - name: Load environment info and built images | |
| run: | | |
| cat github_env/github.env > $GITHUB_ENV | |
| docker load --input image_linuxamd64/linuxamd64.tar | |
| docker load --input image_linuxarm64/linuxarm64.tar | |
| - name: Login to ghcr registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | |
| - name: Create and push manifest | |
| run: | | |
| # -- Push to ghcr.io | |
| docker manifest create ${{ env.IMAGE_TAG }}:${{ env.HASH_VERSION }} \ | |
| --amend ${{ env.IMAGE_TAG }}:${{ env.HASH_VERSION }}-linuxamd64 \ | |
| --amend ${{ env.IMAGE_TAG }}:${{ env.HASH_VERSION }}-linuxarm64 | |
| docker manifest push ${{ env.IMAGE_TAG }}:${{ env.HASH_VERSION }} | |
| # Tag images as VERSION (like 'latest') | |
| docker tag ${{ env.IMAGE_TAG }}:${{ env.HASH_VERSION }}-linuxamd64 ${{ env.IMAGE_TAG }}:${{ env.VERSION }}-linuxamd64 | |
| docker tag ${{ env.IMAGE_TAG }}:${{ env.HASH_VERSION }}-linuxarm64 ${{ env.IMAGE_TAG }}:${{ env.VERSION }}-linuxarm64 | |
| docker manifest create ${{ env.IMAGE_TAG }}:${{ env.VERSION }} \ | |
| --amend ${{ env.IMAGE_TAG }}:${{ env.VERSION }}-linuxamd64 \ | |
| --amend ${{ env.IMAGE_TAG }}:${{ env.VERSION }}-linuxarm64 | |
| docker manifest push ${{ env.IMAGE_TAG }}:${{ env.VERSION }} |