ci(deps): bump docker/login-action from 4.1.0 to 4.2.0 (#25) #779
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-FileCopyrightText: © Vegard IT GmbH (https://vegardit.com) | |
| # SPDX-FileContributor: Sebastian Thomschke | |
| # SPDX-License-Identifier: Apache-2.0 | |
| # SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-ext | |
| # | |
| # https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions | |
| name: Build | |
| on: # https://docs.github.com/en/actions/reference/events-that-trigger-workflows | |
| schedule: | |
| # https://docs.github.com/en/actions/reference/choosing-when-your-workflow-runs/events-that-trigger-workflows | |
| - cron: '0 17 * * 3' | |
| push: | |
| branches-ignore: # build all branches except: | |
| - 'dependabot/**' # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR) | |
| tags-ignore: # don't build tags | |
| - '**' | |
| paths-ignore: | |
| - '**/*.md' | |
| - '.editorconfig' | |
| - '.git*' | |
| - '.github/*.yml' | |
| - '.github/workflows/stale.yml' | |
| pull_request: | |
| paths-ignore: | |
| - '**/*.md' | |
| - '.editorconfig' | |
| - '.git*' | |
| - '.github/*.yml' | |
| - '.github/workflows/stale.yml' | |
| workflow_dispatch: | |
| # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| DOCKER_REPO_NAME: gitea-ext | |
| DOCKER_IMAGE_TAG: latest | |
| TRIVY_CACHE_DIR: ~/.trivy/cache | |
| permissions: # added using https://github.com/step-security/secure-repo | |
| contents: read | |
| jobs: | |
| ########################################################### | |
| build: | |
| ########################################################### | |
| runs-on: ubuntu-latest # https://github.com/actions/runner-images#available-images | |
| timeout-minutes: 20 | |
| permissions: | |
| packages: write | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - name: "Show: GitHub context" | |
| env: | |
| GITHUB_CONTEXT: ${{ toJSON(github) }} | |
| run: echo $GITHUB_CONTEXT | |
| - name: "Show: environment variables" | |
| run: env | sort | |
| - name: Git Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Run the sh-checker | |
| uses: luizm/action-sh-checker@883217215b11c1fabbf00eb1a9a041f62d74c744 # master | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SHFMT_OPTS: --simplify --keep-padding | |
| with: | |
| sh_checker_comment: true | |
| sh_checker_checkbashisms_enable: true | |
| sh_checker_shfmt_disable: true | |
| - name: Check Dockerfile | |
| uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 | |
| with: | |
| dockerfile: image/Dockerfile | |
| - name: Cache trivy cache | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: ${{ env.TRIVY_CACHE_DIR }} | |
| # https://github.com/actions/cache/issues/342#issuecomment-673371329 | |
| key: ${{ runner.os }}-trivy-${{ github.run_id }} | |
| restore-keys: | | |
| ${{ runner.os }}-trivy- | |
| - name: Configure fast APT repository mirror | |
| uses: vegardit/fast-apt-mirror.sh@806c59276adfff2df420124ad5e4587f018c358a # v1 | |
| - name: Install dos2unix | |
| run: sudo apt-get install --no-install-recommends -y dos2unix | |
| - name: "Determine if docker images shall be published" | |
| id: docker_push_actions | |
| run: | | |
| # ACT -> https://nektosact.com/usage/index.html#skipping-steps | |
| set -x | |
| if [[ $GITHUB_REF_NAME == 'main' && $GITHUB_EVENT_NAME != 'pull_request' && -z "$ACT" ]]; then | |
| echo "DOCKER_PUSH_GHCR=true" >> "$GITHUB_ENV" | |
| echo "DOCKER_PUSH_GHCR=true" >> $GITHUB_OUTPUT | |
| if [[ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ]]; then | |
| echo "DOCKER_PUSH=true" >> "$GITHUB_ENV" | |
| fi | |
| fi | |
| - name: Login to docker.io | |
| if: ${{ env.DOCKER_PUSH }} | |
| uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 | |
| with: | |
| username: ${{ secrets.DOCKER_HUB_USERNAME }} | |
| password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
| - name: Login to ghcr.io | |
| if: ${{ env.DOCKER_PUSH_GHCR }} | |
| uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build ${{ env.DOCKER_REPO_NAME }}:${{ env.DOCKER_IMAGE_TAG }} | |
| env: | |
| DOCKER_IMAGE_REPO: ${{ github.repository_owner }}/${{ env.DOCKER_REPO_NAME }} | |
| TRIVY_GITHUB_TOKEN: ${{ github.token }} | |
| run: bash build-image.sh | |
| outputs: | |
| DOCKER_PUSH_GHCR: ${{ steps.docker_push_actions.outputs.DOCKER_PUSH_GHCR }} | |
| ########################################################### | |
| delete-untagged-images: | |
| ########################################################### | |
| runs-on: ubuntu-latest # https://github.com/actions/runner-images#available-images | |
| timeout-minutes: 5 | |
| needs: [build] | |
| if: ${{ needs.build.outputs.DOCKER_PUSH_GHCR }} | |
| concurrency: | |
| group: ${{ github.workflow }} | |
| cancel-in-progress: false | |
| permissions: | |
| packages: write | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - name: Delete untagged images | |
| uses: dataaxiom/ghcr-cleanup-action@f092b48ba3b604b2a83690dc4b2bbb3392e1045f # v1.2.1 | |
| with: | |
| package: ${{ env.DOCKER_REPO_NAME }} | |
| delete-untagged: true | |
| delete-partial-images: true | |
| delete-ghost-images: true | |
| delete-orphaned-images: true | |
| validate: true |