build #446
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | |
| on: | |
| push: | |
| paths-ignore: | |
| - README.md | |
| branches: | |
| - master | |
| - "feature/*" | |
| - "bugfix/*" | |
| tags: | |
| - "*.*.*" | |
| pull_request: | |
| branches: | |
| - master | |
| schedule: | |
| # weekly: at 04:13 on Monday | |
| - cron: "13 4 * * 1" | |
| jobs: | |
| build: | |
| permissions: | |
| contents: write | |
| packages: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - name: Setup Template Dockerfiles | |
| uses: tgagor/[email protected] | |
| - name: Build | |
| if: github.event_name == 'pull_request' | |
| run: | | |
| td --config build-ghcr.yaml \ | |
| --build \ | |
| --squash \ | |
| --tag ${{ github.sha }} \ | |
| --delete | |
| - name: Build, squash and push | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin | |
| td --config build-ghcr.yaml \ | |
| --build \ | |
| --squash \ | |
| --push \ | |
| --tag ${{ github.sha }} \ | |
| --delete | |
| - name: Bump version and push tag | |
| if: github.ref == 'refs/heads/master' | |
| id: tag_version | |
| uses: mathieudutour/[email protected] | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract version from tag on master | |
| if: github.ref == 'refs/heads/master' | |
| env: | |
| VERSION_TAG: ${{ steps.tag_version.outputs.new_tag }} | |
| run: echo "DOCKER_TAG=${VERSION_TAG#v}" >> $GITHUB_ENV | |
| - name: Use branch name as version not on master | |
| if: github.ref != 'refs/heads/master' | |
| run: echo "DOCKER_TAG=${GITHUB_REF##*/}" >> $GITHUB_ENV | |
| - name: Rebuild for Docker Hub and Push | |
| if: github.ref == 'refs/heads/master' && github.event_name != 'pull_request' | |
| run: | | |
| echo ${{ secrets.HUB_ACCESS }} | docker login -u $GITHUB_ACTOR --password-stdin | |
| td --config build-hub.yaml \ | |
| --build \ | |
| --squash \ | |
| --push \ | |
| --tag ${{ steps.tag_version.outputs.new_tag }} \ | |
| --delete | |
| - name: Update README | |
| if: github.ref == 'refs/heads/master' && !contains(github.event.commits[0].message, 'auto-update README') | |
| run: | | |
| curl -fsSLo /usr/local/bin/tpl https://github.com/schneidexe/tpl/releases/download/v0.6.1/tpl-linux-amd64 | |
| chmod +x /usr/local/bin/tpl | |
| export DOCKER_TAG=${DOCKER_TAG} | |
| tpl -t README-TEMPLATE.md | tee README.md | |
| if [[ "$(git status --porcelain)" != "" ]]; then | |
| git config user.name "GitHub Action" | |
| git config user.email "[email protected]" | |
| git add . | |
| git commit -m "docs(readme): auto-update README.md" | |
| git push | |
| fi | |
| - name: Create normal GitHub release | |
| if: github.ref == 'refs/heads/master' && (github.event_name != 'schedule' || github.actor == 'dependabot[bot]') | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ steps.tag_version.outputs.new_tag }} | |
| release_name: Release ${{ steps.tag_version.outputs.new_tag }} | |
| body: ${{ steps.tag_version.outputs.changelog }} | |
| - name: Get current date | |
| if: github.event_name == 'schedule' && github.actor != 'dependabot[bot]' | |
| id: date | |
| run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT | |
| - name: Create a weekly GitHub release | |
| if: github.event_name == 'schedule' && github.actor != 'dependabot[bot]' | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ steps.tag_version.outputs.new_tag }} | |
| release_name: Release ${{ steps.tag_version.outputs.new_tag }} | |
| body: | | |
| Weekly rebuild on ${{ steps.date.outputs.date }} | |
| security-scan: | |
| permissions: | |
| security-events: write | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| if: github.ref == 'refs/heads/master' || github.event_name == 'schedule' | |
| strategy: | |
| matrix: | |
| tag: | |
| - stream9 | |
| - stream10 | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - name: Fetch image | |
| run: | | |
| echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin | |
| set -x | |
| docker pull ghcr.io/tgagor/centos:${{ matrix.tag }}-${{ github.sha }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ghcr.io/tgagor/centos:${{ matrix.tag }}-${{ github.sha }} | |
| format: template | |
| template: "@/contrib/sarif.tpl" | |
| # don't fail | |
| exit-code: 0 | |
| output: trivy-results.sarif | |
| severity: CRITICAL,HIGH,MEDIUM | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| if: github.ref == 'refs/heads/master' | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| dependabot: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| permissions: | |
| pull-requests: write | |
| contents: write | |
| if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}} | |
| steps: | |
| - id: metadata | |
| uses: dependabot/fetch-metadata@v2 | |
| with: | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| - env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| gh pr review --approve "$PR_URL" | |
| gh pr merge --squash --auto "$PR_URL" |