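# Build, publish and vulnerability-scan the container images.
#
# Security notes (review):
#   - Two third-party binaries (td, tpl) are downloaded at run time and executed
#     in jobs that also hold registry credentials. `td` is fetched from the
#     floating "latest" release and neither download is checksum-verified; pin
#     both to a release and verify a known sha256 before trusting them.
#   - `aquasecurity/trivy-action@master` tracks a mutable branch; pin it to a
#     release tag or commit SHA so an upstream change cannot silently alter
#     what runs with CR_PAT in scope.
#   - Secrets reach shell steps through `env:` rather than being expanded into
#     the script text, and GITHUB_TOKEN is restricted per job.
name: build

on:
  push:
    paths-ignore:
      - 'README.md'
    branches:
      - master
      - 'feature/*'
      - 'bugfix/*'
    tags:
      - '*.*.*'
  pull_request:
    branches:
      - master
  schedule:
    # weekly: at 04:13 on Monday
    - cron: '13 4 * * 1'

# Least privilege for GITHUB_TOKEN: read-only by default, widened per job below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      # Tag creation, release creation and the README commit all write to the repo.
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Setup Template Dockerfiles
        run: |
          set -euo pipefail
          # TODO(security): pin to a release tag and verify its sha256 — this is
          # an unpinned, unverified executable run in a job holding registry
          # credentials.
          curl -fLo /usr/local/bin/td https://github.com/tgagor/template-dockerfiles/releases/latest/download/td-linux-amd64
          chmod +x /usr/local/bin/td
      - name: Build, squash and push
        env:
          # Passed via env so the secret never becomes part of the script text.
          CR_PAT: ${{ secrets.CR_PAT }}
        run: |
          set -euo pipefail
          echo "$CR_PAT" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
          td --config build-ghcr.yaml \
            --build \
            --squash \
            --push \
            --tag "${{ github.sha }}" \
            --delete
      - name: Bump version and push tag
        if: github.ref == 'refs/heads/master'
        id: tag_version
        uses: mathieudutour/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract version from tag on master
        if: github.ref == 'refs/heads/master'
        env:
          VERSION_TAG: ${{ steps.tag_version.outputs.new_tag }}
        # Strip the leading "v" so the Docker tag is the bare version number.
        run: echo "DOCKER_TAG=${VERSION_TAG#v}" >> "$GITHUB_ENV"
      - name: Use branch name as version not on master
        if: github.ref != 'refs/heads/master'
        # Last path component of the ref (feature/foo -> foo, refs/tags/1.2.3 -> 1.2.3,
        # refs/pull/N/merge -> merge); a slash is not valid in a Docker tag.
        run: echo "DOCKER_TAG=${GITHUB_REF##*/}" >> "$GITHUB_ENV"
      - name: Rebuild for Docker Hub and Push
        if: github.ref == 'refs/heads/master'
        env:
          HUB_ACCESS: ${{ secrets.HUB_ACCESS }}
        run: |
          set -euo pipefail
          # NOTE(review): assumes the Docker Hub username equals the GitHub actor;
          # a push to master by a different collaborator would fail to log in.
          echo "$HUB_ACCESS" | docker login -u "$GITHUB_ACTOR" --password-stdin
          td --config build-hub.yaml \
            --build \
            --squash \
            --push \
            --tag "${{ github.sha }}" \
            --delete
      - name: Update README
        # head_commit is the commit that triggered the push; commits[0] is the
        # oldest commit in the push and can miss the auto-update commit.
        # (Pushes made with GITHUB_TOKEN do not trigger workflows, so this is a
        # second line of defence against a commit loop.)
        if: github.ref == 'refs/heads/master' && !contains(github.event.head_commit.message, 'auto-update README')
        run: |
          set -euo pipefail
          # TODO(security): verify the sha256 of this download before executing it.
          curl -fsSLo /usr/local/bin/tpl https://github.com/schneidexe/tpl/releases/download/v0.6.1/tpl-linux-amd64
          chmod +x /usr/local/bin/tpl
          export DOCKER_TAG=${DOCKER_TAG}
          # pipefail: a failed render must not leave a truncated README.md that
          # then gets committed.
          tpl -t README-TEMPLATE.md | tee README.md
          if [[ -n "$(git status --porcelain -- README.md)" ]]; then
            git config user.name "GitHub Action"
            # NOTE(review): this address looks mangled in this copy — confirm against the repo.
            git config user.email "[email protected]"
            # Commit only the regenerated file, never whatever else the build
            # may have left in the working tree.
            git add README.md
            git commit -m "docs(readme): auto-update README.md"
            git push
          fi
      - name: Create normal GitHub release
        if: github.ref == 'refs/heads/master' && github.event_name != 'schedule'
        # NOTE(review): actions/create-release is archived upstream; plan a
        # maintained replacement.
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ steps.tag_version.outputs.new_tag }}
          release_name: Release ${{ steps.tag_version.outputs.new_tag }}
          body: ${{ steps.tag_version.outputs.changelog }}
      - name: Get current date
        if: github.event_name == 'schedule'
        id: date
        run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
      - name: Create a weekly GitHub release
        if: github.event_name == 'schedule'
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ steps.tag_version.outputs.new_tag }}
          release_name: Release ${{ steps.tag_version.outputs.new_tag }}
          body: |
            Weekly rebuild on ${{ steps.date.outputs.date }}

  security-scan:
    runs-on: ubuntu-latest
    needs:
      - build
    permissions:
      contents: read
      # Required to upload SARIF to the Security tab.
      security-events: write
      # upload-sarif reads workflow metadata; needed on private repositories.
      actions: read
    strategy:
      matrix:
        tag:
          - stream9
          - stream10
    steps:
      - uses: actions/checkout@v4
        with:
          # This job never pushes; do not leave the token in .git/config.
          persist-credentials: false
      - name: Fetch image
        env:
          CR_PAT: ${{ secrets.CR_PAT }}
        run: |
          set -euo pipefail
          # Login happens before `set -x` so the credential is never traced.
          echo "$CR_PAT" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
          set -x
          docker pull "ghcr.io/tgagor/centos:${{ matrix.tag }}-${{ github.sha }}"
      - name: Run Trivy vulnerability scanner
        # TODO(security): pin to a release tag or commit SHA instead of the
        # mutable master branch.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/tgagor/centos:${{ matrix.tag }}-${{ github.sha }}
          format: template
          template: '@/contrib/sarif.tpl'
          # Findings are reported, not enforced: the scan never fails the job.
          exit-code: 0
          output: trivy-results.sarif
          severity: CRITICAL,HIGH,MEDIUM
      - name: Upload Trivy scan results to GitHub Security tab
        if: github.ref == 'refs/heads/master'
        # v2 of the CodeQL action is deprecated; v3 takes the same inputs.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif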