fix(ci): fix usage of .dockerignore in Docker image builds #7
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "New changes validation" | |
| on: | |
| pull_request: # yamllint disable-line rule:empty-values | |
| permissions: | |
| contents: "read" | |
| packages: "read" | |
| env: | |
| REGISTRY: "ghcr.io" | |
| jobs: | |
| find-changed-files: | |
| runs-on: "ubuntu-latest" | |
| outputs: | |
| is_yaml_changed: "${{ steps.filter.outputs.yaml }}" | |
| is_dockerfile_linter_image_changed: "${{ steps.filter.outputs.dockerfile-linter-image }}" | |
| is_markdown_changed: "${{ steps.filter.outputs.markdown }}" | |
| permissions: | |
| pull-requests: "read" | |
| steps: | |
| - name: "Checkout ${{ github.event.repository.name }}" | |
| uses: "actions/checkout@v4" | |
| with: | |
| fetch-depth: 1 | |
| - name: "Find changed files" | |
| uses: "dorny/paths-filter@v3" | |
| id: "filter" | |
| with: | |
| filters: | | |
| yaml: | |
| - "**/*.yaml" | |
| - "**/*.yml" | |
| dockerfile-linter-image: | |
| - "**/Dockerfile" | |
| - "**/.dockerignore" | |
| markdown: | |
| - "**/*.md" | |
| validate-dockerfile-linter-image: | |
| runs-on: "ubuntu-latest" | |
| needs: "find-changed-files" | |
| if: "${{ needs.find-changed-files.outputs.is_dockerfile_linter_image_changed == 'true' }}" | |
| # NOTE: building and running Docker image of Dockerfile linter take around 1 minute. | |
| # If this job takes more than 5 minutes, it means that something is wrong. | |
| timeout-minutes: 5 | |
| steps: | |
| - name: "Checkout ${{ github.event.repository.name }}" | |
| uses: "actions/checkout@v4" | |
| - name: "Set up Docker Buildx" | |
| uses: "docker/setup-buildx-action@v3" | |
| - name: "Login to Docker registry" | |
| uses: "docker/login-action@v3" | |
| with: | |
| registry: "${{ env.REGISTRY }}" | |
| username: "${{ github.actor }}" | |
| password: "${{ secrets.GITHUB_TOKEN }}" | |
| - name: "Build Dockerfile linter Docker image" | |
| uses: "docker/build-push-action@v6" | |
| with: | |
| # NOTE: setup of `context` is needed to force builder to use the `.dockerignore` file. | |
| context: "." | |
| push: false | |
| load: true | |
| # NOTE: using another name to don't allow docker to download image from the internet in the next step. | |
| tags: "local/dockerfile-linter-pr:latest" | |
| - name: "Run local Dockerfile linter" | |
| run: "docker run --rm -v ${{ github.workspace }}:/linter_workdir/repo local/dockerfile-linter-pr:latest" | |
| - name: "Run Trivy vulnerability scanner" | |
| uses: "aquasecurity/[email protected]" | |
| env: | |
| # NOTE: this is needed because sometimes GHCR hits the rate limit, and AWS will be used instead. | |
| TRIVY_DB_REPOSITORY: "ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db" | |
| with: | |
| image-ref: "local/dockerfile-linter-pr:latest" | |
| format: "table" | |
| exit-code: "1" | |
| ignore-unfixed: true | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH,MEDIUM,LOW" | |
| scanners: "vuln,secret,misconfig" | |
| validate-yaml-changes: | |
| runs-on: "ubuntu-latest" | |
| needs: "find-changed-files" | |
| if: "${{ needs.find-changed-files.outputs.is_yaml_changed == 'true' }}" | |
| # NOTE: validating YAML changes takes around 1 minute. | |
| # If this job takes more than 5 minutes, it means that something is wrong. | |
| timeout-minutes: 5 | |
| steps: | |
| - name: "Checkout ${{ github.event.repository.name }}" | |
| uses: "actions/checkout@v4" | |
| - name: "Login to Docker registry" | |
| uses: "docker/login-action@v3" | |
| with: | |
| registry: "${{ env.REGISTRY }}" | |
| username: "${{ github.actor }}" | |
| password: "${{ secrets.GITHUB_TOKEN }}" | |
| - name: "Run YAML linter" | |
| run: "docker run --rm -v ${{ github.workspace }}:/linter_workdir/repo | |
| ${{ env.REGISTRY }}/articola-tools/yaml-linter:latest" | |
| validate-markdown-changes: | |
| runs-on: "ubuntu-latest" | |
| needs: "find-changed-files" | |
| if: "${{ needs.find-changed-files.outputs.is_markdown_changed == 'true' }}" | |
| # NOTE: validating Markdown changes takes around 1 minute. | |
| # If this job takes more than 5 minutes, it means that something is wrong. | |
| timeout-minutes: 5 | |
| steps: | |
| - name: "Checkout ${{ github.event.repository.name }}" | |
| uses: "actions/checkout@v4" | |
| - name: "Login to Docker registry" | |
| uses: "docker/login-action@v3" | |
| with: | |
| registry: "${{ env.REGISTRY }}" | |
| username: "${{ github.actor }}" | |
| password: "${{ secrets.GITHUB_TOKEN }}" | |
| - name: "Run Dockerfile linter" | |
| run: "docker run --rm -v ${{ github.workspace }}:/linter_workdir/repo | |
| ${{ env.REGISTRY }}/articola-tools/markdown-linter:latest" |