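---
name: Docker

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# Supply-chain note: every third-party action below is referenced by a
# mutable major-version tag (v3/v4/v5). Pin each `uses:` to a full commit
# SHA so the code that runs with `packages: write` cannot change underneath
# this file without a visible diff here.

on:  # yamllint disable-line rule:truthy
  push:
    branches: [master]
    # Publish semver tags as releases.
    tags: ['v*.*.*']
    paths:
      - '.github/workflows/*.yml'
      - VERSION
      - Dockerfile
  pull_request:
    branches: [master]

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}
  DOCKER_REPO: ghcr.io/${{ github.repository }}
  DOCKER_REPO_DEV: ghcr.io/${{ github.repository }}-dev

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Only the amd64 leg is vulnerability-scanned; arm64 needs QEMU.
        include:
          - platform: linux/amd64
            scan: true
            needs_qemu: false
          - platform: linux/arm64
            scan: false
            needs_qemu: true
    services:
      # Throw-away registry that receives the image to be scanned; the
      # steps below reach it as localhost:5000.
      registry:
        image: registry:2
        ports:
          - "5000:5000"
    # Least privilege: read the checkout, push to GHCR, upload SARIF.
    # `id-token: write` was dropped because no step in this file performs
    # a sigstore/cosign signing; re-add it together with a signing step.
    permissions:
      contents: read
      packages: write
      actions: read
      security-events: write
    steps:
      - name: Lowercase Image name
        # GHCR rejects upper-case repository paths; ${VAR@L} needs bash >= 5.1.
        run: |
          echo "IMAGE=${IMAGE_NAME@L}" >> "${GITHUB_ENV}"

      - name: Checkout
        uses: actions/checkout@v4

      - name: Set version
        id: version
        # BUILD_DATE and VCS_REF are computed here because build-push-action
        # hands `build-args` to buildx verbatim: a `$(...)` written inside
        # the build-args block is never shell-expanded and would reach the
        # image as a literal string.
        run: |
          echo "version=$(cat VERSION)" >> "${GITHUB_OUTPUT}"
          echo "build_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> "${GITHUB_OUTPUT}"
          echo "vcs_ref=$(git rev-parse --short HEAD)" >> "${GITHUB_OUTPUT}"

      - name: Set repo
        id: repo
        # master and release tags resolve to the main image; every other
        # ref (including pull requests) resolves to the -dev image.
        run: |
          if [[ "${GITHUB_REF}" == "refs/heads/master" || "${GITHUB_REF}" == refs/tags/* ]]; then
            echo "repo=${DOCKER_REPO@L}" >> "${GITHUB_OUTPUT}"
          else
            echo "repo=${DOCKER_REPO_DEV@L}" >> "${GITHUB_OUTPUT}"
          fi

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ steps.repo.outputs.repo }}
          tags: |
            type=semver,pattern={{version}},value=${{ steps.version.outputs.version }}

      - name: Set up QEMU
        if: matrix.needs_qemu
        uses: docker/setup-qemu-action@v3

      # Workaround: https://github.com/docker/build-push-action/issues/461
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver-opts: network=host

      # "without push" means without pushing to GHCR: the image goes to the
      # local registry service only so the scanner can pull it.
      - name: Build image without push to registry ${{ matrix.platform }}
        uses: docker/build-push-action@v5
        if: matrix.scan
        with:
          context: .
          file: ./Dockerfile
          platforms: ${{ matrix.platform }}
          push: true
          tags: localhost:5000/${{ env.IMAGE }}:latest
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            BUILD_DATE=${{ steps.version.outputs.build_date }}
            VCS_REF=${{ steps.version.outputs.vcs_ref }}
            VERSION=${{ steps.version.outputs.version }}

      # Fails the job on any CRITICAL finding before anything reaches GHCR.
      - name: Scan image
        id: scan
        uses: anchore/scan-action@v3
        if: matrix.scan
        with:
          image: localhost:5000/${{ env.IMAGE }}:latest
          fail-build: true
          severity-cutoff: critical
          output-format: sarif
          add-cpes-if-none: true

      # always() keeps the report visible in the Security tab even when the
      # scan step failed the build.
      - name: Upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@v3
        if: matrix.scan && always()
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # NOTE(review): both matrix legs push the same tag list, one platform
      # each; the leg that finishes last appears to overwrite the other, so
      # no multi-arch manifest is produced — verify, and consider building
      # both platforms in one step or merging by digest.
      - name: Build and push Docker image ${{ matrix.platform }}
        id: build-and-push
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          platforms: ${{ matrix.platform }}
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            BUILD_DATE=${{ steps.version.outputs.build_date }}
            VCS_REF=${{ steps.version.outputs.vcs_ref }}
            VERSION=${{ steps.version.outputs.version }}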