Skip to content

Merge pull request #78 from miljodir/dependabot/npm_and_yarn/web/ejs-… #157

Merge pull request #78 from miljodir/dependabot/npm_and_yarn/web/ejs-…

Merge pull request #78 from miljodir/dependabot/npm_and_yarn/web/ejs-… #157

name: Push web to GHCR
on:
workflow_dispatch:
push:
branches:
- master
paths:
- web/**
- "!*.md"
pull_request:
branches:
- master
paths:
- web/**
- "!*.md"
env:
REGISTRY: ghcr.io
REPO_NAME: ${{ github.repository }}
IMAGE_SUFFIX: "/web" # change to suit your image name
BUILD_CONTEXT: "./web" # change me to fit your image path
DOCKERFILE_PATH: "default" # change me if needed
ARTIFACT: dummyweb
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Workaround: https://github.com/docker/build-push-action/issues/461
- name: Setup Docker buildx
uses: docker/setup-buildx-action@v3
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate required output vars
id: env
shell: pwsh
run: |
$env:tag = (Get-Date -Format dd-MM-yyyy) + "." + ${{ github.run_number }}
Write-Host "::set-output name=tag::$($env:tag)"
if ("${{ env.DOCKERFILE_PATH }}" -eq "default")
{
$env:dockerfilePath = "${{ env.BUILD_CONTEXT}}/Dockerfile"
}
else
{
$env:dockerfilePath = "${{ env.DOCKERFILE_PATH }}"
}
Write-Host "::set-output name=DOCKERFILE_PATH::$($env:dockerfilePath)"
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.REGISTRY }}/${{ env.REPO_NAME }}${{ env.IMAGE_SUFFIX }}
tags: |
type=sha,format=long
type=raw,value=${{ steps.env.outputs.tag }}
type=raw,value=latest
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@v6
with:
context: ${{ env.BUILD_CONTEXT }}
file: ${{ steps.env.outputs.DOCKERFILE_PATH }}
push: ${{ github.event_name != 'pull_request' }}
load: ${{ github.event_name == 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
#outputs: type=docker,dest=/tmp/web.tar
#- run: docker load -i /tmp/web.tar
# - name: Container image scan
# if: github.event_name == 'pull_request'
# env:
# # See https://github.com/Azure/container-scan/issues/146
# DOCKLE_HOST: "unix:///var/run/docker.sock"
# id: scan
# uses: Azure/[email protected]
# with:
# image-name: ${{ env.REGISTRY }}/${{ env.REPO_NAME }}${{ env.IMAGE_SUFFIX }}:${{ steps.env.outputs.tag }}
# severity-threshold: "CRITICAL"
# - name: Run hadolint
# uses: hadolint/[email protected]
# with:
# dockerfile: ${{ steps.env.outputs.DOCKERFILE_PATH }}
# format: sarif
# output-file: hadolint-results.sarif
# no-fail: true
# - name: Upload analysis results to GitHub
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: hadolint-results.sarif
# - uses: actions/setup-dotnet@v3
# with:
# dotnet-version: |
# 6.0.x
# # Run Dockerfile and Docker image analyzers
# - name: Run Microsoft Security DevOps Analysis
# uses: microsoft/security-devops-action@preview
# env:
# #terrascan_SkipRules: ""
# GDN_TRIVY_ACTION: "image"
# GDN_TRIVY_IMAGEPATH: /tmp/web.tar
# id: msdo
# # Upload alerts to the Security tab
# - name: Upload alerts to Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: ${{ steps.msdo.outputs.sarifFile }}
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
# - name: Install cosign
# if: github.event_name != 'pull_request'
# uses: sigstore/[email protected]
# - name: Sign the images with GitHub OIDC Token
# if: ${{ github.event_name != 'pull_request' }}
# env:
# DIGEST: ${{ steps.build-and-push.outputs.digest }}
# TAGS: ${{ steps.meta.outputs.tags }}
# run: cosign sign --yes "${TAGS}@${DIGEST}"