From 10754b5584e676549fb49ff84cd0eb20d088137d Mon Sep 17 00:00:00 2001
From: e7d
Date: Fri, 29 Mar 2024 12:22:13 +0100
Subject: [PATCH] feat(): GitHub actions improvments
- use docker-metadata-action for tags
- use docker-scout for security checks
---
 .github/workflows/docker-image.yml | 70 +++++++++++++++++++-----------
 1 file changed, 45 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 7825dda..b0fa1d6 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -10,8 +10,15 @@ on: branches: - "main" +permissions: contents: read pull-requests: write + env: PLATFORMS: linux/amd64,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x + jobs: - docker: + build: runs-on: ubuntu-latest steps: - name: Checkout
@@ -25,35 +32,48 @@ jobs:
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Build and export
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ${{ vars.DOCKERHUB_IMAGE }}
+ labels: |
+ org.opencontainers.image.title=docker-diskmark
+ org.opencontainers.image.description=A disk benchmarking tool for Docker
+ org.opencontainers.image.revision=${{ env.SHA }}
+ tags: |
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=edge,branch=$repo.default_branch
+ type=sha,prefix=,suffix=,format=short
+ - name: Build and push Docker image
 uses: docker/build-push-action@v5
 with:
 context: .
- platforms: linux/amd64,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x
- cache-from: type=registry,ref=${{ vars.DOCKERHUB_IMAGE }}:buildcache
- cache-to: type=registry,ref=${{ vars.DOCKERHUB_IMAGE }}:buildcache,mode=max
+ platforms: ${{ env.PLATFORMS }}
+ cache-from: type=gha
+ cache-to: type=gha
 push: true
- tags: ${{ vars.DOCKERHUB_IMAGE }}:${{ github.sha }}
- - name: Push semver tags
- if: github.ref_type == 'tag'
- run: |
- GITHUB_REF=${{ github.ref }}
- GITHUB_TAG=${GITHUB_REF#refs/tags/}
- TAGS=""
- if [ "${GITHUB_TAG}" != *-* ]; then # if not a pre-release
- TAGS+=" --tag ${{ vars.DOCKERHUB_IMAGE }}:${GITHUB_TAG%%.*}" # major version tag (e.g. 1)
- TAGS+=" --tag ${{ vars.DOCKERHUB_IMAGE }}:${GITHUB_TAG%.*}" # major.minor version tag (e.g. 1.2)
- fi
- TAGS+=" --tag ${{ vars.DOCKERHUB_IMAGE }}:${GITHUB_TAG}" # full version tag (e.g. 1.2.3-rc.4)
- docker buildx imagetools create ${TAGS} ${{ vars.DOCKERHUB_IMAGE }}:${{ github.sha }}
- - name: Push "latest" tag
- if: github.ref == 'refs/heads/main'
- run: |
- docker buildx imagetools create \
- --tag ${{ vars.DOCKERHUB_IMAGE }}:latest \
- ${{ vars.DOCKERHUB_IMAGE }}:${{ github.sha }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ - name: Docker Scout
+ id: docker-scout
+ if: ${{ github.event_name == 'pull_request' }}
+ uses: docker/scout-action@v1
+ with:
+ command: cves,recommendations,compare
+ image: ${{ steps.meta.outputs.tags }}
+ to: ${{ vars.DOCKERHUB_IMAGE }}:latest
+ ignore-base: true
+ ignore-unchanged: true
+ only-fixed: true
+ # only-severities: critical,high
+ write-comment: true
+ github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Update repo description
- if: github.ref == 'refs/heads/main'
+ if: ${{ github.ref == 'refs/heads/main' }}
 uses: peter-evans/dockerhub-description@v3
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
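Review bot: The Docker Scout step added at the end of this hunk runs only after the preceding build-push step has already published every tag with `push: true`, so its CVE findings cannot keep an image out of the registry, and without `exit-code: true` the step does not fail the job either; set `exit-code: true` and, for pull-request runs, avoid publishing before the scan with `push: ${{ github.event_name != 'pull_request' }}` (the run would then need a locally loadable image to scan, which the multi-platform build does not produce, so that part needs a design decision rather than a one-line fix). The step also passes `image: ${{ steps.meta.outputs.tags }}`, which is a newline-separated list of all generated tags rather than one reference; on a pull_request run only the `type=sha` pattern can match, so this probably works by accident and should name a single reference explicitly. Separately, the label `org.opencontainers.image.revision=${{ env.SHA }}` reads an `env.SHA` that the `env:` block added in the first hunk does not define (it sets only PLATFORMS), so unless it is set somewhere outside this patch the label expands to an empty value and overrides the revision that docker/metadata-action already fills in from `github.sha`; dropping that line, or writing `org.opencontainers.image.revision=${{ github.sha }}`, fixes it.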