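# publish.yml
#
# Builds the grocy backend and frontend container images for a published
# GitHub release, pushes them to Docker Hub, then scans the pushed images and
# uploads the results as SARIF.
#
# NOTE(review): every `uses:` below references an action by a mutable tag
# (v3, v2.12, v2.7, v2). This job handles the Docker Hub credentials, so
# pinning each action to a full commit SHA would make the executed code
# immutable between runs.
name: publish grocy container images
on:
  release:
    types: [published]
jobs:
  build_and_push_latest:
    runs-on: ubuntu-latest
    # Declaring a permissions block sets every scope not listed here to "none"
    # for the job's GITHUB_TOKEN.
    permissions:
      security-events: write  # permit upload of sarif output from the workflow
    env:
      # Release tag text as entered by whoever published the release; treat it
      # as data and never expand it directly inside a shell script.
      GROCY_IMAGE_TAG: ${{ github.event.release.tag_name }}
    steps:
      - uses: actions/checkout@v3
      # Enable Ubuntu (jammy) repository packages, to ensure that a recent
      # version of 'buildah' is available
      # NOTE(review): these lines are appended regardless of which Ubuntu
      # release 'ubuntu-latest' currently resolves to; confirm that is intended.
      - run: echo "deb http://archive.ubuntu.com/ubuntu/ jammy main universe" | sudo tee -a /etc/apt/sources.list
      - run: echo "deb http://archive.ubuntu.com/ubuntu/ jammy-security main universe" | sudo tee -a /etc/apt/sources.list
      - run: sudo apt-get update
      - run: sudo apt-get install -y buildah qemu-user-static
      # Determine the grocy application version to bundle based on the image
      # tag to publish: sed strips a trailing "-<lowercase hex digits>" suffix.
      # The tag is read from the job-level environment variable rather than
      # through a workflow expression, so the runner never pastes the tag text
      # into the script source; the shell only sees it as a variable value.
      - run: echo "GROCY_VERSION=${GROCY_IMAGE_TAG}" | sed -e "s/-[0-9a-f]*$//" >> "$GITHUB_ENV"
      # Build multi-architecture container manifests
      # NOTE(review): the image.source label below points at a host other than
      # github.com; confirm it is the canonical repository URL, since image
      # consumers read this label as provenance information.
      - id: build-grocy-backend
        uses: redhat-actions/buildah-build@v2.12
        with:
          image: backend
          tags: ${{ env.GROCY_IMAGE_TAG }} ${{ env.GROCY_VERSION }}
          platforms: linux/amd64, linux/arm64/v8
          containerfiles: Containerfile-backend
          build-args: |
            GROCY_VERSION=${{ env.GROCY_VERSION }}
          labels: |
            org.opencontainers.image.documentation=https://grocy.info/
            org.opencontainers.image.source=https://github.com/grocy/grocy-docker/
            org.opencontainers.image.version=${{ env.GROCY_IMAGE_TAG }}
            org.opencontainers.image.licenses=MIT
      # NOTE(review): same image.source host question as the backend build.
      - id: build-grocy-frontend
        uses: redhat-actions/buildah-build@v2.12
        with:
          image: frontend
          tags: ${{ env.GROCY_IMAGE_TAG }} ${{ env.GROCY_VERSION }}
          platforms: linux/amd64, linux/arm64/v8
          containerfiles: Containerfile-frontend
          build-args: |
            GROCY_VERSION=${{ env.GROCY_VERSION }}
          labels: |
            org.opencontainers.image.documentation=https://grocy.info/
            org.opencontainers.image.source=https://github.com/grocy/grocy-docker/
            org.opencontainers.image.version=${{ env.GROCY_IMAGE_TAG }}
            org.opencontainers.image.licenses=MIT
      # Publish the container manifests
      # The Docker Hub credentials come from repository secrets and are passed
      # only to the two push steps.
      - uses: redhat-actions/push-to-registry@v2.7
        with:
          image: ${{ steps.build-grocy-backend.outputs.image }}
          tags: ${{ steps.build-grocy-backend.outputs.tags }}
          registry: docker.io/grocy
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - uses: redhat-actions/push-to-registry@v2.7
        with:
          image: ${{ steps.build-grocy-frontend.outputs.image }}
          tags: ${{ steps.build-grocy-frontend.outputs.tags }}
          registry: docker.io/grocy
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      # Perform vulnerability scanning
      # Note: please move this to *before* the container publish steps after
      # confirming a way to use anchore/scan-action with locally-built OCI
      # images. As written, the images are already public when the scan runs,
      # and 'fail-build: false' means findings are only reported through the
      # SARIF upload; they do not fail the job or block the release.
      - id: scan-grocy-backend
        uses: anchore/scan-action@v3
        with:
          image: docker.io/grocy/${{ steps.build-grocy-backend.outputs.image-with-tag }}
          fail-build: false  # TODO: remove this when scan-action steps are moved to before container publish
      - uses: github/codeql-action/upload-sarif@v2
        with:
          category: scan-grocy-backend
          sarif_file: ${{ steps.scan-grocy-backend.outputs.sarif }}
      - id: scan-grocy-frontend
        uses: anchore/scan-action@v3
        with:
          image: docker.io/grocy/${{ steps.build-grocy-frontend.outputs.image-with-tag }}
          fail-build: false  # TODO: remove this when scan-action steps are moved to before container publish
      - uses: github/codeql-action/upload-sarif@v2
        with:
          category: scan-grocy-frontend
          sarif_file: ${{ steps.scan-grocy-frontend.outputs.sarif }}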