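# CI workflow for diun: validate/lint, test, vulnerability scan, build release
# artifacts and container images, publish a GitHub release on tags, and run a
# Docker Scout scan of the edge image on master.
#
# NOTE(review): the reusable bake workflow and the docker-scout action are
# pinned to commit SHAs; the remaining third-party actions are pinned to
# mutable major-version tags.
name: build

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
# Default token scope for every job; jobs that need more request it explicitly.
permissions:
  contents: read

on:
  push:
    branches:
      - 'master'
    tags:
      - 'v*'
  pull_request:

env:
  DOCKERHUB_SLUG: crazymax/diun
  GHCR_SLUG: ghcr.io/crazy-max/diun
  # Build output directory shared by the bake targets and the artifact steps.
  DESTDIR: ./bin
  # Quoted so the value is unambiguously a string for the consuming action.
  DOCKER_BUILD_SUMMARY: "false"
  SCOUT_VERSION: "1.18.2"

jobs:
  # Computes the platform matrix consumed by the validate job.
  prepare:
    runs-on: ubuntu-latest
    outputs:
      validate-includes: ${{ steps.validate.outputs.matrix }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Validate matrix
        id: validate
        uses: docker/bake-action/subaction/matrix@v6
        with:
          target: validate
          fields: platforms
        env:
          GOLANGCI_LINT_MULTIPLATFORM: 1

  validate:
    runs-on: ubuntu-latest
    needs:
      - prepare
    strategy:
      fail-fast: false
      matrix:
        include: ${{ fromJson(needs.prepare.outputs.validate-includes) }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Validate
        uses: docker/bake-action@v6
        with:
          source: .
          targets: ${{ matrix.target }}
          set: |
            *.platform=${{ matrix.platforms }}

  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Test
        uses: docker/bake-action@v6
        with:
          source: .
          targets: test
          pull: true
      - name: Upload coverage
        uses: codecov/codecov-action@v5
        with:
          directory: ${{ env.DESTDIR }}/coverage
          token: ${{ secrets.CODECOV_TOKEN }}

  govulncheck:
    runs-on: ubuntu-latest
    permissions:
      # same as global permission
      contents: read
      # required to write sarif report
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Run
        uses: docker/bake-action@v6
        with:
          source: .
          targets: govulncheck
        env:
          GOVULNCHECK_FORMAT: sarif
      - name: Upload SARIF report
        # Only master results are uploaded to code scanning.
        if: ${{ github.ref == 'refs/heads/master' }}
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ env.DESTDIR }}/govulncheck.out

  # Builds the per-platform binaries (with SBOM) via the shared bake workflow.
  artifacts:
    uses: docker/github-builder-experimental/.github/workflows/bake.yml@8fc70909404a502fd0eca6601b99b32fa7192b03
    permissions:
      contents: read  # same as global permission
      id-token: write  # for signing attestation(s) with GitHub OIDC Token
    with:
      runner: amd64
      target: artifact-all
      output: local
      push: ${{ github.event_name != 'pull_request' }}
      artifact-name: diun
      bake-sbom: true

  # Collects the per-platform outputs into DESTDIR and uploads them as one
  # "release" artifact for the release job.
  artifacts-finalize:
    runs-on: ubuntu-latest
    needs:
      - artifacts
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@v6
        with:
          path: /tmp/buildx-output
          pattern: ${{ needs.artifacts.outputs.artifact-name }}*
          merge-multiple: true
      - name: Rename provenance and sbom
        # For each platform directory, derive the archive's base name and
        # prefix the provenance/SBOM files with it so they can be told apart
        # once everything is flattened into DESTDIR.
        run: |
          for pdir in /tmp/buildx-output/*/; do
            (
              cd "$pdir"
              binname=$(find . -name 'diun_*')
              filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
              # Use the computed base name; the rename must not rely on an
              # undefined command substitution.
              mv "provenance.json" "${filename}.provenance.json"
              mv "sbom-binary.spdx.json" "${filename}.sbom.json"
              find . -name 'sbom*.json' -exec rm {} \;
              if [ -f "provenance.sigstore.json" ]; then
                mv "provenance.sigstore.json" "${filename}.provenance.sigstore.json"
              fi
            )
          done
          mkdir -p "${{ env.DESTDIR }}"
          mv /tmp/buildx-output/**/* "${{ env.DESTDIR }}/"
      - name: List artifacts
        working-directory: ${{ env.DESTDIR }}
        run: |
          tree -nh .
      - name: Check artifacts
        working-directory: ${{ env.DESTDIR }}
        run: |
          find . -type f -exec file -e ascii -- {} +
      - name: Upload release binaries
        uses: actions/upload-artifact@v5
        with:
          name: release
          path: ${{ env.DESTDIR }}/*
          if-no-files-found: error

  release:
    runs-on: ubuntu-latest
    permissions:
      # required to create GitHub release
      contents: write
    needs:
      - artifacts-finalize
      - test
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Download release binaries
        uses: actions/download-artifact@v6
        with:
          path: ${{ env.DESTDIR }}/artifact
          name: release
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build
        uses: docker/bake-action@v6
        with:
          source: .
          targets: release
          provenance: false
      - name: List artifacts
        working-directory: ${{ env.DESTDIR }}/release
        run: |
          tree -nh .
      - name: GitHub Release
        uses: softprops/action-gh-release@v2
        # Draft release is created only for version tags.
        if: startsWith(github.ref, 'refs/tags/')
        with:
          draft: true
          files: |
            ${{ env.DESTDIR }}/release/*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Exposes the registry slugs as a job output so the reusable workflow below
  # can consume them (reusable workflow inputs cannot read the env context).
  image-prepare:
    runs-on: ubuntu-latest
    outputs:
      repo-slugs: |
        ${{ env.DOCKERHUB_SLUG }}
        ${{ env.GHCR_SLUG }}
    steps:
      # FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671
      - run: echo "Exposing env vars for reusable workflow"

  image:
    uses: docker/github-builder-experimental/.github/workflows/bake.yml@8fc70909404a502fd0eca6601b99b32fa7192b03
    permissions:
      contents: read  # same as global permission
      id-token: write  # for signing attestation(s) with GitHub OIDC Token
    needs:
      - image-prepare
      - artifacts-finalize
      - test
    with:
      runner: amd64
      target: image-all
      output: image
      # Images are pushed only for push events (branches/tags), never for PRs.
      push: ${{ github.event_name != 'pull_request' }}
      set-meta-labels: true
      meta-images: |
        ${{ needs.image-prepare.outputs.repo-slugs }}
      meta-tags: |
        type=semver,pattern={{version}}
        type=semver,pattern={{major}}.{{minor}}
        type=semver,pattern={{major}}
        type=ref,event=pr
        type=edge
      meta-labels: |
        org.opencontainers.image.title=Diun
        org.opencontainers.image.description=Docker image update notifier
        org.opencontainers.image.vendor=CrazyMax
      bake-sbom: true
    secrets:
      registry-auths: |
        - registry: docker.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
        - registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

  # Scans the freshly pushed edge image and reports findings to code scanning.
  scout:
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/master' }}
    permissions:
      # same as global permission
      contents: read
      # required to write sarif report
      security-events: write
    needs:
      - image
    steps:
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Scout
        id: scout
        uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4
        with:
          version: ${{ env.SCOUT_VERSION }}
          format: sarif
          image: registry://${{ env.DOCKERHUB_SLUG }}:edge
      - name: Upload SARIF report
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ steps.scout.outputs.result-file }}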