name: build concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read on: push: branches: - 'master' tags: - 'v*' pull_request: env: DOCKERHUB_SLUG: crazymax/diun GHCR_SLUG: ghcr.io/crazy-max/diun DESTDIR: ./bin DOCKER_BUILD_SUMMARY: false SCOUT_VERSION: "1.18.2" jobs: prepare: runs-on: ubuntu-latest outputs: validate-includes: ${{ steps.validate.outputs.matrix }} artifact-includes: ${{ steps.artifact.outputs.matrix }} steps: - name: Checkout uses: actions/checkout@v5 - name: Validate matrix id: validate uses: docker/bake-action/subaction/matrix@v6 with: target: validate fields: platforms env: GOLANGCI_LINT_MULTIPLATFORM: 1 - name: Artifact matrix id: artifact uses: docker/bake-action/subaction/matrix@v6 with: target: artifact-all fields: platforms validate: runs-on: ubuntu-latest needs: - prepare strategy: fail-fast: false matrix: include: ${{ fromJson(needs.prepare.outputs.validate-includes) }} steps: - name: Checkout uses: actions/checkout@v5 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Validate uses: docker/bake-action@v6 with: source: . targets: ${{ matrix.target }} set: | *.platform=${{ matrix.platforms }} test: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v5 with: fetch-depth: 0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Test uses: docker/bake-action@v6 with: source: . targets: test pull: true - name: Upload coverage uses: codecov/codecov-action@v5 with: directory: ${{ env.DESTDIR }}/coverage token: ${{ secrets.CODECOV_TOKEN }} govulncheck: runs-on: ubuntu-latest permissions: # same as global permission contents: read # required to write sarif report security-events: write steps: - name: Checkout uses: actions/checkout@v5 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Run uses: docker/bake-action@v6 with: source: . targets: govulncheck env: GOVULNCHECK_FORMAT: sarif - name: Upload SARIF report if: ${{ github.ref == 'refs/heads/master' }} uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ env.DESTDIR }}/govulncheck.out artifact: runs-on: ubuntu-latest needs: - prepare - validate strategy: fail-fast: false matrix: include: ${{ fromJson(needs.prepare.outputs.artifact-includes) }} steps: - name: Prepare run: | platform=${{ matrix.platforms }} echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - name: Checkout uses: actions/checkout@v5 with: fetch-depth: 0 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Build uses: docker/bake-action@v6 with: source: . targets: artifact provenance: mode=max sbom: true pull: true set: | *.platform=${{ matrix.platforms }} - name: Rename provenance and sbom working-directory: ${{ env.DESTDIR }}/artifact run: | binname=$(find . -name 'diun_*') filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//') mv "provenance.json" "${filename}.provenance.json" mv "sbom-binary.spdx.json" "${filename}.sbom.json" find . -name 'sbom*.json' -exec rm {} \; - name: List artifacts run: | tree -nh ${{ env.DESTDIR }} - name: Upload artifact uses: actions/upload-artifact@v4 with: name: diun-${{ env.PLATFORM_PAIR }} path: ${{ env.DESTDIR }} if-no-files-found: error release: runs-on: ubuntu-latest permissions: # required to create GitHub release contents: write needs: - artifact - test steps: - name: Checkout uses: actions/checkout@v5 - name: Download artifacts uses: actions/download-artifact@v6 with: path: ${{ env.DESTDIR }} pattern: diun-* merge-multiple: true - name: List artifacts run: | tree -nh ${{ env.DESTDIR }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Build uses: docker/bake-action@v6 with: source: . targets: release provenance: false - name: GitHub Release uses: softprops/action-gh-release@v2 if: startsWith(github.ref, 'refs/tags/') with: draft: true files: | ${{ env.DESTDIR }}/release/* env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} image: runs-on: ubuntu-latest permissions: # same as global permissions contents: read # required to push to GHCR packages: write needs: - artifact - test steps: - name: Checkout uses: actions/checkout@v5 with: fetch-depth: 0 - name: Docker meta id: meta uses: docker/metadata-action@v5 with: images: | ${{ env.DOCKERHUB_SLUG }} ${{ env.GHCR_SLUG }} tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} type=ref,event=pr type=edge labels: | org.opencontainers.image.title=Diun org.opencontainers.image.description=Docker image update notifier org.opencontainers.image.vendor=CrazyMax - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to DockerHub if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Login to GHCR if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build uses: docker/bake-action@v6 with: source: . files: | ./docker-bake.hcl ${{ steps.meta.outputs.bake-file }} targets: image-all provenance: mode=max sbom: true pull: true push: ${{ github.event_name != 'pull_request' }} - name: Check manifest if: github.event_name != 'pull_request' run: | docker buildx imagetools inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }} docker buildx imagetools inspect ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }} - name: Inspect image if: github.event_name != 'pull_request' run: | docker pull ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }} docker image inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }} docker pull ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }} docker image inspect ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }} scout: runs-on: ubuntu-latest if: ${{ github.ref == 'refs/heads/master' }} permissions: # same as global permission contents: read # required to write sarif report security-events: write needs: - image steps: - name: Login to DockerHub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Scout id: scout uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4 with: version: ${{ env.SCOUT_VERSION }} format: sarif image: registry://${{ env.DOCKERHUB_SLUG }}:edge - name: Upload SARIF report uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.scout.outputs.result-file }}