mirror of
https://github.com/crazy-max/diun.git
synced 2025-12-25 06:49:28 +01:00
305 lines
8.1 KiB
YAML
305 lines
8.1 KiB
YAML
name: build
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
|
|
permissions:
|
|
contents: read
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- 'master'
|
|
tags:
|
|
- 'v*'
|
|
pull_request:
|
|
|
|
env:
|
|
DOCKERHUB_SLUG: crazymax/diun
|
|
GHCR_SLUG: ghcr.io/crazy-max/diun
|
|
DESTDIR: ./bin
|
|
DOCKER_BUILD_SUMMARY: false
|
|
SCOUT_VERSION: "1.18.2"
|
|
|
|
jobs:
|
|
prepare:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
validate-includes: ${{ steps.validate.outputs.matrix }}
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v6
|
|
-
|
|
name: Validate matrix
|
|
id: validate
|
|
uses: docker/bake-action/subaction/matrix@v6
|
|
with:
|
|
target: validate
|
|
fields: platforms
|
|
env:
|
|
GOLANGCI_LINT_MULTIPLATFORM: 1
|
|
|
|
validate:
|
|
runs-on: ubuntu-latest
|
|
needs:
|
|
- prepare
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include: ${{ fromJson(needs.prepare.outputs.validate-includes) }}
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v6
|
|
-
|
|
name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
-
|
|
name: Validate
|
|
uses: docker/bake-action@v6
|
|
with:
|
|
source: .
|
|
targets: ${{ matrix.target }}
|
|
set: |
|
|
*.platform=${{ matrix.platforms }}
|
|
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v6
|
|
with:
|
|
fetch-depth: 0
|
|
-
|
|
name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
-
|
|
name: Test
|
|
uses: docker/bake-action@v6
|
|
with:
|
|
source: .
|
|
targets: test
|
|
pull: true
|
|
-
|
|
name: Upload coverage
|
|
uses: codecov/codecov-action@v5
|
|
with:
|
|
directory: ${{ env.DESTDIR }}/coverage
|
|
token: ${{ secrets.CODECOV_TOKEN }}
|
|
|
|
govulncheck:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
# same as global permission
|
|
contents: read
|
|
# required to write sarif report
|
|
security-events: write
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v6
|
|
-
|
|
name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
-
|
|
name: Run
|
|
uses: docker/bake-action@v6
|
|
with:
|
|
source: .
|
|
targets: govulncheck
|
|
env:
|
|
GOVULNCHECK_FORMAT: sarif
|
|
-
|
|
name: Upload SARIF report
|
|
if: ${{ github.ref == 'refs/heads/master' }}
|
|
uses: github/codeql-action/upload-sarif@v4
|
|
with:
|
|
sarif_file: ${{ env.DESTDIR }}/govulncheck.out
|
|
|
|
artifacts:
|
|
uses: docker/github-builder-experimental/.github/workflows/bake.yml@8fc70909404a502fd0eca6601b99b32fa7192b03
|
|
permissions:
|
|
contents: read # same as global permission
|
|
id-token: write # for signing attestation(s) with GitHub OIDC Token
|
|
with:
|
|
runner: amd64
|
|
target: artifact-all
|
|
output: local
|
|
push: ${{ github.event_name != 'pull_request' }}
|
|
artifact-name: diun
|
|
bake-sbom: true
|
|
|
|
artifacts-finalize:
|
|
runs-on: ubuntu-latest
|
|
needs:
|
|
- artifacts
|
|
steps:
|
|
-
|
|
name: Download artifacts
|
|
uses: actions/download-artifact@v6
|
|
with:
|
|
path: /tmp/buildx-output
|
|
pattern: ${{ needs.artifacts.outputs.artifact-name }}*
|
|
merge-multiple: true
|
|
-
|
|
name: Rename provenance and sbom
|
|
run: |
|
|
for pdir in /tmp/buildx-output/*/; do
|
|
(
|
|
cd "$pdir"
|
|
binname=$(find . -name 'diun_*')
|
|
filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
|
|
mv "provenance.json" "${filename}.provenance.json"
|
|
mv "sbom-binary.spdx.json" "${filename}.sbom.json"
|
|
find . -name 'sbom*.json' -exec rm {} \;
|
|
if [ -f "provenance.sigstore.json" ]; then
|
|
mv "provenance.sigstore.json" "${filename}.provenance.sigstore.json"
|
|
fi
|
|
)
|
|
done
|
|
mkdir -p "${{ env.DESTDIR }}"
|
|
mv /tmp/buildx-output/**/* "${{ env.DESTDIR }}/"
|
|
-
|
|
name: List artifacts
|
|
working-directory: ${{ env.DESTDIR }}
|
|
run: |
|
|
tree -nh .
|
|
-
|
|
name: Check artifacts
|
|
working-directory: ${{ env.DESTDIR }}
|
|
run: |
|
|
find . -type f -exec file -e ascii -- {} +
|
|
-
|
|
name: Upload release binaries
|
|
uses: actions/upload-artifact@v5
|
|
with:
|
|
name: release
|
|
path: ${{ env.DESTDIR }}/*
|
|
if-no-files-found: error
|
|
|
|
release:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
# required to create GitHub release
|
|
contents: write
|
|
needs:
|
|
- artifacts-finalize
|
|
- test
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v6
|
|
-
|
|
name: Download release binaries
|
|
uses: actions/download-artifact@v6
|
|
with:
|
|
path: ${{ env.DESTDIR }}/artifact
|
|
name: release
|
|
-
|
|
name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
-
|
|
name: Build
|
|
uses: docker/bake-action@v6
|
|
with:
|
|
source: .
|
|
targets: release
|
|
provenance: false
|
|
-
|
|
name: List artifacts
|
|
working-directory: ${{ env.DESTDIR }}/release
|
|
run: |
|
|
tree -nh .
|
|
-
|
|
name: GitHub Release
|
|
uses: softprops/action-gh-release@v2
|
|
if: startsWith(github.ref, 'refs/tags/')
|
|
with:
|
|
draft: true
|
|
files: |
|
|
${{ env.DESTDIR }}/release/*
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
image-prepare:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
repo-slugs: |
|
|
${{ env.DOCKERHUB_SLUG }}
|
|
${{ env.GHCR_SLUG }}
|
|
steps:
|
|
# FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671
|
|
- run: echo "Exposing env vars for reusable workflow"
|
|
|
|
image:
|
|
uses: docker/github-builder-experimental/.github/workflows/bake.yml@8fc70909404a502fd0eca6601b99b32fa7192b03
|
|
permissions:
|
|
contents: read # same as global permission
|
|
id-token: write # for signing attestation(s) with GitHub OIDC Token
|
|
needs:
|
|
- image-prepare
|
|
- artifacts-finalize
|
|
- test
|
|
with:
|
|
runner: amd64
|
|
target: image-all
|
|
output: image
|
|
push: ${{ github.event_name != 'pull_request' }}
|
|
set-meta-labels: true
|
|
meta-images: |
|
|
${{ needs.image-prepare.outputs.repo-slugs }}
|
|
meta-tags: |
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=semver,pattern={{major}}
|
|
type=ref,event=pr
|
|
type=edge
|
|
meta-labels: |
|
|
org.opencontainers.image.title=Diun
|
|
org.opencontainers.image.description=Docker image update notifier
|
|
org.opencontainers.image.vendor=CrazyMax
|
|
bake-sbom: true
|
|
secrets:
|
|
registry-auths: |
|
|
- registry: docker.io
|
|
username: ${{ secrets.DOCKER_USERNAME }}
|
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
- registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
scout:
|
|
runs-on: ubuntu-latest
|
|
if: ${{ github.ref == 'refs/heads/master' }}
|
|
permissions:
|
|
# same as global permission
|
|
contents: read
|
|
# required to write sarif report
|
|
security-events: write
|
|
needs:
|
|
- image
|
|
steps:
|
|
-
|
|
name: Login to DockerHub
|
|
uses: docker/login-action@v3
|
|
with:
|
|
username: ${{ secrets.DOCKER_USERNAME }}
|
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
-
|
|
name: Scout
|
|
id: scout
|
|
uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4
|
|
with:
|
|
version: ${{ env.SCOUT_VERSION }}
|
|
format: sarif
|
|
image: registry://${{ env.DOCKERHUB_SLUG }}:edge
|
|
-
|
|
name: Upload SARIF report
|
|
uses: github/codeql-action/upload-sarif@v4
|
|
with:
|
|
sarif_file: ${{ steps.scout.outputs.result-file }}
|