mirrors/diun
1
0
Fork 0
mirror of https://github.com/crazy-max/diun.git synced 2025-12-21 13:23:09 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
2878c49f26faa09a782d2e65ed3dd2c23c75caa8
diun/.github/workflows/build.yml
CrazyMax 2878c49f26 govulncheck to report known vulnerabilities
2025-08-03 21:09:26 +02:00

361 lines
10 KiB
YAML
Raw Blame History

name: build
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
on:
push:
branches:
- 'master'
tags:
- 'v*'
pull_request:
env:
DOCKERHUB_SLUG: crazymax/diun
GHCR_SLUG: ghcr.io/crazy-max/diun
DESTDIR: ./bin
DOCKER_BUILD_SUMMARY: false
jobs:
prepare:
runs-on: ubuntu-latest
outputs:
validate-includes: ${{ steps.validate.outputs.includes }}
artifact-platforms: ${{ steps.artifact.outputs.platforms }}
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Validate matrix
id: validate
uses: actions/github-script@v7
env:
GOLANGCI_LINT_MULTIPLATFORM: 1
with:
script: |
let def = {};
await core.group(`Parsing definition`, async () => {
const resPrint = await exec.getExecOutput('docker', ['buildx', 'bake', 'validate', '--print'], {
ignoreReturnCode: true
});
if (resPrint.stderr.length > 0 && resPrint.exitCode != 0) {
throw new Error(res.stderr);
}
def = JSON.parse(resPrint.stdout.trim());
});
await core.group(`Generating matrix`, async () => {
const includes = [];
for (const targetName of Object.keys(def.target)) {
const target = def.target[targetName];
if (target.platforms && target.platforms.length > 0) {
target.platforms.forEach(platform => {
includes.push({
target: targetName,
platform: platform
});
});
} else {
includes.push({
target: targetName
});
}
}
core.info(JSON.stringify(includes, null, 2));
core.setOutput('includes', JSON.stringify(includes));
});
-
name: Artifact matrix
id: artifact
uses: actions/github-script@v7
with:
script: |
const targetName = 'artifact-all';
let def = {};
await core.group(`Parsing definition`, async () => {
const resPrint = await exec.getExecOutput('docker', ['buildx', 'bake', targetName, '--print'], {
ignoreReturnCode: true
});
if (resPrint.stderr.length > 0 && resPrint.exitCode != 0) {
throw new Error(res.stderr);
}
def = JSON.parse(resPrint.stdout.trim());
});
await core.group(`Generating matrix`, async () => {
const platforms = def.target?.[targetName]?.platforms ?? [];
if (platforms.length === 0) {
throw new Error(`No platforms found for ${targetName} target`);
}
core.info(JSON.stringify(platforms, null, 2));
core.setOutput('platforms', JSON.stringify(platforms));
});
validate:
runs-on: ubuntu-latest
needs:
- prepare
strategy:
fail-fast: false
matrix:
include: ${{ fromJson(needs.prepare.outputs.validate-includes) }}
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Validate
uses: docker/bake-action@v6
with:
source: .
targets: ${{ matrix.target }}
set: |
*.platform=${{ matrix.platform }}
test:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Test
uses: docker/bake-action@v6
with:
source: .
targets: test
pull: true
-
name: Upload coverage
uses: codecov/codecov-action@v5
with:
directory: ${{ env.DESTDIR }}/coverage
token: ${{ secrets.CODECOV_TOKEN }}
govulncheck:
runs-on: ubuntu-latest
permissions:
# same as global permission
contents: read
# required to write sarif report
security-events: write
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Run
uses: docker/bake-action@v6
with:
source: .
targets: govulncheck
env:
GOVULNCHECK_FORMAT: sarif
-
name: Upload SARIF report
if: ${{ github.ref == 'refs/heads/master' }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ env.DESTDIR }}/govulncheck.out
artifact:
runs-on: ubuntu-latest
needs:
- prepare
- validate
strategy:
fail-fast: false
matrix:
platform: ${{ fromJson(needs.prepare.outputs.artifact-platforms) }}
steps:
-
name: Prepare
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-
name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build
uses: docker/bake-action@v6
with:
source: .
targets: artifact
provenance: mode=max
sbom: true
pull: true
set: |
*.platform=${{ matrix.platform }}
-
name: Rename provenance and sbom
working-directory: ${{ env.DESTDIR }}/artifact
run: |
binname=$(find . -name 'diun_*')
filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
mv "provenance.json" "${filename}.provenance.json"
mv "sbom-binary.spdx.json" "${filename}.sbom.json"
find . -name 'sbom*.json' -exec rm {} \;
-
name: List artifacts
run: |
tree -nh ${{ env.DESTDIR }}
-
name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: diun-${{ env.PLATFORM_PAIR }}
path: ${{ env.DESTDIR }}
if-no-files-found: error
release:
runs-on: ubuntu-latest
permissions:
# required to create GitHub release
contents: write
needs:
- artifact
- test
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Download artifacts
uses: actions/download-artifact@v4
with:
path: ${{ env.DESTDIR }}
pattern: diun-*
merge-multiple: true
-
name: List artifacts
run: |
tree -nh ${{ env.DESTDIR }}
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build
uses: docker/bake-action@v6
with:
source: .
targets: release
provenance: false
-
name: GitHub Release
uses: softprops/action-gh-release@v2
if: startsWith(github.ref, 'refs/tags/')
with:
draft: true
files: |
${{ env.DESTDIR }}/release/*
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
image:
runs-on: ubuntu-latest
permissions:
# same as global permissions
contents: read
# required to push to GHCR
packages: write
needs:
- artifact
- test
steps:
-
name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
-
name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.DOCKERHUB_SLUG }}
${{ env.GHCR_SLUG }}
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=ref,event=pr
type=edge
labels: |
org.opencontainers.image.title=Diun
org.opencontainers.image.description=Docker image update notifier
org.opencontainers.image.vendor=CrazyMax
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Login to DockerHub
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
-
name: Login to GHCR
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Build
uses: docker/bake-action@v6
with:
source: .
files: |
./docker-bake.hcl
${{ steps.meta.outputs.bake-file }}
targets: image-all
provenance: mode=max
sbom: true
pull: true
push: ${{ github.event_name != 'pull_request' }}
-
name: Check manifest
if: github.event_name != 'pull_request'
run: |
docker buildx imagetools inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }}
docker buildx imagetools inspect ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}
-
name: Inspect image
if: github.event_name != 'pull_request'
run: |
docker pull ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }}
docker image inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }}
docker pull ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}
docker image inspect ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}
Reference in New Issue View Git Blame Copy Permalink