chaos/docker-salt-master
Archived
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This repository has been archived on 2025-11-20. You can view files and clone it, but cannot push or open issues or pull requests.
Files
cc598aeecf1ce7c20a9db6bb5ca69db7aeac07c3
docker-salt-master/.github/workflows/publish.yml
Carlos Álvaro f319d00adf ci: Bring back support for Linux ARMv7 platform
2020-10-20 19:58:53 +02:00

122 lines
3.5 KiB
YAML
Raw Blame History

name: Publish Docker image
on:
push:
branches:
- master
paths-ignore:
- './**/*.md'
- 'LICENSE'
release:
types:
- created
env:
GITHUB_REF_NAME: ${{ github.event.release.tag_name }}
IMAGE_NAME: cdalvaro/docker-salt-master
PLATFORMS: linux/amd64,linux/arm64,linux/arm/v7
CACHE_PATH: /tmp/.buildx-docker-salt-master-cache
EXTRA_REGISTRIES: ghcr.io quay.io
jobs:
publish:
name: Publish
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Cache Docker layers
uses: actions/cache@v2
with:
path: ${{ env.CACHE_PATH }}
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Login to Docker Container Registry
uses: docker/login-action@v1
with:
username: ${{ github.repository_owner }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.CR_PAT }}
- name: Login to Quay.io Container Registry
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
- name: Prepare metadata
id: metadata
run: |
# Tags
DOCKER_IMAGE="${IMAGE_NAME}:${GITHUB_REF_NAME:-latest}"
TAGS="${DOCKER_IMAGE}"
for registry in ${EXTRA_REGISTRIES}; do
TAGS="${TAGS},${registry}/${DOCKER_IMAGE}"
done
# Build args
VCS_REF="${GITHUB_SHA::8}"
CREATED_ON="$(date +"%Y-%m-%d %H:%M:%S%:z")"
echo ::set-output name=tags::${TAGS}
echo ::set-output name=vcs_ref::${VCS_REF}
echo ::set-output name=created_on::${CREATED_ON}
- name: Build
uses: docker/build-push-action@v2
with:
context: .
file: ./Dockerfile
platforms: ${{ env.PLATFORMS }}
build-args: |
VCS_REF=${{ steps.metadata.outputs.vcs_ref }}
BUILD_DATE=${{ steps.metadata.outputs.created_on }}
cache-from: type=local,src=${{ env.CACHE_PATH }}
cache-to: type=local,dest=${{ env.CACHE_PATH }}
push: true
tags: ${{ steps.metadata.outputs.tags }}
security-analysis:
name: Security analysis
runs-on: ubuntu-latest
needs: publish
steps:
- name: Prepare metadata
id: metadata
run: |
IMAGE_REF="${IMAGE_NAME}:${GITHUB_REF_NAME:-latest}"
echo ::set-output name=image_ref::${IMAGE_REF}
- name: Import Docker images
run: docker pull ${{ steps.metadata.outputs.image_ref }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.metadata.outputs.image_ref }}
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'HIGH,CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results.sarif'
Reference in New Issue View Git Blame Copy Permalink