ci: build different image types #5
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: | |
schedule: | |
- cron: 0 8 * * 1 | |
workflow_dispatch: | |
inputs: | |
environment: | |
type: choice | |
options: | |
- testing | |
- production | |
default: testing | |
description: "Choose the environment to bake the images for" | |
push: | |
jobs: | |
testbuild: | |
name: Build for testing | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
security-events: write | |
outputs: | |
metadata: ${{ steps.build.outputs.metadata }} | |
images: ${{ steps.images.outputs.images }} | |
steps: | |
- name: Checkout Code | |
uses: actions/checkout@v4 | |
- name: Log in to the GitHub Container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
with: | |
platforms: 'arm64' | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
driver-opts: network=host | |
- name: Build and push | |
uses: docker/bake-action@v6 | |
id: build | |
env: | |
# Set the environment variable to the value of the input. If the input is not set, we are running via cron, | |
# so default to production. | |
#environment: ${{ github.event.inputs.environment || 'production' }} | |
environment: testing | |
registry: ghcr.io/${{ github.repository_owner }} | |
revision: ${{ github.sha }} | |
with: | |
push: true | |
- name: Generated images | |
id: images | |
run: | | |
echo "images=$(echo '${{steps.build.outputs.metadata}}' | jq -c '[ .[]."image.name" | sub(",.*";"" )]')" >> "$GITHUB_OUTPUT" | |
security: | |
name: Security checks | |
runs-on: ubuntu-latest | |
needs: | |
- testbuild | |
strategy: | |
matrix: | |
image: ${{fromJson(needs.testbuild.outputs.images)}} | |
steps: | |
- name: Checkout Code | |
uses: actions/checkout@v4 | |
- name: Log in to the GitHub Container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Dockle | |
uses: erzz/dockle-action@v1 | |
with: | |
image: ${{ matrix.image }} | |
exit-code: '1' | |
- name: Snyk | |
uses: snyk/actions/docker@master | |
continue-on-error: true | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: "${{ matrix.image }}" | |
args: --severity-threshold=high --file=Dockerfile | |
- name: Upload result to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v3 | |
continue-on-error: true | |
with: | |
sarif_file: snyk.sarif | |
# TODO: no need to rebuild everything, just copy the testing images to the production registry | |
prodbuild: | |
if: github.event.inputs.environment == 'production' || github.event_name == 'schedule' | |
name: Build for production | |
runs-on: ubuntu-latest | |
needs: | |
- security | |
permissions: | |
contents: read | |
packages: write | |
security-events: write | |
steps: | |
- name: Checkout Code | |
uses: actions/checkout@v4 | |
- name: Log in to the GitHub Container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
with: | |
platforms: 'arm64' | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
driver-opts: network=host | |
- name: Build and push | |
uses: docker/bake-action@v6 | |
id: build | |
env: | |
# Set the environment variable to the value of the input. If the input is not set, we are running via cron, | |
# so default to production. | |
environment: production | |
registry: ghcr.io/${{ github.repository_owner }} | |
revision: ${{ github.sha }} | |
with: | |
push: true |