diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9d3e1aa..8472f15 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,7 +5,6 @@ on:
 push:
 branches:
 - main
- - stable/*
 tags:
 - '*'
 pull_request:
@@ -57,7 +56,6 @@ jobs:
 - name: Run tests
 run: |
- python src/manage.py compilemessages
 python src/manage.py collectstatic --noinput --link
 coverage run src/manage.py test src
 env:
@@ -107,12 +105,77 @@ jobs:
 docker:
 needs: tests
- name: Build (and push) Docker image
+ name: Build Docker image
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - name: Set tag
+ - uses: actions/checkout@v4
+ - name: Determine tag/commit hash
+ id: vars
+ run: |
+ # Strip git ref prefix from version
+ VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
+ # Strip "v" prefix from tag name (if present at all)
+ [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
+ # Use Docker `latest` tag convention
+ [ "$VERSION" == "main" ] && VERSION=latest
+ echo "tag=${VERSION}" >> $GITHUB_OUTPUT
+ echo "git_hash=${GITHUB_SHA}" >> $GITHUB_OUTPUT
+ - name: Build the Docker image
+ run: |
+ docker build \
+ --tag $IMAGE_NAME:${{ steps.vars.outputs.tag }} \
+ --build-arg COMMIT_HASH=${{ steps.vars.outputs.git_hash }} \
+ --build-arg RELEASE=${{ steps.vars.outputs.tag }} \
+ .
+ - run: docker image save -o image.tar $IMAGE_NAME:${{ steps.vars.outputs.tag }}
+ - name: Store image artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: docker-image
+ path: image.tar
+ retention-days: 1
+
+ # image_scan:
+ # runs-on: ubuntu-latest
+ # name: Scan docker image
+ # needs:
+ # - docker
+
+ # steps:
+ # - name: Download built image
+ # uses: actions/download-artifact@v3
+ # with:
+ # name: docker-image
+ # - name: Scan image with Trivy
+ # uses: aquasecurity/trivy-action@master
+ # with:
+ # input: /github/workspace/image.tar # from download-artifact
+ # format: 'sarif'
+ # output: 'trivy-results-docker.sarif'
+ # ignore-unfixed: true
+ # - name: Upload results to GH Security tab
+ # uses: github/codeql-action/upload-sarif@v3
+ # with:
+ # sarif_file: 'trivy-results-docker.sarif'
+
+ publish:
+ needs:
+ - tests
+ - docker
+
+ name: Push Docker image
+ runs-on: ubuntu-latest
+ if: github.event_name == 'push' # exclude PRs
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Download built image
+ uses:
actions/download-artifact@v3
+ with:
+ name: docker-image
+
+ - name: Determine tag/commit hash
 id: vars
 run: |
 # Strip git ref prefix from version
@@ -122,21 +185,16 @@ jobs:
 [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
 # Use Docker `latest` tag convention
- [ "$VERSION" == "develop" ] && VERSION=latest
+ [ "$VERSION" == "main" ] && VERSION=latest
- echo ::set-output name=tag::${VERSION}
+ echo "tag=${VERSION}" >> $GITHUB_OUTPUT
- - name: Build the Docker image
- env:
- RELEASE_VERSION: ${{ steps.vars.outputs.tag }}
- run: docker build . --tag $IMAGE_NAME:$RELEASE_VERSION
+ - name: Load image
+ run: |
+ docker image load -i image.tar
 - name: Log into registry
- if: github.event_name == 'push' # exclude PRs
 run: echo "${{ secrets.DOCKER_TOKEN }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
 - name: Push the Docker image
- if: github.event_name == 'push' # exclude PRs
- env:
- RELEASE_VERSION: ${{ steps.vars.outputs.tag }}
- run: docker push $IMAGE_NAME:$RELEASE_VERSION
+ run: docker push $IMAGE_NAME:${{ steps.vars.outputs.tag }}
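Review bot: The new "Determine tag/commit hash" step in the `docker` job expands `${{ github.ref }}` directly into the `run:` script, so the branch or tag name becomes part of the script text before bash parses it instead of being passed as data; GitHub's hardening guidance for workflows is to route such context values through `env:` and read them as quoted shell variables, which also keeps the ref name out of the command-substitution and `[[ ]]` lines. The same inline expansion is repeated in the `publish` job's copy of the step at the end of this hunk and, indirectly through `steps.vars.outputs.tag`, in the `docker build` and `docker image save` lines. The commented-out `image_scan` job references `aquasecurity/trivy-action@master`, a mutable ref; if that job is re-enabled it should be pinned at least to a versioned tag as the other actions are. The artifact steps stay on `actions/upload-artifact@v3` / `actions/download-artifact@v3` while checkout was bumped to `@v4`; consider aligning the major versions in the same change.
```yaml
        id: vars
        env:
          REF: ${{ github.ref }}
        run: |
          VERSION=$(echo "$REF" | sed -e 's,.*/\(.*\),\1,')
          [[ "$REF" == "refs/tags/"* ]] && VERSION=$(echo "$VERSION" | sed -e 's/^v//')
          # … unchanged: latest-tag mapping and the $GITHUB_OUTPUT writes …
```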
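Review bot: The `publish` job recomputes the image tag with a second copy of the ref-parsing script rather than consuming the value the `docker` job already derived, so the two `sed` pipelines and the `main` → `latest` mapping must stay in lockstep or `docker push` at the end of the hunk will target a tag that `docker image load` never produced. Declaring `outputs:` with `tag: ${{ steps.vars.outputs.tag }}` on the `docker` job and pushing `$IMAGE_NAME:${{ needs.docker.outputs.tag }}` would remove the duplicated step together with its second inline `${{ github.ref }}` expansion. The `Determine tag/commit hash` step this hunk edits begins in the previous hunk, and the `publish` job header is outside this hunk as well.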