Skip to content

chore(deps): bump nrkno/github-workflow-docker-build-push #315

chore(deps): bump nrkno/github-workflow-docker-build-push

chore(deps): bump nrkno/github-workflow-docker-build-push #315

Workflow file for this run

name: NodeJS Build and Push
on:
push:
branches:
- '**'
tags:
- 'v**'
workflow_dispatch:
jobs:
lint:
name: Linter
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Use Node.js 18.x
uses: actions/setup-node@v4
with:
node-version: 18.x
- name: Prepare environment
run: yarn
- name: Run linter
run: yarn lint
build-and-test:
name: Tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Use Node.js 18.x
uses: actions/setup-node@v4
with:
node-version: 18.x
- name: Prepare environment
run: yarn
- name: Build
run: yarn build
- name: Run tests
run: yarn test
validate-prod-dependencies:
name: Validate production dependencies
runs-on: ubuntu-latest
continue-on-error: true
timeout-minutes: 15
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Use Node.js 18.x
uses: actions/setup-node@v4
with:
node-version: 18.x
- name: Prepare Environment
run: yarn
- name: Validate production dependencies
run: |
if ! git log --format=oneline -n 1 | grep -q "\[ignore-audit\]"; then
yarn validate:dependencies
else
echo "Skipping audit"
fi
trivy-scanning:
uses: nrkno/github-workflow-docker-build-push/.github/workflows/[email protected]
with:
runs-on: "['ubuntu-latest']"
registry-url: ghcr.io
name: nrkno/sofie-monitor
# Don't actually push any images, this is just for trivy scanning for now
push: false
trivy-severity: "CRITICAL"
trivy-summary-enabled: true
trivy-sbom-enabled: true
secrets:
registry-username: ${{ github.repository_owner }}
registry-password: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.GITHUB_TOKEN }}
dockerhub-release:
name: Make docker release
runs-on: ubuntu-latest
needs: [lint, build-and-test, validate-prod-dependencies, trivy-scanning]
timeout-minutes: 30
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Determine if images should be published to DockerHub
id: dockerhub
run: |
# check if a release branch, or master, or a tag
if [[ "${{ github.ref }}" =~ ^refs/heads/release([0-9]+)$ || "${{ github.ref }}" == "refs/heads/master" || "${{ github.ref }}" == "refs/tags/*" ]]
then
DOCKERHUB_PUBLISH="1"
else
DOCKERHUB_PUBLISH="0"
fi
# debug output
echo "dockerhub-publish $DOCKERHUB_PUBLISH"
echo "dockerhub-publish=$DOCKERHUB_PUBLISH" >> $GITHUB_OUTPUT
- name: Check if push to GHCR is enabled
id: check-ghcr
env:
GHCR_ENABLED: ${{ secrets.GHCR_ENABLED }}
run: |
echo "Enable push to GHCR: ${{ env.GHCR_ENABLED != '' }}"
echo "enable=${{ env.GHCR_ENABLED != '' }}" >> $GITHUB_OUTPUT
- name: Check if there is access to repo secrets (needed for build and push)
if: steps.dockerhub.outputs.dockerhub-publish == '1' || steps.check-ghcr.outputs.enable == 'true'
id: check-build-and-push
env:
SECRET_ACCESS: ${{ secrets.DOCKERHUB_IMAGE }}
run: |
echo "Enable build and push: ${{ env.SECRET_ACCESS != '' }}"
echo "enable=${{ env.SECRET_ACCESS != '' }}" >> $GITHUB_OUTPUT
- name: Get the Docker tag for GHCR
id: ghcr-tag
if: steps.check-build-and-push.outputs.enable == 'true'
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/${{ github.repository }}
tags: |
type=schedule
type=ref,event=branch
type=ref,event=tag
type=raw,value=latest,enable={{is_default_branch}}
- name: Get the Docker tag for DockerHub
id: dockerhub-tag
if: steps.check-build-and-push.outputs.enable == 'true'
uses: docker/metadata-action@v5
with:
images: |
${{ secrets.DOCKERHUB_IMAGE }}server-core
tags: |
type=schedule
type=ref,event=branch
type=ref,event=tag
type=raw,value=latest,enable={{is_default_branch}}
- name: Set up Docker Buildx
if: steps.check-build-and-push.outputs.enable == 'true'
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
if: steps.check-build-and-push.outputs.enable == 'true' && steps.dockerhub.outputs.dockerhub-publish == '1'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true'
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push to GHCR
if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true'
uses: docker/build-push-action@v6
with:
context: .
push: true
provenance: false
labels: ${{ steps.ghcr-tag.outputs.labels }}
tags: "${{ steps.ghcr-tag.outputs.tags }}"
- name: Build and push to DockerHub
if: steps.check-build-and-push.outputs.enable == 'true' && steps.dockerhub.outputs.dockerhub-publish == '1'
uses: docker/build-push-action@v6
with:
context: .
push: true
provenance: false
labels: ${{ steps.dockerhub-tag.outputs.labels }}
tags: "${{ steps.dockerhub-tag.outputs.tags }}"