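# Docker Build & Publish
#
# This workflow builds and publishes multi-architecture Docker images:
# - Builds for amd64 and arm64 (Raspberry Pi support)
# - Scans images for vulnerabilities using Trivy
# - Publishes to GitHub Container Registry (ghcr.io)
# - Creates both versioned tags and 'latest' tag
#
# Runs on:
# - Push to main branch (publishes latest)
# - Version tags (v*.*.* - publishes versioned release)
# - Pull requests to main (build and test only, no publish)
# - Manual trigger via workflow_dispatch (NOTE: a dispatch from a non-main
#   branch still pushes a branch-tagged image to ghcr.io, because the push
#   step only excludes pull_request events; 'latest' is limited to the
#   default branch by the metadata rule below)
#
# Image published to: ghcr.io/chiefgyk3d/stream-daemon
#
# Security notes for maintainers:
# - Third-party actions are referenced by release tag. For a hardened supply
#   chain, pin every `uses:` to a full commit SHA (keep the tag in a trailing
#   comment) so a moved or compromised tag cannot change what executes with
#   this job's write-capable GITHUB_TOKEN.
# - Expressions (`${{ ... }}`) are not interpolated into `run:` scripts.
#   Values are passed through `env:` and read as shell variables, so ref
#   names, generated tags and secrets cannot be used for shell injection and
#   secret values never land in the generated script file.
# - The Trivy scan is advisory only: `continue-on-error` is set and no
#   `exit-code` is configured, so CRITICAL/HIGH findings are uploaded to the
#   Security tab but never block publishing. Tighten this deliberately if the
#   scan is meant to gate releases.
# - The image that is run and scanned (single-arch, loaded locally) is not the
#   artifact that is pushed: each publish step performs a fresh build. Base
#   image updates landing between the scan and the push are therefore not
#   covered by the scan.

name: Docker Build & Publish

on:
  push:
    branches: [ main ]
    tags:
      - 'v*.*.*'
  pull_request:
    branches: [ main ]
  workflow_dispatch:

env:
  REGISTRY: ghcr.io

jobs:
  build-test:
    name: Build and Test Docker Image
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN. `packages: write` is only exercised by
    # the push step (skipped on pull_request); `security-events: write` is
    # required to upload SARIF. Pull requests from forks receive a read-only
    # token regardless of what is declared here.
    permissions:
      contents: read
      packages: write
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      # ghcr.io requires a lowercase image path while the repository slug may
      # contain uppercase characters. The slug is read from the runner-provided
      # GITHUB_REPOSITORY variable instead of being expanded into the script.
      - name: Set lowercase image name
        id: image-name
        run: echo "value=$(echo "$GITHUB_REPOSITORY" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Registry login is only needed when something will be pushed.
      - name: Log in to Container Registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Tag set: branch/PR ref, semver tags (full, major.minor, major), short
      # commit SHA, and 'latest' only when building the default branch.
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v6
        with:
          images: ${{ env.REGISTRY }}/${{ steps.image-name.outputs.value }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha
            type=raw,value=latest,enable={{is_default_branch}}

      # Single-architecture build loaded into the local daemon so it can be
      # executed and scanned below. Nothing is pushed from this step.
      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Docker/Dockerfile
          push: false
          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          no-cache: true

      # Quick startup test against the first tag in the list (the branch/PR
      # tag). The tag list is handed over via env rather than interpolated, as
      # it is derived from ref names.
      - name: Test Docker image
        env:
          IMAGE_TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          IMAGE_TAG=$(printf '%s\n' "$IMAGE_TAGS" | head -n1)
          echo "Testing image: $IMAGE_TAG"
          docker run --rm "$IMAGE_TAG" python -c "import stream_daemon; print('Import successful')"

      # Advisory vulnerability scan (see header notes). Pinned to a release
      # tag instead of the mutable `master` branch so the scanner code cannot
      # silently change underneath this workflow.
      # NOTE(review): with SARIF output trivy-action is documented to report
      # all severities unless `limit-severities-for-sarif: true` is also set;
      # confirm against the pinned version's README if the CRITICAL,HIGH
      # filter is expected to apply to the uploaded results.
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
        continue-on-error: true  # Don't fail the build if Trivy has issues

      # Upload whatever the scan produced, even if an earlier step failed;
      # skipped when no SARIF file exists.
      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v4
        if: always() && hashFiles('trivy-results.sarif') != ''
        with:
          sarif_file: 'trivy-results.sarif'

      # Fresh multi-architecture build pushed to ghcr.io. This is a separate
      # build from the one scanned above (buildx cannot `load` a multi-arch
      # manifest); `no-cache` forces base layers to be re-pulled.
      - name: Push Docker image
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Docker/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64
          no-cache: true

  # Optional mirror to Docker Hub. Runs only for pushes to main or version
  # tags, after build-test succeeded, and is skipped entirely when the
  # DOCKERHUB_* secrets are not configured.
  docker-hub-publish:
    name: Publish to Docker Hub
    runs-on: ubuntu-latest
    needs: build-test
    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Secrets are exposed to the check through env only; their values are
      # never written into the generated shell script.
      - name: Check Docker Hub credentials
        id: check-credentials
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        run: |
          if [ -z "$DOCKERHUB_USERNAME" ] || [ -z "$DOCKERHUB_TOKEN" ]; then
            echo "skip=true" >> "$GITHUB_OUTPUT"
            echo "⚠️ Docker Hub credentials not configured - skipping Docker Hub publish"
          else
            echo "skip=false" >> "$GITHUB_OUTPUT"
            echo "✅ Docker Hub credentials found"
          fi

      - name: Log in to Docker Hub
        if: steps.check-credentials.outputs.skip != 'true'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # NOTE: the username is stored as a secret, so GitHub masks it in logs
      # and the computed image names will print as `***`. A non-secret
      # repository variable would be the usual home for a public username.
      - name: Extract metadata for Docker Hub
        if: steps.check-credentials.outputs.skip != 'true'
        id: meta
        uses: docker/metadata-action@v6
        with:
          images: ${{ secrets.DOCKERHUB_USERNAME }}/stream-daemon
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=raw,value=latest,enable={{is_default_branch}}

      # Another fresh build, this time using the GitHub Actions layer cache.
      # Note the asymmetry with the ghcr.io push above (`no-cache: true`):
      # cached base layers here may be older than those just pushed to ghcr.
      - name: Build and push to Docker Hub
        if: steps.check-credentials.outputs.skip != 'true'
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Docker/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64,linux/arm64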