Skip to content

External config file (#31) #19

External config file (#31)

External config file (#31) #19

Workflow file for this run

name: Delivery
on:
push:
branches: [ main ]
release:
# Note: a current limitation is that when a release is edited after publication, then the Docker tags are not automatically updated.
types: [ published ]
schedule:
# Run every monday on 9:00 in the morning (UTC).
- cron: '0 9 * * 0'
workflow_dispatch:
permissions:
contents: write
packages: write
security-events: write
jobs:
publish-docker-image:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Check whether this event is the HEAD of main
continue-on-error: true
id: is-head-main
run: git rev-parse HEAD | grep -x ${{ github.sha }}
shell: bash
- name: Docker backend meta
id: meta-be
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository }}-backend
tags: |
type=semver,pattern={{major}}.{{minor}}.{{patch}}
type=edge,enable=${{ steps.is-head-main.outcome == 'success' }}
type=ref,event=branch,enable=${{ github.event_name == 'workflow_dispatch' }}
- name: Docker frontend meta
id: meta-fe
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository }}-frontend
tags: |
type=semver,pattern={{major}}.{{minor}}.{{patch}}
type=edge,enable=${{ steps.is-head-main.outcome == 'success' }}
type=ref,event=branch,enable=${{ github.event_name == 'workflow_dispatch' }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build Backend container and export to local Docker
uses: docker/build-push-action@v5
with:
context: .
file: backend.Dockerfile
load: true
tags: local/postguard-backend:scan
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Build Frontend container and export to local Docker
uses: docker/build-push-action@v5
with:
context: .
file: frontend.Dockerfile
load: true
tags: local/postguard-frontend:scan
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Scan Backend Image
uses: anchore/scan-action@v4
id: scan-be
with:
image: local/postguard-backend:scan
only-fixed: true
fail-build: true
severity-cutoff: critical
output-format: sarif
- name: Scan Frontend Image
uses: anchore/scan-action@v4
id: scan-fe
with:
image: local/postguard-frontend:scan
only-fixed: true
fail-build: true
severity-cutoff: critical
output-format: sarif
- name: Upload Backend Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@v4
if: ${{ !cancelled() }}
with:
sarif_file: ${{ steps.scan-be.outputs.sarif }}
category: backend
- name: Upload Frontend Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@v4
if: ${{ !cancelled() }}
with:
sarif_file: ${{ steps.scan-fe.outputs.sarif }}
category: frontend
- name: Push backend image to GitHub Container Registry
uses: docker/build-push-action@v5
if: ${{ github.event_name == 'release' || github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
with:
context: .
file: backend.Dockerfile
push: true
tags: ${{ steps.meta-be.outputs.tags || 'edge' }}
labels: ${{ steps.meta-be.outputs.labels }}
- name: Push frontend image to GitHub Container Registry
uses: docker/build-push-action@v5
if: ${{ github.event_name == 'release' || github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
with:
context: .
file: frontend.Dockerfile
push: true
tags: ${{ steps.meta-fe.outputs.tags || 'edge' }}
labels: ${{ steps.meta-fe.outputs.labels }}