cryptify/.github/workflows/delivery.yml at c47f84ea1829431392da664b0536f223ec4f12af · encryption4all/cryptify · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
name: Delivery

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  release:
    types: [published]
  workflow_dispatch:

permissions:
  contents: read
  packages: write
  security-events: write

jobs:
  build-amd64:
    runs-on: ubuntu-latest
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Select build profile
        id: config
        run: |
          if [ "${{ github.event_name }}" = "release" ]; then
            echo "profile=release" >> "$GITHUB_OUTPUT"
          else
            echo "profile=edge" >> "$GITHUB_OUTPUT"
          fi

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push (linux/amd64)
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64
          push: true
          provenance: false
          tags: ghcr.io/${{ github.repository }}:build-${{ github.run_id }}-amd64
          build-args: CARGO_PROFILE=${{ steps.config.outputs.profile }}
          cache-from: type=gha,scope=build-amd64
          cache-to: type=gha,mode=max,scope=build-amd64

      - name: Scan image
        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
        id: scan
        with:
          image: ghcr.io/${{ github.repository }}:build-${{ github.run_id }}-amd64
          only-fixed: true
          fail-build: true
          severity-cutoff: critical
          output-format: sarif

      - name: Upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4
        if: ${{ !cancelled() }}
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

  build-arm64:
    runs-on: ubuntu-24.04-arm
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Select build profile
        id: config
        run: |
          if [ "${{ github.event_name }}" = "release" ]; then
            echo "profile=release" >> "$GITHUB_OUTPUT"
          else
            echo "profile=edge" >> "$GITHUB_OUTPUT"
          fi

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push (linux/arm64)
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/arm64
          push: true
          provenance: false
          tags: ghcr.io/${{ github.repository }}:build-${{ github.run_id }}-arm64
          build-args: CARGO_PROFILE=${{ steps.config.outputs.profile }}
          cache-from: type=gha,scope=build-arm64
          cache-to: type=gha,mode=max,scope=build-arm64

  merge:
    runs-on: ubuntu-latest
    needs: [build-amd64, build-arm64]
    steps:
      # No checkout needed: docker/metadata-action reads from the GitHub Actions context.
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=semver,pattern={{version}},event=tag
            type=semver,pattern={{major}}.{{minor}},event=tag
            type=edge,enable=${{ github.event_name != 'release' }}
            type=ref,event=pr
            type=ref,event=branch,enable=${{ github.event_name == 'workflow_dispatch' }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Combine the two platform-specific images into a single multi-arch manifest.
      # DOCKER_METADATA_OUTPUT_JSON is set automatically by docker/metadata-action.
      - name: Create and push multi-arch manifest
        run: |
          docker buildx imagetools create \
            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            "ghcr.io/${{ github.repository }}@${{ needs.build-amd64.outputs.digest }}" \
            "ghcr.io/${{ github.repository }}@${{ needs.build-arm64.outputs.digest }}"