feat: v2.7.0 - OIDC/SSO authentication (close #191) #419
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Multi-Platform Docker Images | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| tags: [ 'v*' ] | |
| pull_request: | |
| branches: [ main ] | |
| workflow_dispatch: | |
| inputs: | |
| platforms: | |
| description: 'Target platforms (comma-separated)' | |
| required: false | |
| default: 'linux/amd64,linux/arm64' | |
| type: string | |
| push_to_registry: | |
| description: 'Push to Docker Hub' | |
| required: false | |
| default: true | |
| type: boolean | |
| env: | |
| REGISTRY: docker.io | |
| IMAGE_NAME: certmate | |
| # Default to read-only. The build job authenticates to Docker Hub via the | |
| # DOCKERHUB_TOKEN secret, not the workflow GITHUB_TOKEN, so no write | |
| # permission on the repo is needed for the push. If we ever add SLSA | |
| # attestation here (Phase 2), `id-token: write` lands at the job level. | |
| permissions: read-all | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | |
| with: | |
| version: latest | |
| - name: Log in to Docker Hub | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ secrets.DOCKERHUB_USER }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Compute image namespace | |
| id: ns | |
| # GitHub Actions doesn't pass secrets.* to workflows triggered by | |
| # fork-originated PRs. With the previous template the build job was | |
| # constructing a malformed tag like `docker.io//certmate:pr-122` | |
| # (note the double slash) and exiting before any test-correctness | |
| # signal could land. Fall back to the repo owner so the tag is | |
| # always well-formed; push is still disabled for PRs separately. | |
| run: | | |
| OWNER="${{ secrets.DOCKERHUB_USER }}" | |
| if [ -z "$OWNER" ]; then OWNER="${{ github.repository_owner }}"; fi | |
| echo "namespace=$OWNER" >> "$GITHUB_OUTPUT" | |
| - name: Extract metadata | |
| id: meta | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ steps.ns.outputs.namespace }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=semver,pattern=v{{version}} | |
| type=semver,pattern=v{{major}}.{{minor}} | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| flavor: | | |
| latest=auto | |
| - name: Determine platforms | |
| id: platforms | |
| run: | | |
| if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then | |
| echo "platforms=${{ github.event.inputs.platforms }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "platforms=linux/amd64,linux/arm64" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Determine push setting | |
| id: should_push | |
| run: | | |
| if [ "${{ github.event_name }}" = "pull_request" ]; then | |
| echo "push=false" >> $GITHUB_OUTPUT | |
| elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then | |
| echo "push=${{ github.event.inputs.push_to_registry }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "push=true" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 | |
| with: | |
| context: . | |
| platforms: ${{ steps.platforms.outputs.platforms }} | |
| push: ${{ steps.should_push.outputs.push }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| REQUIREMENTS_FILE=requirements.txt | |
| - name: Update Docker Hub description | |
| if: github.ref == 'refs/heads/main' && steps.should_push.outputs.push == 'true' | |
| continue-on-error: true # Don't fail build if description update fails | |
| uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4 (was v3) | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USER }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| repository: ${{ secrets.DOCKERHUB_USER }}/${{ env.IMAGE_NAME }} | |
| readme-filepath: ./README.dockerhub.md | |
| short-description: 'SSL Certificate Management System - 22 DNS providers, Multi-CA support, Enterprise-ready' | |
| - name: Image digest | |
| if: steps.should_push.outputs.push == 'true' | |
| run: echo ${{ steps.build.outputs.digest }} | |
| security-scan: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| if: github.event_name != 'pull_request' | |
| # Job-level permission override: the workflow default is read-all | |
| # (set at the top of this file in v2.6.2), but the Trivy SARIF | |
| # upload step needs to write into the Security > Code scanning | |
| # tab. Granting it here keeps every other step read-only. | |
| permissions: | |
| security-events: write | |
| contents: read | |
| steps: | |
| - name: Run Trivy vulnerability scanner | |
| # Pinned to v0.36.0 (was @master — never pin to a mutable branch | |
| # in CI; upstream HEAD changes silently bring new behaviour or | |
| # become an attack surface if compromised). | |
| uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 | |
| with: | |
| image-ref: ${{ env.REGISTRY }}/${{ secrets.DOCKERHUB_USER }}/${{ env.IMAGE_NAME }}:latest | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'HIGH,CRITICAL' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' |