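# Builds the multi-platform container image, pushes it to Docker Hub on
# non-PR events (or when requested via workflow_dispatch), and scans the
# pushed image with Trivy, uploading the SARIF to the Code scanning tab.
name: Build Multi-Platform Docker Images

on:
  push:
    branches: [main, develop]
    tags: ['v*']
  pull_request:
    branches: [main]
  workflow_dispatch:
    inputs:
      platforms:
        description: 'Target platforms (comma-separated)'
        required: false
        default: 'linux/amd64,linux/arm64'
        type: string
      push_to_registry:
        description: 'Push to Docker Hub'
        required: false
        default: true
        type: boolean

env:
  REGISTRY: docker.io
  IMAGE_NAME: certmate

# Default to read-only. The build job authenticates to Docker Hub via the
# DOCKERHUB_TOKEN secret, not the workflow GITHUB_TOKEN, so no write
# permission on the repo is needed for the push. If we ever add SLSA
# attestation here (Phase 2), `id-token: write` lands at the job level.
permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    # Exposed so the scan job can address exactly the manifest this run
    # pushed, and skip itself when nothing was pushed.
    outputs:
      namespace: ${{ steps.ns.outputs.namespace }}
      digest: ${{ steps.build.outputs.digest }}
      push: ${{ steps.should_push.outputs.push }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # Nothing in this job pushes back to the repo, so don't leave the
          # GITHUB_TOKEN in .git/config for later steps (and Buildx) to read.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
        with:
          version: latest

      - name: Log in to Docker Hub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Compute image namespace
        id: ns
        # GitHub Actions doesn't pass secrets.* to workflows triggered by
        # fork-originated PRs. With the previous template the build job was
        # constructing a malformed tag like `docker.io//certmate:pr-122`
        # (note the double slash) and exiting before any test-correctness
        # signal could land. Fall back to the repo owner so the tag is
        # always well-formed; push is still disabled for PRs separately.
        env:
          DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
          REPO_OWNER: ${{ github.repository_owner }}
        run: |
          OWNER="$DOCKERHUB_USER"
          if [ -z "$OWNER" ]; then OWNER="$REPO_OWNER"; fi
          echo "namespace=$OWNER" >> "$GITHUB_OUTPUT"

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
        with:
          images: ${{ env.REGISTRY }}/${{ steps.ns.outputs.namespace }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=semver,pattern=v{{version}}
            type=semver,pattern=v{{major}}.{{minor}}
            type=raw,value=latest,enable={{is_default_branch}}
          flavor: |
            latest=auto

      - name: Determine platforms
        id: platforms
        # The dispatch input goes through env, not `${{ }}` inside the
        # script body, so its contents are never evaluated as shell.
        env:
          INPUT_PLATFORMS: ${{ github.event.inputs.platforms }}
        run: |
          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
            echo "platforms=$INPUT_PLATFORMS" >> "$GITHUB_OUTPUT"
          else
            echo "platforms=linux/amd64,linux/arm64" >> "$GITHUB_OUTPUT"
          fi

      - name: Determine push setting
        id: should_push
        # Emits push=true|false: never for PRs, the caller's choice for a
        # manual dispatch, and always for branch/tag pushes.
        env:
          INPUT_PUSH: ${{ github.event.inputs.push_to_registry }}
        run: |
          if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
            echo "push=false" >> "$GITHUB_OUTPUT"
          elif [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
            echo "push=$INPUT_PUSH" >> "$GITHUB_OUTPUT"
          else
            echo "push=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Build and push Docker image
        # `id` is required for steps.build.outputs.digest below; without it
        # the digest step and the scan job read an empty string.
        id: build
        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
        with:
          context: .
          platforms: ${{ steps.platforms.outputs.platforms }}
          push: ${{ steps.should_push.outputs.push }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            REQUIREMENTS_FILE=requirements.txt

      - name: Update Docker Hub description
        if: github.ref == 'refs/heads/main' && steps.should_push.outputs.push == 'true'
        continue-on-error: true  # Don't fail build if description update fails
        uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4 (was v3)
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
          repository: ${{ steps.ns.outputs.namespace }}/${{ env.IMAGE_NAME }}
          readme-filepath: ./README.dockerhub.md
          short-description: 'SSL Certificate Management System - 22 DNS providers, Multi-CA support, Enterprise-ready'

      - name: Image digest
        if: steps.should_push.outputs.push == 'true'
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: echo "$DIGEST"

  security-scan:
    runs-on: ubuntu-latest
    needs: build
    # Only scan when an image was actually pushed: PR runs never push, and a
    # workflow_dispatch with push_to_registry=false leaves nothing to pull.
    if: github.event_name != 'pull_request' && needs.build.outputs.push == 'true'
    # Job-level permission override: the workflow default is read-all
    # (set at the top of this file in v2.6.2), but the Trivy SARIF
    # upload step needs to write into the Security > Code scanning
    # tab. Granting it here keeps every other step read-only.
    permissions:
      security-events: write
      contents: read
    steps:
      - name: Run Trivy vulnerability scanner
        # Pinned to v0.36.0 (was @master — never pin to a mutable branch
        # in CI; upstream HEAD changes silently bring new behaviour or
        # become an attack surface if compromised).
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          # Scan the manifest this run pushed, addressed by digest, rather
          # than whatever `:latest` currently points at (stale on develop
          # and tag builds, and not what was just built).
          image-ref: ${{ env.REGISTRY }}/${{ needs.build.outputs.namespace }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'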