Check Cuprate Latest Tag and Build Docker

Check Cuprate Latest Tag and Build Docker #227

Workflow file for this run

.github/workflows/docker-build.yml at 25ed0b6

	name: Check Cuprate Latest Tag and Build Docker

	on:
	schedule:
	# Run every 4 hours
	- cron: '0 /4 * *'
	# Allow manual trigger
	workflow_dispatch:
	# Run on push to main branch
	push:
	branches:
	- main

	jobs:
	check-and-build:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: write
	security-events: write # Required for GitHub CodeQL and dependency submission
	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Get latest Cuprate tag
	id: get-latest-tag
	run: \|
	# Fetch the latest tag from Cuprate repository that matches the pattern
	LATEST_TAG=$(curl -s https://api.github.com/repos/cuprate/cuprate/tags \| jq -r '[.[] \| select(.name \| startswith("cuprated-"))] \| .[0].name')
	echo "Latest Cuprate tag: $LATEST_TAG"
	# Extract version number from tag (e.g., cuprated-0.0.1 -> 0.0.1)
	VERSION=${LATEST_TAG#cuprated-}
	echo "version=$VERSION" >> $GITHUB_OUTPUT
	echo "cuprate_tag=$LATEST_TAG" >> $GITHUB_OUTPUT

	# Set up QEMU for multi-architecture builds
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3
	with:
	platforms: 'arm64,amd64'

	# Set up Docker Buildx for multi-platform builds
	- name: Set up Docker Buildx
	id: buildx
	uses: docker/setup-buildx-action@v3
	with:
	version: latest
	platforms: linux/amd64,linux/arm64

	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}

	# Create and start build cache
	- name: Docker meta
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: \|
	ghcr.io/${{ github.repository_owner }}/cuprate-docker
	tags: \|
	type=raw,value=latest
	type=raw,value=${{ steps.get-latest-tag.outputs.version }}

	- name: Build and push Docker image
	uses: docker/build-push-action@v6
	with:
	context: .
	push: true
	platforms: linux/amd64,linux/arm64
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	build-args: \|
	CUPRATE_TAG=${{ steps.get-latest-tag.outputs.cuprate_tag }}
	# Use local cache instead of registry cache
	cache-from: type=gha
	cache-to: type=gha,mode=max
	# Enable parallel builds
	builder: ${{ steps.buildx.outputs.name }}
	provenance: false
	outputs: type=registry,push=true

	# Security Scanning with Trivy
	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@0.30.0
	with:
	image-ref: ghcr.io/${{ github.repository_owner }}/cuprate-docker:${{ steps.get-latest-tag.outputs.version }}
	format: 'sarif'
	output: 'trivy-results.sarif'
	severity: 'CRITICAL,HIGH'

	# Upload Trivy scan results to GitHub Security tab
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: 'trivy-results.sarif'
	category: 'trivy'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Check Cuprate Latest Tag and Build Docker #227

Workflow file

Check Cuprate Latest Tag and Build Docker #227

Uh oh!

Workflow file for this run