
changing back to ubuntu runner for arm build (mac runners apparently … #658


name: Push Heimdall Server to Docker Hub on every merge to master and tag as latest
on:
push:
branches: [master, multi-platform-build]
permissions:
contents: read
jobs:
build-amd64:
runs-on: ubuntu-24.04
steps:
- name: Checkout the Heimdall Repository
uses: actions/checkout@v5
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push amd64 image
uses: docker/build-push-action@v6
with:
context: .
push: true
platforms: linux/amd64
tags: mitre/heimdall2:amd64-${{ github.sha }}
cache-from: type=gha,scope=amd64
cache-to: type=gha,mode=max,scope=amd64
build-arm64:
runs-on: ubuntu-24.04
steps:
- name: Checkout the Heimdall Repository
uses: actions/checkout@v5
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push arm64 image
uses: docker/build-push-action@v6
with:
context: .
push: true
platforms: linux/arm64
tags: mitre/heimdall2:arm64-${{ github.sha }}
cache-from: type=gha,scope=arm64
cache-to: type=gha,mode=max,scope=arm64
merge-manifests:
runs-on: ubuntu-24.04
needs: [build-amd64, build-arm64]
steps:
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Create and push multi-arch manifest
run: |
# Create multi-arch manifest for SHA tag
docker buildx imagetools create -t mitre/heimdall2:${{ github.sha }} \
mitre/heimdall2:amd64-${{ github.sha }} \
mitre/heimdall2:arm64-${{ github.sha }}
# Create multi-arch manifest for branch tag
docker buildx imagetools create -t mitre/heimdall2:multi-platform-build \
mitre/heimdall2:amd64-${{ github.sha }} \
mitre/heimdall2:arm64-${{ github.sha }}
- name: Get Docker SHA for Iron Bank
shell: bash
id: get-docker-sha
run: |
MAX_RETRIES=5
RETRY_DELAY=0.5 # in seconds
RETRY_COUNT=0
SUCCESS=false
while [ "$RETRY_COUNT" -lt "$MAX_RETRIES" ]; do
if docker pull mitre/heimdall2:${{ github.sha }}; then
SUCCESS=true
break
else
RETRY_COUNT="$((RETRY_COUNT + 1))"
echo "Retry $RETRY_COUNT/$MAX_RETRIES: Docker pull failed. Retrying in $RETRY_DELAY seconds..."
sleep "$RETRY_DELAY"
fi
done
if [ "$SUCCESS" = true ]; then
echo "DOCKER_SHA=$(docker inspect --format='{{index .RepoDigests 0}}' mitre/heimdall2:${{ github.sha }} | cut -d '@' -f 2)" >> $GITHUB_ENV
else
echo "Docker pull failed after $MAX_RETRIES attempts."
exit 1
fi
- name: Checkout for Iron Bank action
uses: actions/checkout@v5
- name: Upgrade Iron Bank
uses: mitre/ironbank_release_action@v1
with:
name: Heimdall
version: ${{ github.sha }}
ironbank_pat: ${{ secrets.SAF_IRONBANK_REPO1_PAT }}
ironbank_username: ${{ secrets.SAF_IRONBANK_REPO1_USERNAME }}
ironbank_project_id: 17076
ironbank_project_clone_url: repo1.dso.mil/dsop/mitre/security-automation-framework/heimdall2-mainline.git
git_commit_author_name: "Automated Heimdall Release"
git_commit_author_email: "saf@mitre.org"
update_commands: |
yq e -i '.args.HEIMDALL_VERSION=\"${{ github.sha }}\" | .tags[0]=\"${{ github.sha }}\" | .labels.\"org.opencontainers.image.version\"=\"${{ github.sha }}\" | .resources[1].tag=\"mitre/heimdall2:${{ github.sha }}\" | .resources[1].url=\"docker://docker.io/mitre/heimdall2@${{ env.DOCKER_SHA }}\"' hardening_manifest.yaml
sed -i s/HEIMDALL_VERSION=\.\*/HEIMDALL_VERSION=${{ github.sha }}/ Dockerfile
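Review bot: Every third-party action in this workflow is pinned to a mutable tag (`actions/checkout@v5`, `docker/login-action@v3`, `docker/build-push-action@v6`, `mitre/ironbank_release_action@v1`), so the jobs that receive `DOCKERHUB_TOKEN` and the Iron Bank PAT run whatever a moved tag resolves to on the day of the run. The highest-value one is the Upgrade Iron Bank step, which is handed `secrets.SAF_IRONBANK_REPO1_PAT` and `secrets.SAF_IRONBANK_REPO1_USERNAME`; pin each action to a full commit SHA with the tag as a trailing comment, e.g. `uses: mitre/ironbank_release_action@<full-commit-sha>  # v1`, and let Dependabot or Renovate bump the SHA. In the Get Docker SHA step, `>> $GITHUB_ENV` should be `>> "$GITHUB_ENV"` to match the quoting used elsewhere in the script. The workflow `name` says the image is tagged as `latest`, but the manifest step only pushes the `${{ github.sha }}` and `multi-platform-build` tags; if that is intentional while the branch is experimental, a one-line comment above `run: |` saying so would save the next reader from assuming a missing tag.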