# Template Workflow for a New Demo
# This template sets up a reusable workflow for adding a new demo to the repository.
# To use this workflow:
# 1. Replace all instances of `<demo_name>` with the name of your demo.
# 2. Add the demo to the `build.yml` workflow for inclusion in the build matrix.
# 3. Ensure the necessary Dockerfile and demo-specific files are in place.
# 4. Customize the steps (build, scan, test, push) as needed for your demo.
name: <demo_name>
on:
  # Pushes to `main` that touch either this workflow or the demo's own directory.
  push:
    branches:
      - 'main'
    paths:
      - '.github/workflows/<demo_name>.yml'
      - '<demo_name>/**'
  # Pull requests against `main` touching the same set of files.
  pull_request:
    branches:
      - 'main'
    paths:
      - '.github/workflows/<demo_name>.yml'
      - '<demo_name>/**'
  # Reusable-workflow entry point (used by `build.yml`).
  # `build_main` is declared as a boolean, so callers must pass `true`/`false`,
  # and expressions in this file should compare it against a boolean, not 'true'.
  workflow_call:
    inputs:
      build_main:
        description: "Build using liboqs and oqsprovider main branches"
        required: false
        default: false
        type: boolean
      release_tag:
        description: "Which Docker tag to push to"
        required: false
        type: string
  # Manual entry point from the Actions UI; mirrors the `workflow_call` inputs.
  workflow_dispatch:
    inputs:
      build_main:
        description: "Build using liboqs and oqsprovider main branches"
        required: false
        default: false
        type: boolean
      release_tag:
        description: "Which Docker tag to push to"
        required: false
        type: string
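env:
  # Extra build arguments appended only for `build_main` builds: they point the
  # Dockerfile at the development heads of liboqs and oqsprovider.
  build-args: |
    LIBOQS_TAG=main
    OQSPROVIDER_TAG=main
  # Whether this run is allowed to publish images: only from the upstream
  # repository, only on `main`, never for pull requests, and never for a
  # `build_main` build. `inputs.build_main` is declared `type: boolean`; under
  # GitHub's expression type coercion a boolean compared with the string 'true'
  # never matches, so it is compared against the boolean `true` here. On
  # push/pull_request runs the input is absent (null), which is also `!= true`.
  # `env` values are strings, so steps test this as `env.push == 'true'`.
  push: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != true }}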
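jobs:
  build:
    # Build, scan, test and (when `env.push` allows it) push the demo image,
    # once per architecture. Each matrix entry runs on a native runner for its
    # architecture, so no cross-platform emulation is involved.
    strategy:
      fail-fast: false
      matrix:
        include:
          - arch: x86_64
            runner: ubuntu-latest
          - arch: arm64
            runner: ubuntu-24.04-arm
    runs-on: ${{ matrix.runner }}
    # Least privilege for GITHUB_TOKEN: checkout needs `contents: read`, the
    # ghcr.io push needs `packages: write`. Scan results are only uploaded as
    # an artifact, so `security-events: write` is not needed. When this workflow
    # is invoked via `workflow_call`, the caller's permissions cap these.
    permissions:
      contents: read
      packages: write
    steps:
      # NOTE(review): every action below is pinned to a mutable tag (`@v4`,
      # `@v6`, `@v1.16.1`, ...). For supply-chain hardening pin each to its full
      # commit SHA (keeping the tag in a trailing comment); the SHAs are not
      # guessed here and must be resolved from the upstream repositories.
      - uses: actions/checkout@v4
      # Registry credentials are needed only by the scan and push steps, and
      # those run only when `env.push` is true. Gating the logins on the same
      # condition keeps the Docker Hub token out of pull-request runs; PR runs
      # from forks receive no repository secrets and cannot log in anyway.
      - uses: docker/login-action@v3
        if: env.push == 'true'
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - uses: docker/login-action@v3
        if: env.push == 'true'
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build the Docker image
        uses: docker/build-push-action@v6
        with:
          load: true
          context: <demo_name>
          # `inputs.build_main` is a boolean input; comparing it with the string
          # 'true' never matches under GitHub's expression coercion, so the
          # boolean is compared directly. The extra args are appended only for
          # `build_main` builds; `null` contributes nothing otherwise.
          build-args: |
            MAKE_DEFINES=-j4
            ${{ (inputs.build_main == true) && env.build-args || null }}
          tags: <demo_name>
      # Scan the image that was just loaded locally. Only the x86_64 leg scans,
      # on the assumption that results do not differ across architectures.
      # Without `exit-code: true` the scan is informational only: findings are
      # uploaded but do not block the push step below.
      - name: Scan Docker Image
        if: matrix.arch == 'x86_64' && env.push == 'true'
        uses: docker/[email protected]
        with:
          # Must be the same tag the build step loaded (`tags: <demo_name>`);
          # any other name does not refer to the image built in this job.
          image: <demo_name>
          command: cves,recommendations
          sarif-file: <demo_name>-scan-results.sarif
      - name: Upload Scan Results
        if: matrix.arch == 'x86_64' && env.push == 'true'
        uses: actions/[email protected]
        with:
          name: <demo_name>-scan-results
          path: <demo_name>-scan-results.sarif
      # Demo-specific tests go here. A failing test aborts the job before the
      # push step, so tests act as a gate on publishing.
      - name: Test <demo_name>
        run: |
          echo "Add test logic here"
      # Rebuilds with the same context and args (should reuse the local build
      # cache) and pushes one per-architecture tag to both registries; the
      # `push` job below merges them into a multi-arch manifest.
      - name: Push Docker image to registries
        if: env.push == 'true'
        uses: docker/build-push-action@v6
        with:
          push: true
          context: <demo_name>
          build-args: |
            MAKE_DEFINES=-j4
            ${{ (inputs.build_main == true) && env.build-args || null }}
          tags: |
            ghcr.io/${{ github.repository_owner }}/<demo_name>:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }}
            openquantumsafe/<demo_name>:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }}
  push:
    # The `env` context is not available in a job-level `if`, so the publish
    # condition is repeated here; keep it in sync with `env.push` above.
    # `inputs.build_main` is a boolean and is compared as one (see the build job).
    if: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != true }}
    needs: build
    uses: ./.github/workflows/push-manifest.yml
    # NOTE(review): `secrets: inherit` forwards every repository secret to the
    # reusable workflow. Once push-manifest.yml's needs are confirmed, pass only
    # the registry credentials it actually uses.
    secrets: inherit
    with:
      image_name: <demo_name>
      release_tag: ${{ inputs.release_tag || 'latest' }}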