fritzbox_exporter/.github/workflows/container.yml at 47dc5e135fde1e2df76e8f617a5bf1cf5c73b34d · sberk42/fritzbox_exporter · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
name: Container

on:
  push:
    # Publish `main` as Docker `latest` image.
    branches:
      - main
      - master

    # Publish `v1.2.3` tags as releases.
    tags:
      - '**' # All tags kick off a new container build Save history ad 5.0.x etc

  # Run tests for any PRs.
  pull_request:

env:
  BUILD_PLATFORM: |
    linux/arm/v6
    linux/arm/v7
    linux/arm64
    linux/amd64
  # Enable Docker Buildkit
  DOCKER_BUILDKIT: 1
  IMAGE_NAME: fritzbox_exporter

jobs:
  lint:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Lint Dockerfile
        uses: hadolint/hadolint-action@v3.0.0
        with:
          dockerfile: Dockerfile

  prepare:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    needs: lint
    # Map a step output to a job output
    outputs:
      DOCKER_REPOSITORY: ${{ steps.tag_image.outputs.DOCKER_REPOSITORY }}
      DOCKER_TAG: ${{ steps.tag_image.outputs.DOCKER_TAG }}

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Tag Image
        id: tag_image
        run: |
          DOCKER_REPOSITORY=ghcr.io/${{ github.repository }}

          # Change all uppercase to lowercase
          DOCKER_REPOSITORY=$(echo $DOCKER_REPOSITORY | tr '[A-Z]' '[a-z]')

          DOCKER_TAG=${{ github.ref_name }}

          # Use Docker `latest` tag convention
          [ "$DOCKER_TAG" == "master" ] && DOCKER_TAG=latest
          [ "$DOCKER_TAG" == "main" ] && DOCKER_TAG=latest

          echo DOCKER_REPOSITORY=$DOCKER_REPOSITORY
          echo DOCKER_TAG=$DOCKER_TAG
          echo "DOCKER_REPOSITORY=${DOCKER_REPOSITORY}" >> $GITHUB_OUTPUT
          echo "DOCKER_TAG=${DOCKER_TAG}" >> $GITHUB_OUTPUT

  # Build and push image to GitHub Packages.
  # See also https://docs.docker.com/docker-hub/builds/
  build:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    needs: [prepare]

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Image and Export
        uses: docker/build-push-action@v6
        with:
          build-args: REPO=${{ github.repository }}
          context: .
          cache-from: |
            type=gha,scope=build-${{ github.ref_name }}
            type=gha,scope=build-main
          cache-to: type=gha,mode=max,scope=build-${{ github.ref_name }}
          file: Dockerfile
          platforms: ${{ env.BUILD_PLATFORM }}
          outputs: type=oci,dest=/tmp/image.tar
          target: runtime-image

      - name: Upload image artifact
        uses: actions/upload-artifact@v4
        with:
          name: docker-image
          path: /tmp/image.tar
          retention-days: 1

  # Load artifact and push to registry
  push:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    needs: [prepare, build]

    steps:
      - name: Download image artifact
        uses: actions/download-artifact@v4
        with:
          name: docker-image
          path: /tmp

      - name: Install skopeo
        run: |
          sudo apt-get update
          sudo apt-get install -y skopeo

      - name: Log into registry
        run: echo "${{ secrets.GITHUB_TOKEN }}" | skopeo login ghcr.io -u ${{ github.actor }} --password-stdin

      - name: Push OCI image to registry
        run: |
          skopeo copy --all \
            oci-archive:/tmp/image.tar \
            docker://${{ needs.prepare.outputs.DOCKER_REPOSITORY }}:${{ needs.prepare.outputs.DOCKER_TAG }}
          skopeo copy --all \
            oci-archive:/tmp/image.tar \
            docker://${{ needs.prepare.outputs.DOCKER_REPOSITORY }}:${{ github.sha }}
          skopeo copy --all \
            oci-archive:/tmp/image.tar \
            docker://${{ needs.prepare.outputs.DOCKER_REPOSITORY }}/fritzbox_exporter:${{ needs.prepare.outputs.DOCKER_TAG }}
          skopeo copy --all \
            oci-archive:/tmp/image.tar \
            docker://${{ needs.prepare.outputs.DOCKER_REPOSITORY }}/fritzbox_exporter:${{ github.sha }}

      - name: Inspect image
        if: success()
        run: |
          docker buildx imagetools inspect ${{ needs.prepare.outputs.DOCKER_REPOSITORY }}:${{ needs.prepare.outputs.DOCKER_TAG }}
          docker buildx imagetools inspect ${{ needs.prepare.outputs.DOCKER_REPOSITORY }}:${{ github.sha }}

  test:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    needs: [prepare, push]

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "${{ needs.prepare.outputs.DOCKER_REPOSITORY }}:${{ github.sha }}"
          format: 'sarif'
          output: 'trivy-results.sarif'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'MEDIUM,HIGH,CRITICAL'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'