shellhub/.github/workflows/docker-publish.yml at 1f382b2a6f53fdac13c9c07e05fd05e31d296571 · shellhub-io/shellhub · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
name: docker-publish

on:
  push:
    tags:
      - v*

permissions:
  contents: write
  packages: write
  id-token: write

jobs:
  build:
    name: Build and publish '${{ matrix.project }}' to Docker Registry

    strategy:
      fail-fast: true
      matrix:
        project: [api, ssh, gateway, ui, ui-react, cli]

    runs-on: ubuntu-24.04

    steps:
      - name: Checkout source code
        uses: actions/checkout@v6

      - name: Get release version
        id: get_version
        run: echo "RELEASE_VERSION=${{ github.ref_name }}" >> $GITHUB_ENV

      - name: Login to Docker Hub
        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Build and publish '${{ matrix.project }}' to Docker Registry
        uses: docker/build-push-action@v7
        with:
          tags: shellhubio/${{ matrix.project }}:latest,shellhubio/${{ matrix.project }}:${{ env.RELEASE_VERSION }}
          push: true
          file: ${{ matrix.project }}/Dockerfile

      - name: Generate SBOM for '${{ matrix.project }}' image
        uses: anchore/sbom-action@v0
        with:
          image: shellhubio/${{ matrix.project }}:${{ env.RELEASE_VERSION }}
          format: cyclonedx-json
          output-file: sbom-${{ matrix.project }}-${{ env.RELEASE_VERSION }}.cdx.json
          artifact-name: ""

      - name: Generate SBOM for '${{ matrix.project }}' source
        uses: anchore/sbom-action@v0
        with:
          path: ${{ matrix.project }}
          format: cyclonedx-json
          output-file: sbom-${{ matrix.project }}-source-${{ env.RELEASE_VERSION }}.cdx.json
          artifact-name: ""

      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@v7
        with:
          name: sbom-${{ matrix.project }}
          path: sbom-${{ matrix.project }}-*.cdx.json

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Attach SBOM to '${{ matrix.project }}' image
        run: |
          cosign attach sbom \
            --sbom sbom-${{ matrix.project }}-${{ env.RELEASE_VERSION }}.cdx.json \
            --type cyclonedx \
            shellhubio/${{ matrix.project }}:${{ env.RELEASE_VERSION }}

  publish-enterprise:
    name: Build and publish 'api-enterprise' to Docker Registry

    runs-on: ubuntu-24.04

    steps:
      - name: Checkout shellhub source
        uses: actions/checkout@v6
        with:
          path: shellhub

      - name: Generate cloud repo token
        id: cloud-token
        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.CLOUD_DISPATCH_APP_ID }}
          private-key: ${{ secrets.CLOUD_DISPATCH_APP_PRIVATE_KEY }}
          owner: shellhub-io
          repositories: cloud

      - name: Checkout cloud source
        uses: actions/checkout@v6
        with:
          repository: shellhub-io/cloud
          token: ${{ steps.cloud-token.outputs.token }}
          ref: ${{ github.ref_name }}
          path: cloud

      - name: Get release version
        run: echo "RELEASE_VERSION=${{ github.ref_name }}" >> $GITHUB_ENV

      - name: Login to Docker Registry
        uses: docker/login-action@v4
        with:
          registry: registry.infra.ossystems.io
          username: ${{ secrets.PORTUS_USERNAME }}
          password: ${{ secrets.PORTUS_TOKEN }}

      - name: Build and publish 'api-enterprise' to Docker Registry
        uses: docker/build-push-action@v7
        with:
          tags: registry.infra.ossystems.io/shellhub/api-enterprise:latest,registry.infra.ossystems.io/shellhub/api-enterprise:${{ env.RELEASE_VERSION }}
          push: true
          context: shellhub
          file: shellhub/api/Dockerfile
          build-args: EDITION=enterprise
          build-contexts: cloud-src=./cloud

      - name: Generate SBOM for api-enterprise image
        uses: anchore/sbom-action@v0
        with:
          image: registry.infra.ossystems.io/shellhub/api-enterprise:${{ env.RELEASE_VERSION }}
          format: cyclonedx-json
          output-file: sbom-api-enterprise-${{ env.RELEASE_VERSION }}.cdx.json
          artifact-name: ""

      - name: Upload SBOM artifact
        uses: actions/upload-artifact@v7
        with:
          name: sbom-api-enterprise
          path: sbom-api-enterprise-*.cdx.json

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Attach SBOM to api-enterprise image
        run: |
          cosign attach sbom \
            --sbom sbom-api-enterprise-${{ env.RELEASE_VERSION }}.cdx.json \
            --type cyclonedx \
            registry.infra.ossystems.io/shellhub/api-enterprise:${{ env.RELEASE_VERSION }}

  release-sboms:
    name: Attach SBOMs to GitHub Release
    needs: [build, publish-enterprise]
    runs-on: ubuntu-24.04

    steps:
      - name: Download all SBOM artifacts
        uses: actions/download-artifact@v8
        with:
          pattern: sbom-*
          merge-multiple: true

      - name: Attach SBOMs to release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ github.ref_name }}
          draft: true
          files: sbom-*.cdx.json