Skip to content

ci: limit readme sync to certain files only #1494

ci: limit readme sync to certain files only

ci: limit readme sync to certain files only #1494

Workflow file for this run

# Copyright © Michal Čihař <[email protected]>
#
# SPDX-License-Identifier: GPL-3.0-or-later
name: Docker Image CI
on:
push:
branches-ignore:
- renovate/**
tags:
- '*'
pull_request:
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-22.04
name: Build, ${{ matrix.architecture }}
strategy:
matrix:
architecture: [linux/amd64]
env:
MATRIX_ARCHITECTURE: ${{ matrix.architecture }}
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/[email protected]
with:
# renovate: datasource=github-releases depName=docker/buildx
version: v0.12.0
- name: Cache Docker layers
uses: actions/cache@v3
id: cache
with:
path: /tmp/.buildx-cache/${{ matrix.architecture }}
key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }}
- name: Configure Docker build
run: .github/bin/get-buildx-args
- name: Build the Docker image
run: .github/bin/docker-build
buildx:
runs-on: ubuntu-22.04
name: Build, ${{ matrix.architecture }}
strategy:
matrix:
architecture:
- linux/arm/v7
- linux/arm64
env:
MATRIX_ARCHITECTURE: ${{ matrix.architecture }}
steps:
- uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/[email protected]
with:
platforms: ${{ matrix.architecture }}
- name: Set up Docker Buildx
uses: docker/[email protected]
with:
# renovate: datasource=github-releases depName=docker/buildx
version: v0.12.0
- name: Cache Docker layers
uses: actions/cache@v3
id: cache
with:
path: /tmp/.buildx-cache/${{ matrix.architecture }}
key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }}
- name: Configure Docker build
run: .github/bin/get-buildx-args
- name: Build the Docker image
run: .github/bin/docker-build
test:
runs-on: ubuntu-22.04
name: Test, ${{ matrix.architecture }}
needs: [build]
strategy:
matrix:
architecture: [linux/amd64]
env:
MATRIX_ARCHITECTURE: ${{ matrix.architecture }}
COMPOSE_PROJECT_NAME: wl
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/[email protected]
with:
# renovate: datasource=github-releases depName=docker/buildx
version: v0.12.0
- name: Cache Docker layers
uses: actions/cache@v3
id: cache
with:
path: /tmp/.buildx-cache/${{ matrix.architecture }}
key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }}
- name: Build the Docker image
run: .github/bin/docker-build load
- name: List Docker images
run: docker image ls --all
- name: Test the Docker image
run: docker run --rm weblate/wlc:test version | grep "version"
anchore:
runs-on: ubuntu-22.04
name: Anchore Container Scan, ${{ matrix.architecture }}
needs:
- build
permissions:
security-events: write
strategy:
matrix:
architecture: [linux/amd64]
env:
MATRIX_ARCHITECTURE: ${{ matrix.architecture }}
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/[email protected]
with:
# renovate: datasource=github-releases depName=docker/buildx
version: v0.12.0
- name: Cache Docker layers
uses: actions/cache@v3
id: cache
with:
path: /tmp/.buildx-cache/${{ matrix.architecture }}
key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }}
- name: Build the Docker image
run: .github/bin/docker-build load
- name: List Docker images
run: docker image ls --all
- name: Checkout the code
uses: actions/checkout@v4
- name: Anchore scan action
uses: anchore/scan-action@v3
with:
image: weblate/wlc:test
fail-build: false
severity-cutoff: high
- name: Upload Anchore Scan Report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
- uses: actions/upload-artifact@v3
with:
name: Anchore scan SARIF
path: results.sarif
trivy:
runs-on: ubuntu-22.04
name: Trivy Container Scan, ${{ matrix.architecture }}
needs:
- build
permissions:
security-events: write
strategy:
matrix:
architecture: [linux/amd64]
env:
MATRIX_ARCHITECTURE: ${{ matrix.architecture }}
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/[email protected]
with:
# renovate: datasource=github-releases depName=docker/buildx
version: v0.12.0
- name: Cache Docker layers
uses: actions/cache@v3
id: cache
with:
path: /tmp/.buildx-cache/${{ matrix.architecture }}
key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }}
- name: Build the Docker image
run: .github/bin/docker-build load
- name: List Docker images
run: docker image ls --all
- name: Checkout the code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: weblate/wlc:test
format: template
template: '@/contrib/sarif.tpl'
output: trivy-results.sarif
severity: CRITICAL,HIGH
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy-results.sarif
- uses: actions/upload-artifact@v3
with:
name: Trivy scan SARIF
path: trivy-results.sarif
push_dockerhub:
runs-on: ubuntu-22.04
name: Publish to Docker Hub
needs:
- test
- buildx
- anchore
- trivy
if: ${{ (startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main')) && github.repository == 'WeblateOrg/wlc' }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/[email protected]
with:
platforms: all
- name: Set up Docker Buildx
uses: docker/[email protected]
with:
# renovate: datasource=github-releases depName=docker/buildx
version: v0.12.0
- name: Cache Docker layers
uses: actions/cache@v3
id: cache-arm64
with:
path: /tmp/.buildx-cache/linux/arm64
key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/arm64
- name: Cache Docker layers
uses: actions/cache@v3
id: cache-arm-v7
with:
path: /tmp/.buildx-cache/linux/arm/v7
key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/arm/v7
- name: Cache Docker layers
uses: actions/cache@v3
id: cache-amd64
with:
path: /tmp/.buildx-cache/linux/amd64
key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/amd64
- name: DockerHub login
run: echo "${{ secrets.DOCKERHUB_ACCESS_TOKEN }}" | docker login --username "${{ secrets.DOCKERHUB_USERNAME }}" --password-stdin
- name: Configure Docker build
run: .github/bin/get-buildx-args publish
- name: Publish the Docker images
run: .github/bin/docker-build publish
push_github:
runs-on: ubuntu-22.04
name: Publish to GitHub
permissions:
packages: write
needs:
- test
- buildx
- anchore
- trivy
if: ${{ (startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main')) && github.repository == 'WeblateOrg/docker' }}
env:
DOCKER_IMAGE: ghcr.io/weblateorg/wlc
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/[email protected]
with:
platforms: all
- name: Set up Docker Buildx
uses: docker/[email protected]
with:
# renovate: datasource=github-releases depName=docker/buildx
version: v0.12.0
- name: Cache Docker layers
uses: actions/cache@v3
id: cache-arm64
with:
path: /tmp/.buildx-cache/linux/arm64
key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/arm64
- name: Cache Docker layers
uses: actions/cache@v3
id: cache-arm-v7
with:
path: /tmp/.buildx-cache/linux/arm/v7
key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/arm/v7
- name: Cache Docker layers
uses: actions/cache@v3
id: cache-amd64
with:
path: /tmp/.buildx-cache/linux/amd64
key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/amd64
- name: Login to GitHub Container Registry
if: ${{ github.event_name != 'pull_request'}}
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Configure Docker build
run: .github/bin/get-buildx-args publish
- name: Publish the Docker images
run: .github/bin/docker-build publish