ci: Improve Docker build

Bring in sync with WeblateOrg/docker (annotations, conditions, syntax)

.github/bin/docker-build

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Copyright © Michal Čihař <[email protected]>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+eval "docker buildx build $(.github/bin/get-buildx-args "$@" | sed 's/$/ /' | tr -d \\n)"

.github/bin/get-buildx-args

@@ -15,6 +15,11 @@ else
     done
 fi
 
+# Expose annotations
+if [ "$1" != "load" ] ; then
+    sed -n "s/^LABEL \(org.opencontainers.image.*\)/--annotation index:\1/p" Dockerfile
+fi
+
 # Write to local cache unless publishing (not compatible with push)
 if [ "$1" != "publish" ] ; then
     echo --cache-to "type=local,dest=/tmp/.buildx-cache/$MATRIX_ARCHITECTURE,mode=max"
@@ -35,18 +40,24 @@ else
         # Publishing bleeding edge image
         echo --output "type=image,push=true"
         echo --tag "${DOCKER_IMAGE:-weblate/wlc}:bleeding"
+        echo --tag "${DOCKER_IMAGE:-weblate/wlc}:bleeding-$(date -I)-$(git rev-parse --short HEAD)"
     elif [ "$1" = "publish" ] ; then
         # Publishing normal image
         echo --output "type=image,push=true"
 
         # Generate tags
         case "$GITHUB_REF" in
             refs/tags/[0-9]*)
-                echo --tag "${DOCKER_IMAGE:-weblate/wlc}:${GITHUB_REF#refs/tags/}"
+                RELEASE="${GITHUB_REF#refs/tags/}"
+                MINOR="${RELEASE%.*.*}"
+                MAJOR="${MINOR%.*}"
+                echo --tag "${DOCKER_IMAGE:-weblate/wlc}:$RELEASE"
+                echo --tag "${DOCKER_IMAGE:-weblate/wlc}:$MAJOR"
                 echo --tag "${DOCKER_IMAGE:-weblate/wlc}:latest"
                 ;;
             refs/heads/main)
                 echo --tag "${DOCKER_IMAGE:-weblate/wlc}:edge"
+                echo --tag "${DOCKER_IMAGE:-weblate/wlc}:edge-$(date -I)-${GITHUB_SHA}"
                 ;;
         esac
     else

.github/workflows/dockerimage.yml

@@ -12,6 +12,9 @@ on:
     - '*'
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-22.04
@@ -22,9 +25,12 @@ jobs:
     env:
       MATRIX_ARCHITECTURE: ${{ matrix.architecture }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+    - uses: actions/checkout@v4
     - name: Set up Docker Buildx
       uses: docker/[email protected]
+      with:
+        # renovate: datasource=github-releases depName=docker/buildx
+        version: v0.12.0
     - name: Cache Docker layers
       uses: actions/cache@v3
       id: cache
@@ -34,24 +40,29 @@ jobs:
     - name: Configure Docker build
       run: .github/bin/get-buildx-args
     - name: Build the Docker image
-      run: docker buildx build $(.github/bin/get-buildx-args)
+      run: .github/bin/docker-build
 
   buildx:
     runs-on: ubuntu-22.04
     name: Build, ${{ matrix.architecture }}
     strategy:
       matrix:
-        architecture: [linux/arm/v7, linux/arm64]
+        architecture:
+        - linux/arm/v7
+        - linux/arm64
     env:
       MATRIX_ARCHITECTURE: ${{ matrix.architecture }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+    - uses: actions/checkout@v4
     - name: Set up QEMU
       uses: docker/[email protected]
       with:
         platforms: ${{ matrix.architecture }}
     - name: Set up Docker Buildx
       uses: docker/[email protected]
+      with:
+        # renovate: datasource=github-releases depName=docker/buildx
+        version: v0.12.0
     - name: Cache Docker layers
       uses: actions/cache@v3
       id: cache
@@ -61,7 +72,7 @@ jobs:
     - name: Configure Docker build
       run: .github/bin/get-buildx-args
     - name: Build the Docker image
-      run: docker buildx build $(.github/bin/get-buildx-args)
+      run: .github/bin/docker-build
 
   test:
     runs-on: ubuntu-22.04
@@ -74,17 +85,20 @@ jobs:
       MATRIX_ARCHITECTURE: ${{ matrix.architecture }}
       COMPOSE_PROJECT_NAME: wl
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+    - uses: actions/checkout@v4
     - name: Set up Docker Buildx
       uses: docker/[email protected]
+      with:
+        # renovate: datasource=github-releases depName=docker/buildx
+        version: v0.12.0
     - name: Cache Docker layers
       uses: actions/cache@v3
       id: cache
       with:
         path: /tmp/.buildx-cache/${{ matrix.architecture }}
         key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }}
     - name: Build the Docker image
-      run: docker buildx build $(.github/bin/get-buildx-args load)
+      run: .github/bin/docker-build load
     - name: List Docker images
       run: docker image ls --all
     - name: Test the Docker image
@@ -93,34 +107,39 @@ jobs:
   anchore:
     runs-on: ubuntu-22.04
     name: Anchore Container Scan, ${{ matrix.architecture }}
-    needs: [build]
+    needs:
+    - build
+    permissions:
+      security-events: write
     strategy:
       matrix:
         architecture: [linux/amd64]
     env:
       MATRIX_ARCHITECTURE: ${{ matrix.architecture }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+    - uses: actions/checkout@v4
     - name: Set up Docker Buildx
       uses: docker/[email protected]
+      with:
+        # renovate: datasource=github-releases depName=docker/buildx
+        version: v0.12.0
     - name: Cache Docker layers
       uses: actions/cache@v3
       id: cache
       with:
         path: /tmp/.buildx-cache/${{ matrix.architecture }}
         key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }}
     - name: Build the Docker image
-      run: docker buildx build $(.github/bin/get-buildx-args load)
+      run: .github/bin/docker-build load
     - name: List Docker images
       run: docker image ls --all
     - name: Checkout the code
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      uses: actions/checkout@v4
     - name: Anchore scan action
       uses: anchore/scan-action@v3
       with:
         image: weblate/wlc:test
         fail-build: false
-        acs-report-enable: true
         severity-cutoff: high
     - name: Upload Anchore Scan Report
       uses: github/codeql-action/upload-sarif@v2
@@ -134,28 +153,34 @@ jobs:
   trivy:
     runs-on: ubuntu-22.04
     name: Trivy Container Scan, ${{ matrix.architecture }}
-    needs: [build]
+    needs:
+    - build
+    permissions:
+      security-events: write
     strategy:
       matrix:
         architecture: [linux/amd64]
     env:
       MATRIX_ARCHITECTURE: ${{ matrix.architecture }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+    - uses: actions/checkout@v4
     - name: Set up Docker Buildx
       uses: docker/[email protected]
+      with:
+        # renovate: datasource=github-releases depName=docker/buildx
+        version: v0.12.0
     - name: Cache Docker layers
       uses: actions/cache@v3
       id: cache
       with:
         path: /tmp/.buildx-cache/${{ matrix.architecture }}
         key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }}
     - name: Build the Docker image
-      run: docker buildx build $(.github/bin/get-buildx-args load)
+      run: .github/bin/docker-build load
     - name: List Docker images
       run: docker image ls --all
     - name: Checkout the code
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      uses: actions/checkout@v4
     - name: Run Trivy vulnerability scanner
       uses: aquasecurity/[email protected]
       with:
@@ -177,17 +202,24 @@ jobs:
   push_dockerhub:
     runs-on: ubuntu-22.04
     name: Publish to Docker Hub
-    needs: [test, anchore, trivy, buildx]
-    if: ${{ startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main') }}
+    needs:
+    - test
+    - buildx
+    - anchore
+    - trivy
+    if: ${{ (startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main')) && github.repository == 'WeblateOrg/wlc' }}
     steps:
     - name: Checkout
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      uses: actions/checkout@v4
     - name: Set up QEMU
       uses: docker/[email protected]
       with:
         platforms: all
     - name: Set up Docker Buildx
       uses: docker/[email protected]
+      with:
+        # renovate: datasource=github-releases depName=docker/buildx
+        version: v0.12.0
     - name: Cache Docker layers
       uses: actions/cache@v3
       id: cache-arm64
@@ -211,24 +243,33 @@ jobs:
     - name: Configure Docker build
       run: .github/bin/get-buildx-args publish
     - name: Publish the Docker images
-      run: docker buildx build $(.github/bin/get-buildx-args publish)
+      run: .github/bin/docker-build publish
 
   push_github:
     runs-on: ubuntu-22.04
     name: Publish to GitHub
-    needs: [test, anchore, trivy, buildx]
-    if: ${{ startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main') }}
+    permissions:
+      packages: write
+    needs:
+    - test
+    - buildx
+    - anchore
+    - trivy
+    if: ${{ (startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main')) && github.repository == 'WeblateOrg/docker' }}
     env:
       DOCKER_IMAGE: ghcr.io/weblateorg/wlc
     steps:
     - name: Checkout
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      uses: actions/checkout@v4
     - name: Set up QEMU
       uses: docker/[email protected]
       with:
         platforms: all
     - name: Set up Docker Buildx
       uses: docker/[email protected]
+      with:
+        # renovate: datasource=github-releases depName=docker/buildx
+        version: v0.12.0
     - name: Cache Docker layers
       uses: actions/cache@v3
       id: cache-arm64
@@ -257,4 +298,4 @@ jobs:
     - name: Configure Docker build
       run: .github/bin/get-buildx-args publish
     - name: Publish the Docker images
-      run: docker buildx build $(.github/bin/get-buildx-args publish)
+      run: .github/bin/docker-build publish