Update CODEOWNERS #2

Workflow file for this run

.github/workflows/containers.build.yaml at 06a95f2

	name: "Containers: Test-and-Build"

	on:
	workflow_call:
	workflow_dispatch:
	push:
	branches:
	- master
	paths:
	- "containers/apps/**"
	- "containers/base/**"
	- ".github/workflows/containers.build.yaml"
	# pull_request:
	# paths:
	# - "apps/**"
	# - "base/**"
	# - ".github/workflows/containers.build.yaml"

	env:
	# How long to sleep before running the tests (gives the application time to start)
	GOSS_SLEEP: 30
	# Number of times to run the goss test
	GOSS_ITERATIONS: 3

	# Detect which folders in project-root (which contain the containers) contain changes
	jobs:
	changes:
	name: Get changes
	runs-on: ubuntu-24.04
	outputs:
	matrix: '{"container": ${{ steps.reduce.outputs.containers }} }'
	containers_found: ${{ steps.reduce.outputs.containers_found }} # New output
	steps:
	- name: Checkout
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
	- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
	id: filter
	with:
	list-files: json
	filters: \|
	changed:
	- 'containers/apps/**'
	- 'containers/dev/**'
	- 'containers/base/**'
	- run: echo '${{ toJson(steps.filter.outputs) }}' > changes.json
	- id: reduce
	run: \|
	CONTAINERS=$(jq --raw-output '.changed_files \| fromjson \| .[] \|= sub("(?<filepath>/?containers/(?<first_directory>(?<root1>[/]?)[^/]+/)(?<second_directory>(?<root2>[/]?)[^/]+)(?<extra_paths>/[^/]+)*)"; "\(.second_directory)") \| unique' changes.json)

	# Set the containers output
	echo ::set-output name=containers::${CONTAINERS}

	# Check if containers were found and set the containers_found output
	if [[ "$CONTAINERS" == "[]" \|\| -z "$CONTAINERS" ]]; then
	echo "No Containers Found, Skipping"
	echo ::set-output name=containers_found::false
	else
	echo ::set-output name=containers_found::true
	echo "Containers Found: "
	echo $CONTAINERS

	fi

	hadolint:
	name: Run hadolint
	runs-on: ubuntu-24.04
	steps:
	- name: Checkout
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
	#- name: hadolint
	# uses: reviewdog/action-hadolint@73fec8b28091e5082c19df69815dd749d97b882a # v1.46.0
	# with:
	# github_token: ${{ secrets.GITHUB_TOKEN }}
	# reporter: github-pr-review
	# filter_mode: diff_context
	# hadolint_ignore: DL3007
	# fail_on_error: true
	# exclude: \|
	# /website/*
	# /cluster/*
	# /archive/*
	# /clustertool/*
	# /.github/*
	# /website/*
	# /repositories/*
	# /templates/*


	build:
	permissions:
	actions: read # for detecting the Github Actions environment.
	id-token: write # for creating OIDC tokens for signing.
	packages: write # for uploading attestations.
	name: Build
	runs-on: ubuntu-24.04
	needs:
	- hadolint
	- changes
	if: ${{ needs.changes.outputs.containers_found == 'true' }}
	strategy:
	matrix: ${{ fromJson(needs.changes.outputs.matrix) }}
	fail-fast: false
	steps:
	- name: Checkout
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

	# Define if tests and push should be run against which versions/platforms
	- name: Prepare
	id: prep
	run: \|
	# Make sure we have the latest version in the version file
	# To avoid publishing a new container version with an old tag
	bash ./.github/scripts/update-version-file.sh "${{ matrix.container }}"
	if test -f "./containers/apps/${{ matrix.container }}/VERSION"; then
	CATEGORY="apps"
	VERSION=$(cat ./containers/${CATEGORY}/${{ matrix.container }}/VERSION)
	elif test -f "./containers/apps/${{ matrix.container }}/Dockerfile"; then
	CATEGORY="apps"
	echo ::set-output name=category::${CATEGORY}
	VERSION="$(head -1 ./containers/${CATEGORY}/${{ matrix.container }}/Dockerfile \| cut -d'@' -f1 \| sed 's/^FROM.*://' )"
	VERSION=$(echo $VERSION \| sed "s/latest-//g")
	VERSION=$(echo $VERSION \| sed "s/stable-//g")
	VERSION=$(echo $VERSION \| sed "s/edge-//g")
	VERSION=$(echo $VERSION \| sed "s/build-//g")
	VERSION=$(echo $VERSION \| sed "s/cpu-//g")
	VERSION=$(echo $VERSION \| sed "s/gpu-//g")
	VERSION=$(echo $VERSION \| sed "s/release-//g")
	VERSION=$(echo $VERSION \| sed "s/release_//g")
	VERSION=$(echo $VERSION \| sed "s/version-//g")
	VERSION=$(echo $VERSION \| sed "s/version_//g")
	VERSION=$(echo $VERSION \| sed "s/apache-//g")
	VERSION=$(echo $VERSION \| sed "s/ubuntu-//g")
	VERSION=$(echo $VERSION \| sed "s/focal-//g")
	VERSION=$(echo $VERSION \| sed "s/fpm-//g")
	VERSION=$(echo $VERSION \| sed "s/vaapi-//g")
	VERSION=$(echo $VERSION \| sed "s/cuda-//g")
	VERSION=$(echo $VERSION \| sed "s/-centos7//g")
	VERSION=$(echo $VERSION \| sed "s/java[0-9]*-//g")
	VERSION="${VERSION#*V.}"
	VERSION="${VERSION#*v.}"
	VERSION="${VERSION#*v-}"
	VERSION="${VERSION#*v}"
	VERSION="${VERSION%-*}"
	if (echo "$VERSION" \| grep -Pq "^\d+\.\d+$"); then
	VERSION="${VERSION}.0"
	fi;
	else
	CATEGORY="base"
	VERSION=$(cat ./containers/${CATEGORY}/${{ matrix.container }}/VERSION) \|\| VERSION="$(head -1 ./containers/${CATEGORY}/${{ matrix.container }}/Dockerfile \| cut -d'@' -f1 \| sed 's/^FROM.*://' )"
	VERSION=$(echo $VERSION \| sed "s/latest-//g")
	VERSION=$(echo $VERSION \| sed "s/stable-//g")
	VERSION="${VERSION#*V.}"
	VERSION="${VERSION#*v.}"
	VERSION="${VERSION#*v-}"
	VERSION="${VERSION#*v}"
	VERSION="${VERSION%-*}"
	if (echo "$VERSION" \| grep -Pq "^\d+\.\d+$"); then
	VERSION="${VERSION}.0"
	fi;
	fi
	echo ::set-output name=category::${CATEGORY}
	echo ::set-output name=version::${VERSION}
	PLATFORM="linux/amd64"
	echo ::set-output name=platform::${PLATFORM}
	if test -f "./${CATEGORY}/${{ matrix.container }}/goss.yaml"; then
	echo ::set-output name=goss::true
	else
	echo ::set-output name=goss::false
	fi
	if [ "${{github.event_name}}" == "pull_request" ]; then
	echo ::set-output name=push::false
	echo ::set-output name=cache_from::"type=registry,ref=ghcr.io/truecharts/${{ matrix.container }}:buildcache" \|\| echo ::set-output name=cache_from::""
	echo ::set-output name=cache_to::""
	else
	echo ::set-output name=push::true
	echo ::set-output name=cache_from::"type=registry,ref=ghcr.io/truecharts/${{ matrix.container }}:buildcache"
	echo ::set-output name=cache_to::"type=registry,ref=ghcr.io/truecharts/${{ matrix.container }}:buildcache,mode=max"
	fi

	- name: Get Time
	id: time
	uses: nanzm/get-time-action@887e4db9af58ebae64998b7105921b816af77977 # v2.0
	with:
	timeZone: 1
	format: "YYYYMMDDHHmmss"

	- name: Set up QEMU
	uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
	with:
	platforms: amd64

	- uses: sigstore/cosign-installer@main

	- name: Install Syft
	uses: anchore/sbom-action/download-syft@251a468eed47e5082b105c3ba6ee500c0e65a764 # v0.17.6

	- name: Login to Quay
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
	if: github.event_name != 'pull_request'
	with:
	registry: quay.io
	username: ${{ secrets.QUAY_TCCR_USER }}
	password: ${{ secrets.QUAY_TCCR_TOKEN }}

	- name: Login to GHCR
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
	if: github.event_name != 'pull_request'
	with:
	registry: ghcr.io
	username: ${{ secrets.GHCR_USERNAME }}
	password: ${{ secrets.GHCR_TOKEN }}
	- name: Docker meta
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
	with:
	# list of Docker images to use as base name for tags
	images: \|
	quay.io/tccr/${{ matrix.container }}
	tccr.io/tccr/${{ matrix.container }}

	# Install and configure Buildx
	- name: Set up Docker Buildx
	id: buildx
	uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3
	with:
	install: true
	version: latest
	driver-opts: image=moby/buildkit:latest

	# Install the GOSS testing framework
	- name: Set up goss/dgoss
	uses: e1himself/goss-installation-action@fbb6fb55d3e59c96045b2500eeb8ce0995d99ac1 # v1.2.1
	if: ${{ steps.prep.outputs.goss == 'true' }}
	with:
	version: "v0.3.16"

	# Creates a local build to run tests on
	- name: Build and Load local test-container
	if: ${{ steps.prep.outputs.goss == 'true' }}
	uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6
	with:
	build-args: \|
	VERSION=${{ steps.prep.outputs.version }}
	CONTAINER_NAME=${{ matrix.container }}
	CONTAINER_VER=${{ steps.prep.outputs.version }}
	context: .
	file: ./containers/${{ steps.prep.outputs.category }}/${{ matrix.container }}/Dockerfile
	load: true
	tags: \|
	tccr.io/tccr/${{ matrix.container }}:test
	cache-from: ${{ steps.prep.outputs.cache_from }}
	cache-to: ${{ steps.prep.outputs.cache_to }}

	# Run GOSS tests if included with the container
	- name: Run GOSS tests
	if: ${{ steps.prep.outputs.goss == 'true' }}
	env:
	GOSS_FILE: ./containers/${{ steps.prep.outputs.category }}/${{ matrix.container }}/goss.yaml
	run: \|
	for i in $(seq 1 ${{ env.GOSS_ITERATIONS }}); do
	echo "Running GOSS test iteration $i of ${{ env.GOSS_ITERATIONS }}..."
	dgoss run tccr.io/tccr/${{ matrix.container }}:test
	done

	# Push if not a PR, otherwise just test the build process for all requested platforms
	- name: Build and Push
	id: push
	uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6
	with:
	build-args: \|
	VERSION=${{ steps.prep.outputs.version }}
	CONTAINER_NAME=${{ matrix.container }}
	CONTAINER_VER=${{ steps.prep.outputs.version }}
	context: .
	platforms: ${{ steps.prep.outputs.platform }}
	file: ./containers/${{ steps.prep.outputs.category }}/${{ matrix.container }}/Dockerfile
	push: ${{ steps.prep.outputs.push }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: ${{ steps.prep.outputs.cache_from }}
	cache-to: ${{ steps.prep.outputs.cache_to }}
	tags: \|
	quay.io/tccr/${{ matrix.container }}:latest
	quay.io/tccr/${{ matrix.container }}:v${{ steps.prep.outputs.version }}
	quay.io/tccr/${{ matrix.container }}:build${{ steps.time.outputs.time }}

	- name: Set quay to Public
	if: github.event_name != 'pull_request'
	run: \|
	curl -X POST -H "Content-Type: application/json" -d '{"visibility": "public"}' -H "Authorization: Bearer ${{ secrets.QUAY_TCCR_API_TOKEN }}" "https://quay.io/api/v1/repository/tccr/${{ matrix.container }}/changevisibility"

	- name: Sign the images
	if: github.event_name != 'pull_request'
	run: \|
	cosign sign quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }} -y -a "repo=${{ github.repository }}" -a "workflow=${{ github.workflow }}" -a "ref=${{ github.sha }}"

	- name: Verify the pushed tags
	if: github.event_name != 'pull_request'
	run: \|
	cosign verify quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/truecharts/public/.github/workflows/containers.build.yaml@refs/heads/master

	- name: Generate SBOM
	if: github.event_name != 'pull_request'
	run: \|
	syft "quay.io/tccr/${{ matrix.container }}:v${{ steps.prep.outputs.version }}@${{ steps.push.outputs.digest }}" -o spdx-json=${{ matrix.container }}-sbom-spdx.json

	- name: Attach SBOM to image
	if: github.event_name != 'pull_request'
	run: \|
	cosign attest --predicate ${{ matrix.container }}-sbom-spdx.json --type spdx "quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }}" -y

	- name: Verify SBOM attestation
	if: github.event_name != 'pull_request'
	run: \|
	cosign verify-attestation quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }} --type https://spdx.dev/Document --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/truecharts/containers/.github/workflows/containers.build.yaml@refs/heads/master \| jq '.payload \|= @base64d \| .payload \| fromjson'

	- name: Generate provenance
	id: gen-prov
	if: github.event_name != 'pull_request'
	run: \|
	wget https://github.com/slsa-framework/slsa-github-generator/releases/download/v1.5.0/slsa-generator-container-linux-amd64
	chmod +x slsa-generator-container-linux-amd64
	# Generate a predicate only.
	./slsa-generator-container-linux-amd64 generate --predicate="${{ matrix.container }}-predicate.json"
	env:
	UNTRUSTED_IMAGE: "quay.io/tccr/${{ matrix.container }}"
	UNTRUSTED_DIGEST: "${{ steps.push.outputs.digest }}"
	GITHUB_CONTEXT: "${{ toJSON(github) }}"

	- name: Sign provenance
	id: sign-prov
	if: github.event_name != 'pull_request'
	run: \|
	cosign attest --predicate="${{ matrix.container }}-predicate.json" \
	--type slsaprovenance \
	--yes \
	"quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }}"
	env:
	COSIGN_EXPERIMENTAL: 1

	- name: Verify provenance attestation
	if: github.event_name != 'pull_request'
	id: verf-prov
	run: \|
	cosign verify-attestation quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }} --type slsaprovenance --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/truecharts/containers/.github/workflows/containers.build.yaml@refs/heads/master \| jq '.payload \|= @base64d \| .payload \| fromjson'
	env:
	COSIGN_EXPERIMENTAL: 1


	# Summarize matrix https://github.community/t/status-check-for-a-matrix-jobs/127354/7
	container-build-complete:
	needs: [changes, hadolint, build]
	if: ${{ always() }}
	name: Container Build Completed
	runs-on: ubuntu-latest
	steps:
	- name: Check Results
	run: \|
	if [[ "${{ needs.changes.outputs.containers_found }}" == 'true' && ( "${{ needs.hadolint.result }}" != "success" \|\| \
	"${{ needs.build.result }}" != "success") ]]; then
	echo "One or more jobs failed!"
	exit 1
	else
	echo "Container Build and Tests Completed Successfully"
	fi

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update CODEOWNERS #2

Workflow file

Update CODEOWNERS #2

Jobs

Run details

Workflow file for this run