Skip to content
This repository has been archived by the owner on Jul 3, 2024. It is now read-only.

CD

CD #759

Workflow file for this run

name: CD
on:
push:
branches: [master]
schedule:
- cron: '30 3 * * *'
workflow_dispatch:
inputs:
force_rebuild:
description: 'Force container rebuild'
required: true
type: choice
options: [yes, no]
permissions:
packages: write
contents: read
jobs:
CentOS:
name: CentOS
runs-on: ubuntu-latest
timeout-minutes: 10
strategy:
matrix:
version: [ '7' ]
steps:
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Check for rebuild
id: update_check
continue-on-error: true
run : |
# [update-check]
echo -e "::group::\033[34mChecking for packages updates…\033[0m"
if [[ "${{ github.event.inputs.force_rebuild }}" == "true" ]] ; then
echo "::warning::Rebuild ${{matrix.version}} (reason: forced rebuild)"
echo "build=true" >> $GITHUB_OUTPUT
exit 0
else
if ! docker pull ${{github.repository}}:${{matrix.version}} ; then
echo "::warning::Rebuild ${{matrix.version}} (reason: new image)"
echo "build=true" >> $GITHUB_OUTPUT
exit 0
fi
if ! docker run --rm ${{github.repository}}:${{ matrix.version }} yum check-update ; then
echo "::warning::Rebuild ${{matrix.version}} (reason: packages update)"
echo "build=true" >> $GITHUB_OUTPUT
exit 0
fi
fi
echo "::endgroup::"
echo -e "::group::\033[34mChecking for rebuilt base image…\033[0m"
docker pull centos:${{matrix.version}}
orig_dig=$(docker inspect "centos:${{matrix.version}}" | jq -r '.[0].RootFS.Layers[0]')
our_dig=$(docker inspect "${{github.repository}}:${{matrix.version}}" | jq -r '.[0].RootFS.Layers[0]')
echo ""
echo "Original: ${orig_dig}"
echo "Our: ${our_dig}"
if [[ "$orig_dig" != "$our_dig" ]] ; then
echo "::warning::Rebuild ${{matrix.version}} (reason: rebuilt base image)"
echo "build=true" >> $GITHUB_OUTPUT
exit 0
fi
echo "::endgroup::"
- name: Checkout
if: ${{ steps.update_check.outputs.build == 'true' }}
uses: actions/checkout@v4
- name: Set build context
if: ${{ steps.update_check.outputs.build == 'true' }}
id: build_context
run: |
echo "dockerfile=centos${{matrix.version}}.docker" >> $GITHUB_OUTPUT
- name: Rebuild and push image
if: ${{ steps.update_check.outputs.build == 'true' }}
uses: docker/build-push-action@v5
with:
context: .
file: ${{ steps.build_context.outputs.dockerfile }}
push: true
tags: |
ghcr.io/${{github.repository}}:${{matrix.version}}
${{github.repository}}:${{matrix.version}}
- name: Show info about images
uses: essentialkaos/docker-info-action@v1
with:
image: ${{github.repository}}:${{matrix.version}}
- name: Scan final image with Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/${{github.repository}}:${{matrix.version}}'
format: 'table'
ignore-unfixed: true
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
scanners: 'vuln'