From 6f1c1932c00d79c921ea579dd4cca5d8f7c04d09 Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Sun, 11 Sep 2022 13:53:58 +0200 Subject: [PATCH] refactor workflow --- .github/workflows/build.yml | 85 ++++++++++++++++++++++++------------- 1 file changed, 56 insertions(+), 29 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 201eed1..b383ebd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,49 +3,76 @@ name: build on: workflow_dispatch: push: - branches: [ main ] + branches: + - main + # Ignore Markdown files + paths-ignore: + - '**.md' schedule: # Build the image regularly (each Friday) - cron: '13 21 * * 5' +env: + REGISTRY: ghcr.io + IMAGE_NAME: wonderfall/synapse + jobs: build: name: Build, scan & push - runs-on: "ubuntu-20.04" + runs-on: "ubuntu-latest" + permissions: + contents: read + packages: write + id-token: write + steps: - name: Checkout code uses: actions/checkout@v2 - - name: Build an image from Dockerfile + - name: Extract version for tags run: | - docker build \ - -t ghcr.io/wonderfall/synapse \ - -t ghcr.io/wonderfall/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c6) \ - -t ghcr.io/wonderfall/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c4) \ - . + echo "FULL_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c6)" >> $GITHUB_ENV + echo "MAJOR_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c4)" >> $GITHUB_ENV - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@main with: - image-ref: 'ghcr.io/wonderfall/synapse' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - vuln-type: "os" + cosign-release: 'v1.11.0' - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Login to registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v2 with: - sarif_file: 'trivy-results.sarif' + registry: ${{ env.REGISTRY }} + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: Docker login - run: >- - echo "${{ secrets.GITHUB_TOKEN }}" - | docker login -u "${{ github.actor }}" --password-stdin ghcr.io - - - name: Push image to GitHub - run: | - docker push ghcr.io/wonderfall/synapse - docker push ghcr.io/wonderfall/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c6) - docker push ghcr.io/wonderfall/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c4) + - name: Set Docker metadata + id: meta + uses: docker/metadata-action@v4 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + latest + ${{ env.FULL_VERSION }} + ${{ env.MAJOR_VERSION }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@v3 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + run: cosign sign ${TAGS} + env: + COSIGN_EXPERIMENTAL: "true" + TAGS: ${{ steps.meta.outputs.tags }}