Merge pull request #308 from cybozu/update-20240913 #587
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: main | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - 'main' | |
| env: | |
| go-version: 1.21 | |
| jobs: | |
| build: | |
| name: Build images | |
| strategy: | |
| matrix: | |
| ubuntu-version: ["20.04", "22.04"] | |
| runs-on: ubuntu-22.04 | |
| defaults: | |
| run: | |
| working-directory: ${{ matrix.ubuntu-version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| with: | |
| platforms: linux/amd64,linux/arm64/v8 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| version: v0.11.2 | |
| - name: Login to container registry | |
| if: github.event_name != 'pull_request' | |
| run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USER }} --password-stdin quay.io | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Setup golang | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.go-version }} | |
| - name: Install container-tag-exists | |
| run: go install github.com/Hsn723/container-tag-exists@latest | |
| - name: Build and push ubuntu-minimal image if needed | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| TAG_MINIMAL=$(cat TAG_MINIMAL) | |
| for repo in quay.io ghcr.io; do | |
| c="$(container-tag-exists ${repo}/cybozu/ubuntu-minimal $TAG_MINIMAL 2>&1)" | |
| if [ "$c" = "" ]; then | |
| echo | |
| echo "building ubuntu-minimal ..." | |
| docker buildx build \ | |
| --platform linux/amd64,linux/arm64/v8 \ | |
| --push \ | |
| -t ${repo}/cybozu/ubuntu-minimal:$TAG_MINIMAL \ | |
| --build-arg TAG_MINIMAL=$TAG_MINIMAL \ | |
| ubuntu-minimal | |
| fi | |
| done | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract targets | |
| run: | | |
| TAG=$(cat TAG) | |
| for repo in quay.io ghcr.io; do | |
| for image in ubuntu ubuntu-dev ubuntu-debug; do | |
| c="$(container-tag-exists ${repo}/cybozu/$image $TAG 2>&1)" | |
| if [ "$c" = "" ]; then | |
| echo "build ${repo}/cybozu/$image:$TAG" | |
| echo ${repo}/cybozu/$image >> BUILDS | |
| fi | |
| done | |
| done | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push images | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| if [ ! -f BUILDS ]; then | |
| echo "nothing to build." | |
| exit 0 | |
| fi | |
| TAG_MINIMAL=$(cat TAG_MINIMAL) | |
| TAG=$(cat TAG) | |
| BRANCH=$(cat BRANCH) | |
| for d in $(cat BUILDS); do | |
| echo | |
| echo "building $d ..." | |
| dir=$(echo ${d} | awk -F'/' '{print $3}') | |
| docker buildx build \ | |
| --platform linux/amd64,linux/arm64/v8 \ | |
| --push \ | |
| -t ${d}:$TAG \ | |
| -t ${d}:$BRANCH \ | |
| --build-arg TAG_MINIMAL=$TAG_MINIMAL \ | |
| --build-arg TAG=$TAG \ | |
| ${dir} | |
| done | |
| - name: Install Trivy | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin | |
| - name: Scan images | |
| if: github.event_name != 'pull_request' | |
| env: | |
| YAMORY_ACCESS_TOKEN: ${{ secrets.YAMORY_ACCESS_TOKEN }} | |
| run: | | |
| if [ ! -f BUILDS ]; then | |
| echo "nothing to scan." | |
| exit 0 | |
| fi | |
| TAG=$(cat TAG) | |
| BRANCH=$(cat BRANCH) | |
| for d in $(cat BUILDS); do | |
| echo | |
| echo "scanning $d:$TAG ..." | |
| YAMORY_IMAGE_IDENTIFIER="${d}:$BRANCH" YAMORY_IMAGE_NAME="${d}:$TAG" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)" | |
| done |