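name: Docker

# Triggers: every PR and merge-queue entry (build only, nothing is pushed),
# pushes to main, published releases, manual dispatch and a nightly run at
# 00:00 UTC.
on:
  pull_request:
  workflow_dispatch:
  merge_group:
  schedule:
    - cron: "0 0 * * *"
  push:
    branches: [ "main" ]
  release:
    types: [ published ]

# Workflow-wide default is read-only; the build job widens its own scope below.
permissions: read-all

jobs:
  lint:
    name: Lint Dockerfile
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0

  build:
    name: Build and publish
    runs-on: ubuntu-24.04-arm
    permissions:
      contents: read
      packages: write          # push the image to ghcr.io
      attestations: write      # NOTE(review): no step in this job calls actions/attest-*; confirm this scope is consumed or drop it
      id-token: write          # NOTE(review): OIDC token; confirm a step actually uses it, otherwise drop it
      security-events: write   # upload-sarif below
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      # Registry login with the job's own token. On pull_request/merge_group
      # bake runs with push=false, so the write scope is never exercised there.
      - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}
      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      # Derives tags, labels and annotations from the triggering event. Its
      # outputs feed the bake step (bake-file*) and the scan step (json).
      - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        id: meta
        env:
          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
        with:
          images: ghcr.io/${{ github.repository }}
          # Resulting tags per event:
          #   on.schedule:         nightly
          #   tag ref (release):   latest (auto), v1.2.3, v1.2, v1
          #   on.push.branch:      <branchName>
          #   on.pull_request:     pr-<number> (never pushed)
          tags: |
            type=schedule
            type=semver,pattern={{raw}}
            type=semver,pattern=v{{major}}.{{minor}}
            type=semver,pattern=v{{major}}
            type=ref,event=branch
            type=ref,event=pr
      - uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
        with:
          # Build-only for PRs and the merge queue; publish for every other event.
          push: ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }}
          files: |
            cwd://${{ steps.meta.outputs.bake-file }}
            cwd://${{ steps.meta.outputs.bake-file-annotations }}
            ./docker-bake.hcl
          sbom: true
          provenance: true
          set: |
            *.cache-from=type=gha
            *.cache-to=type=gha,mode=max
      # Vulnerability scan of the image that was just published; skipped on the
      # events where nothing was pushed.
      - uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
        id: scan
        if: ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }}
        with:
          # First tag emitted by metadata-action: the exact reference bake
          # pushed, so the scan target cannot drift from the image name above.
          image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
          cache-db: true
          severity-cutoff: 'high'
          # Findings are surfaced in code scanning rather than gating: the
          # image has already been published by this point, so failing here
          # would only mark the run red.
          fail-build: false
      - uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
        if: ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }}
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}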