Docker Image Release #67
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Docker Image Release | |
on: | |
schedule: | |
- cron: '0 0 * * *' | |
push: | |
branches: | |
- main | |
env: | |
DOCKER_REPO_NAME: rogerrum | |
DOCKER_IMAGE_NAME: docker-nomie6-oss | |
jobs: | |
# Get list of versions | |
get-latest-version: | |
name: Get Latest Release Version for nomie6-oss | |
runs-on: ubuntu-latest | |
steps: | |
- name: Get Latest Release Version | |
id: get_nomie_version | |
run: | | |
# Fetch the latest stable release (exclude beta versions) | |
echo "version=$(curl -s -H 'Accept: application/vnd.github.v3+json' https://api.github.com/repos/open-nomie/nomie6-oss/releases | jq -cMr '([.[]|select(all(.tag_name; contains("beta")|not))])|.[:1]|.[].tag_name')" >> "${GITHUB_OUTPUT}" | |
- name: Output Versions | |
run: | | |
# Output the versions for further use | |
echo "Latest Release: ${{ steps.get_nomie_version.outputs.version }}" | |
outputs: | |
nomie: ${{ steps.get_nomie_version.outputs.version }} | |
check-image-version: | |
needs: get-latest-version | |
name: Check if Image Version Exists | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check if image exists | |
id: check_image | |
run: | | |
if docker pull rogerrum/docker-nomie6-oss:${{ needs.get-latest-version.outputs.nomie }}; then | |
echo "Image version already exists. Skipping build." | |
echo "skip_build=true" >> "${GITHUB_OUTPUT}" | |
else | |
echo "Image version does not exist. Proceeding with the build." | |
echo "skip_build=false" >> "${GITHUB_OUTPUT}" | |
fi | |
continue-on-error: true # Allow failure as we want to proceed with the build even if the image doesn't exist | |
- name: Output | |
run: | | |
echo "Skip Build: ${{ steps.check_image.outputs.skip_build }}" | |
outputs: | |
skip: ${{ steps.check_image.outputs.skip_build }} | |
build: | |
runs-on: ubuntu-latest | |
needs: | |
- check-image-version | |
- get-latest-version | |
if: ${{ needs.check-image-version.outputs.skip == 'false' }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Docker login - docker hub | |
uses: azure/docker-login@v2 | |
with: | |
username: ${{ secrets.USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Docker login - ghcr | |
uses: azure/docker-login@v2 | |
with: | |
login-server: ghcr.io | |
username: ${{ secrets.USERNAME }} | |
password: ${{ secrets.PASSWORD }} | |
- name: Set up Qemu | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Output platforms | |
run: | | |
echo "Platforms: ${{ steps.buildx.outputs.platforms }}" | |
- name: Build and push with latest tag | |
uses: docker/build-push-action@v6 | |
with: | |
push: true | |
pull: true | |
platforms: linux/arm64,linux/amd64 | |
build-args: | | |
BRANCH=${{ needs.get-latest-version.outputs.nomie }} | |
tags: | | |
rogerrum/docker-nomie6-oss:${{ needs.get-latest-version.outputs.nomie }} | |
rogerrum/docker-nomie6-oss:latest | |
ghcr.io/rogerrum/docker-nomie6-oss:latest | |
ghcr.io/rogerrum/docker-nomie6-oss:${{ needs.get-latest-version.outputs.nomie }} | |
- name: Docker Hub Description | |
if: github.event_name != 'pull_request' | |
uses: peter-evans/dockerhub-description@v4 | |
with: | |
username: ${{ secrets.USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
repository: rogerrum/docker-nomie6-oss | |
# Trivy test | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
id: trivy | |
with: | |
image-ref: 'ghcr.io/rogerrum/docker-nomie6-oss:${{ needs.get-latest-version.outputs.nomie }}' | |
format: 'sarif' | |
exit-code: '0' | |
ignore-unfixed: true | |
vuln-type: 'os,library' | |
severity: 'CRITICAL,HIGH' | |
output: results.sarif | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
if: always() | |
with: | |
sarif_file: 'results.sarif' |