Skip to content

Release

Release #44

Workflow file for this run

#
# Copyright 2021 Jens A. Koch.
# SPDX-License-Identifier: MIT
# This file is part of jakoch/cpp-devbox.
#
name: Release
on:
# You can manually run this workflow.
workflow_dispatch:
# This workflow runs on pushing a semantic versionized tag (e.g. v1.0.0).
# This workflow does not run when pushing to the main branch.
push:
#branches:
# - main
tags:
- 'v[0-9]+.[0-9]+.[0-9]+'
# This workflow runs on schedule: every Sunday at 1 am.
schedule:
- cron: "0 1 * * 0"
env:
DOCKERHUB_IMAGE: ${{ github.repository }}
GHCR_IMAGE: ghcr.io/${{ github.repository }}
jobs:
# ---------------------------------------------------------------------------------------
build:
# ---------------------------------------------------------------------------------------
name: "Build Container"
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
strategy:
fail-fast: false
matrix:
config:
- { platform: "linux/amd64", debian_codename: "bookworm" }
- { platform: "linux/amd64", debian_codename: "trixie" }
steps:
- name: ✂️ Free Disk Space
uses: jlumbroso/[email protected] # https://github.com/jlumbroso/free-disk-space
with:
tool-cache: true
docker-images: false
- name: 🤘 Checkout Code
uses: actions/checkout@v4 # https://github.com/actions/checkout
- name: 🔍 Run hadolint
uses: hadolint/[email protected] # https://github.com/hadolint/hadolint-action
with:
dockerfile: .devcontainer/debian/${{ matrix.config.debian_codename }}/Dockerfile
no-fail: true
#- name: 🔒 Login to DockerHub Container Registry
# if: github.event_name != 'pull_request'
# uses: docker/login-action@v3 # https://github.com/docker/login-action
# with:
# username: ${{ secrets.DOCKERHUB_USERNAME }}
# password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: 🔒 Login to Github Container Registry (GHCR)
if: github.event_name != 'pull_request'
uses: docker/login-action@v3 # https://github.com/docker/login-action
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: 🔽 Setup QEMU
uses: docker/setup-qemu-action@v3 # https://github.com/docker/setup-qemu-action
with:
platforms: ${{ matrix.config.platform }}
- name: 🔽 Setup Docker Buildx
uses: docker/setup-buildx-action@v3
# cpp-devbox:{debian_codename}-{{date}} # only on scheduled builds
# cpp-devbox:{debian_codename}-{{version}} # only on git tag
# cpp-devbox:{debian_codename}-{{major}}.{{minor}} # only on git tag
# cpp-devbox:{debian_codename}-{{date}}-sha-{{sha}} # only on push, not when tagging
# cpp-devbox:{debian_codename}-latest # always
- name: ✏ Setup Docker Metadata
id: metadata-base
uses: docker/metadata-action@v5 # https://github.com/docker/metadata-action
with:
images: |
${{ env.GHCR_IMAGE }}
flavor: |
latest=auto
prefix=${{ matrix.config.debian_codename }}-
tags: |
type=schedule,pattern={{ date 'YYYYMMDD' }}
type=semver,pattern={{ version }}
type=semver,pattern={{ major }}.{{ minor }}
type=raw,value={{ date 'YYYYMMDD' }}-sha-{{ sha }},enabled=${{ github.event_name == 'push' }}
type=raw,value=latest
# cpp-devbox:{debian_codename}-with-vulkansdk-{{date}} # only on scheduled builds
# cpp-devbox:{debian_codename}-with-vulkansdk-{{version}} # only on git tag
# cpp-devbox:{debian_codename}-with-vulkansdk-{{major}}.{{minor}} # only on git tag
# cpp-devbox:{debian_codename}-with-vulkansdk-{{date}}-sha-{{sha}} # only on push, not when tagging
# cpp-devbox:{debian_codename}-with-vulkansdk-latest # always
- name: ✏ Setup Docker Metadata
id: metadata-base-with-vulkansdk
uses: docker/metadata-action@v5 # https://github.com/docker/metadata-action
with:
images: |
${{ env.GHCR_IMAGE }}
flavor: |
latest=auto
prefix=${{ matrix.config.debian_codename }}-with-vulkansdk-
tags: |
type=schedule,pattern={{ date 'YYYYMMDD' }}
type=semver,pattern={{ version }}
type=semver,pattern={{ major }}.{{ minor }}
type=raw,value={{ date 'YYYYMMDD' }}-sha-{{ sha }},enabled=${{ github.event_name == 'push' }}
type=raw,value=latest
- name: ✏ Create info.json
run: |
jq -n --arg version "${{ github.ref_name }}" \
--arg commit "${{ github.sha }}" \
--arg date "$(date -u +%F)" \
'{ version: $version, commit: $commit, date: $date }' > info.json
# Build Image -> Stage: cpp-devbox-base
- name: 📦 🚀 Build and Push
id: build-base
uses: docker/build-push-action@v6 # https://github.com/docker/build-push-action
with:
context: .
file: .devcontainer/debian/${{ matrix.config.debian_codename }}/Dockerfile
target: cpp-devbox-base
platforms: ${{ matrix.config.platform }}
tags: ${{ steps.metadata-base.outputs.tags }}
labels: ${{ steps.metadata-base.outputs.labels }}
push: true
# Build Image -> Stages: cpp-devbox-base + cpp-devbox-with-vulkansdk = with-vulkansdk
- name: 📦 🚀 Build and Push
id: build-base-with-vulkansdk
uses: docker/build-push-action@v6 # https://github.com/docker/build-push-action
with:
context: .
file: .devcontainer/debian/${{ matrix.config.debian_codename }}/Dockerfile
target: cpp-devbox-with-vulkansdk
platforms: ${{ matrix.config.platform }}
tags: ${{ steps.metadata-base-with-vulkansdk.outputs.tags }}
labels: ${{ steps.metadata-base-with-vulkansdk.outputs.labels }}
push: true
#- name: 🛡️🔍 Scan Image for Vulnerabilities
# uses: aquasecurity/trivy-action@master # https://github.com/aquasecurity/trivy-action
# with:
# image-ref: '${{ env.GHCR_IMAGE }}:latest'
# format: 'sarif'
# output: 'trivy-results.sarif'
# severity: 'CRITICAL,HIGH'
# ignore-unfixed: true
# skip-dirs: gcc-13.2.0,usr/lib64
# upload fails: https://github.com/github/codeql-action/issues/2117
#- name: 🛡️🔼 Upload scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v3 # https://github.com/github/codeql-action
# with:
# sarif_file: 'trivy-results.sarif'