chore(deps): update pre-commit hook astral-sh/ruff-pre-commit to v0.4.7 #1701
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright © Michal Čihař <[email protected]> | |
| # | |
| # SPDX-License-Identifier: GPL-3.0-or-later | |
| name: Docker Image CI | |
| on: | |
| push: | |
| branches-ignore: | |
| - renovate/** | |
| tags: | |
| - '*' | |
| pull_request: | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| runs-on: ubuntu-22.04 | |
| name: Build, ${{ matrix.architecture }} | |
| strategy: | |
| matrix: | |
| architecture: [linux/amd64] | |
| env: | |
| MATRIX_ARCHITECTURE: ${{ matrix.architecture }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| with: | |
| # renovate: datasource=github-releases depName=docker/buildx | |
| version: v0.14.1 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache | |
| with: | |
| path: /tmp/.buildx-cache/${{ matrix.architecture }} | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }} | |
| - name: Configure Docker build | |
| run: .github/bin/get-buildx-args | |
| - name: Build the Docker image | |
| run: .github/bin/docker-build | |
| buildx: | |
| runs-on: ubuntu-22.04 | |
| name: Build, ${{ matrix.architecture }} | |
| strategy: | |
| matrix: | |
| architecture: | |
| - linux/arm/v7 | |
| - linux/arm64 | |
| env: | |
| MATRIX_ARCHITECTURE: ${{ matrix.architecture }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/[email protected] | |
| with: | |
| platforms: ${{ matrix.architecture }} | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| with: | |
| # renovate: datasource=github-releases depName=docker/buildx | |
| version: v0.14.1 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache | |
| with: | |
| path: /tmp/.buildx-cache/${{ matrix.architecture }} | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }} | |
| - name: Configure Docker build | |
| run: .github/bin/get-buildx-args | |
| - name: Build the Docker image | |
| run: .github/bin/docker-build | |
| test: | |
| runs-on: ubuntu-22.04 | |
| name: Test, ${{ matrix.architecture }} | |
| needs: [build] | |
| strategy: | |
| matrix: | |
| architecture: [linux/amd64] | |
| env: | |
| MATRIX_ARCHITECTURE: ${{ matrix.architecture }} | |
| COMPOSE_PROJECT_NAME: wl | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| with: | |
| # renovate: datasource=github-releases depName=docker/buildx | |
| version: v0.14.1 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache | |
| with: | |
| path: /tmp/.buildx-cache/${{ matrix.architecture }} | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }} | |
| - name: Build the Docker image | |
| run: .github/bin/docker-build load | |
| - name: List Docker images | |
| run: docker image ls --all | |
| - name: Test the Docker image | |
| run: docker run --rm weblate/wlc:test version | grep "version" | |
| anchore: | |
| runs-on: ubuntu-22.04 | |
| name: Anchore Container Scan, ${{ matrix.architecture }} | |
| needs: | |
| - build | |
| permissions: | |
| security-events: write | |
| strategy: | |
| matrix: | |
| architecture: [linux/amd64] | |
| env: | |
| MATRIX_ARCHITECTURE: ${{ matrix.architecture }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| with: | |
| # renovate: datasource=github-releases depName=docker/buildx | |
| version: v0.14.1 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache | |
| with: | |
| path: /tmp/.buildx-cache/${{ matrix.architecture }} | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }} | |
| - name: Build the Docker image | |
| run: .github/bin/docker-build load | |
| - name: List Docker images | |
| run: docker image ls --all | |
| - name: Checkout the code | |
| uses: actions/checkout@v4 | |
| - name: Anchore scan action | |
| uses: anchore/scan-action@v3 | |
| with: | |
| image: weblate/wlc:test | |
| fail-build: false | |
| severity-cutoff: high | |
| - name: Upload Anchore Scan Report | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: results.sarif | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: Anchore scan SARIF | |
| path: results.sarif | |
| trivy: | |
| runs-on: ubuntu-22.04 | |
| name: Trivy Container Scan, ${{ matrix.architecture }} | |
| needs: | |
| - build | |
| permissions: | |
| security-events: write | |
| strategy: | |
| matrix: | |
| architecture: [linux/amd64] | |
| env: | |
| MATRIX_ARCHITECTURE: ${{ matrix.architecture }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| with: | |
| # renovate: datasource=github-releases depName=docker/buildx | |
| version: v0.14.1 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache | |
| with: | |
| path: /tmp/.buildx-cache/${{ matrix.architecture }} | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }} | |
| - name: Build the Docker image | |
| run: .github/bin/docker-build load | |
| - name: List Docker images | |
| run: docker image ls --all | |
| - name: Checkout the code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: weblate/wlc:test | |
| format: template | |
| template: '@/contrib/sarif.tpl' | |
| output: trivy-results.sarif | |
| severity: CRITICAL,HIGH | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: Trivy scan SARIF | |
| path: trivy-results.sarif | |
| push_dockerhub: | |
| runs-on: ubuntu-22.04 | |
| name: Publish to Docker Hub | |
| needs: | |
| - test | |
| - buildx | |
| - anchore | |
| - trivy | |
| if: ${{ (startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main')) && github.repository == 'WeblateOrg/wlc' }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/[email protected] | |
| with: | |
| platforms: all | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| with: | |
| # renovate: datasource=github-releases depName=docker/buildx | |
| version: v0.14.1 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache-arm64 | |
| with: | |
| path: /tmp/.buildx-cache/linux/arm64 | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/arm64 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache-arm-v7 | |
| with: | |
| path: /tmp/.buildx-cache/linux/arm/v7 | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/arm/v7 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache-amd64 | |
| with: | |
| path: /tmp/.buildx-cache/linux/amd64 | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/amd64 | |
| - name: DockerHub login | |
| run: echo "${{ secrets.DOCKERHUB_ACCESS_TOKEN }}" | docker login --username "${{ secrets.DOCKERHUB_USERNAME }}" --password-stdin | |
| - name: Configure Docker build | |
| run: .github/bin/get-buildx-args publish | |
| - name: Publish the Docker images | |
| run: .github/bin/docker-build publish | |
| push_github: | |
| runs-on: ubuntu-22.04 | |
| name: Publish to GitHub | |
| permissions: | |
| packages: write | |
| needs: | |
| - test | |
| - buildx | |
| - anchore | |
| - trivy | |
| if: ${{ (startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main')) && github.repository == 'WeblateOrg/wlc' }} | |
| env: | |
| DOCKER_IMAGE: ghcr.io/weblateorg/wlc | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/[email protected] | |
| with: | |
| platforms: all | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| with: | |
| # renovate: datasource=github-releases depName=docker/buildx | |
| version: v0.14.1 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache-arm64 | |
| with: | |
| path: /tmp/.buildx-cache/linux/arm64 | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/arm64 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache-arm-v7 | |
| with: | |
| path: /tmp/.buildx-cache/linux/arm/v7 | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/arm/v7 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache-amd64 | |
| with: | |
| path: /tmp/.buildx-cache/linux/amd64 | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/amd64 | |
| - name: Login to GitHub Container Registry | |
| if: ${{ github.event_name != 'pull_request'}} | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Configure Docker build | |
| run: .github/bin/get-buildx-args publish | |
| - name: Publish the Docker images | |
| run: .github/bin/docker-build publish |