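# Builds the Invidious container image for a distro x arch x patchset matrix,
# smoke-tests the amd64 variants, and (on push / schedule only) pushes the
# result to GHCR, signs it with cosign and scans it with Trivy.
name: Build and Test Docker Images
on:
  pull_request:
    branches: [ "main" ]
  push:
    branches: [ "main" ]
  schedule:
    - cron: '20 03 * * *' # 03:20 UTC daily (GitHub cron schedules are UTC)
jobs:
  build_and_push_docker_images:
    runs-on: ubuntu-latest
    # NOTE(review): job-level continue-on-error means a failed build, test,
    # push or signing step never marks the workflow run as failed - confirm
    # this is intended for the nightly matrix, otherwise broken images go
    # unnoticed.
    continue-on-error: true
    strategy:
      fail-fast: false
      matrix:
        containerdistro: [ alpine, min, debian, ubuntu, centos ]
        arches: [ linux/amd64, linux/arm64 ]
        patchsets: [ vanilla, highload, redis ]
        # Only alpine and min are built for arm64; the other distros are
        # excluded from that arch below.
        exclude:
          - containerdistro: debian
            arches: linux/arm64
          - containerdistro: ubuntu
            arches: linux/arm64
          - containerdistro: centos
            arches: linux/arm64
    # Least-privilege token: read the repo, publish packages, upload SARIF.
    permissions:
      contents: read
      packages: write
      security-events: write
    name: Docker Images
    steps:
      # SETUP
      - name: Check out the repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          submodules: recursive
      # PREPARE
      - name: Get patches
        run: |
          chmod u+x scripts/*
          ./scripts/get-patches.sh
          ./scripts/apply-patches.sh ${{ matrix.patchsets }}
          ./scripts/fix-git-compile.sh
      - name: Generate tags
        id: generate-tags
        shell: bash
        run: |
          alias_tags=()
          while IFS= read -r line; do
            alias_tags+=("$line")
          done < <(./scripts/generate-tags.sh ${{ matrix.containerdistro }} ${{ matrix.patchsets }} ${{ matrix.arches }})
          echo "Generated tags:"
          for TAG in "${alias_tags[@]}"; do
            echo "$TAG"
          done
          # Space-separated list consumed by the build and push steps below.
          echo "alias_tags=${alias_tags[*]}" >> "$GITHUB_OUTPUT"
      # - name: Get the last (and most specific) tag
      #   id: specific-tag
      #   run: |
      #     echo "super_specific_tag=$(echo ${{ steps.generate-tags.outputs.alias_tags }} | awk '{print $NF}')" >> $GITHUB_OUTPUT
      - name: Install packages for testing
        run: |
          sudo apt-get update
          sudo apt-get install -y qemu-user-static podman
      - name: Cache Shards
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
        with:
          path: ${{ github.workspace }}/shardscache
          key: shards-${{ hashFiles('invidious/shard.lock') }}
      # Ensure shardscache exists
      - run: mkdir -p ${{ github.workspace }}/shardscache
      # BUILD
      - name: Build Image
        id: build-image
        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
        with:
          image: invidious
          tags: ${{ steps.generate-tags.outputs.alias_tags }}
          containerfiles: Dockerfile.${{ matrix.containerdistro }}
          platforms: ${{ matrix.arches }}
          # The shards cache is bind-mounted into the build; the previously
          # published image is used as a layer cache.
          extra-args: |
            --volume=${{ github.workspace }}/shardscache:/invidious/lib
            --cache-from=ghcr.io/${{ github.repository_owner }}/invidious
          context: invidious
      # TEST
      # Only the native amd64 image is exercised; arm64 builds are pushed
      # untested.
      - name: Test image
        if: matrix.arches == 'linux/amd64'
        run: ./scripts/test-image.sh ${{ steps.build-image.outputs.image }}
      # PUSH
      # Everything from here on is skipped for pull requests: the token is
      # read-only there and no artefact should be published from a PR.
      - name: Push To GHCR
        if: github.event_name != 'pull_request'
        id: push-to-ghcr
        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
        with:
          username: ${{ github.actor }}
          password: ${{ github.token }}
          image: ${{ steps.build-image.outputs.image }}
          tags: ${{ steps.build-image.outputs.tags }}
          registry: ghcr.io/${{ github.repository_owner }}
      # SIGN
      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
        if: github.event_name != 'pull_request'
      # Key-based signing of the pushed digest (not the tag) so the signature
      # cannot be re-pointed by a later tag move. Secrets and expression values
      # are passed through env rather than expanded into the shell script.
      - name: Sign GHCR Image
        if: github.event_name != 'pull_request'
        run: |
          cosign login ghcr.io -u "$GITHUB_ACTOR" -p "$GITHUB_TOKEN"
          cosign sign -y --key env://COSIGN_PRIVATE_KEY "$IMAGE_REF"
        env:
          # Env values are strings; quote so no YAML loader retypes it.
          COSIGN_EXPERIMENTAL: "false"
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          GITHUB_TOKEN: ${{ github.token }}
          IMAGE_REF: ghcr.io/${{ github.repository_owner }}/${{ steps.build-image.outputs.image }}@${{ steps.push-to-ghcr.outputs.digest }}
      # SCAN
      # NOTE(review): the scan runs after the image is already pushed and
      # signed, and never for pull requests, so findings are reported but do
      # not gate publication. Scanning the local image before the push step
      # would let the job block on critical findings.
      - name: Run Trivy vulnerability scanner
        if: github.event_name != 'pull_request'
        # TODO(review): pin to a commit SHA like every other action here;
        # @master is a mutable ref that can change underneath the workflow
        # (replace with <TRIVY_ACTION_COMMIT_SHA> # vX.Y.Z).
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/${{ github.repository_owner }}/${{ steps.build-image.outputs.image }}@${{ steps.push-to-ghcr.outputs.digest }}
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy scan results to GitHub Security tab
        if: github.event_name != 'pull_request'
        uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3
        with:
          sarif_file: 'trivy-results.sarif'
      # PRINT
      - name: Print image URLs
        if: github.event_name != 'pull_request'
        run: |
          echo "Image pushed to ${{ steps.push-to-ghcr.outputs.registry-paths }}"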