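# Based on https://github.com/docker/build-push-action
#
# Builds the multi-arch Sliding Sync image, pushes it to GHCR, signs release
# images with cosign using the GitHub OIDC token, then scans the pushed image
# with Trivy and uploads the SARIF report to the Security tab.
name: "Docker"

on:
  push:
    branches: ["main"]
    tags: ["v*"]
  workflow_dispatch: # A build was manually requested
  workflow_call: # Another pipeline called us

env:
  GHCR_NAMESPACE: matrix-org
  PLATFORMS: "linux/amd64,linux/arm64"

jobs:
  slidingsync:
    name: Sliding Sync image
    runs-on: ubuntu-latest
    # These scopes are granted to the whole job, so every action below runs
    # with a token that can push packages and request an OIDC identity.
    permissions:
      contents: read
      packages: write
      security-events: write # To upload Trivy sarif files
      id-token: write # needed for signing the images with GitHub OIDC Token
    steps:
      # NOTE(review): the ref after `sigstore/` looks mangled by the hosting
      # page's e-mail obfuscation (presumably the cosign-installer action at
      # some version). Restore the real reference from the repository.
      - name: Install Cosign
        uses: sigstore/[email protected]

      # NOTE(review): the actions below are referenced by mutable major-version
      # tags. Because this job holds packages:write and id-token:write,
      # consider pinning each one to a full commit SHA.
      - name: Checkout
        uses: actions/checkout@v3

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Login to GitHub Containers
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Runs whenever the ref is named `main`, whatever the trigger was.
      - name: Build main sliding sync image
        if: github.ref_name == 'main'
        id: docker_build_sliding_sync
        uses: docker/build-push-action@v4
        with:
          cache-from: type=gha
          cache-to: type=gha,mode=max
          context: .
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
            ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:main

      # Runs only for pushed tags; publishes both `latest` and the tag name.
      - name: Build release Sliding Sync image
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
        id: docker_build_sliding_sync_release
        uses: docker/build-push-action@v4
        with:
          cache-from: type=gha
          cache-to: type=gha,mode=max
          context: .
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
            ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:latest
            ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}

      # Only release images are signed; the `main` image is pushed unsigned.
      # The signature is made against the release build's digest, which both
      # release tags resolve to. The tag name reaches the script through `env`
      # rather than being interpolated into the shell text, so a crafted ref
      # name cannot inject shell syntax.
      - name: Sign the images with GitHub OIDC Token
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
        env:
          DIGEST: ${{ steps.docker_build_sliding_sync_release.outputs.digest }}
          TAGS: ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}
        run: |
          # Refuse to sign a reference with an empty digest.
          : "${DIGEST:?release build produced no digest}"
          images=()
          # TAGS is deliberately unquoted: it is a whitespace-separated list.
          for tag in ${TAGS}; do
            images+=("${tag}@${DIGEST}")
          done
          cosign sign --yes "${images[@]}"

      # Scan the image this run actually published: the release tag when the
      # release build ran, otherwise `main`. The original always scanned
      # `:main`, so a tag push reported on an image it had not built.
      # NOTE(review): `master` is a moving branch; pin this action to a
      # release tag or, better, a full commit SHA.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) && github.ref_name || 'main' }}
          format: "sarif"
          output: "trivy-results.sarif"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: "trivy-results.sarif"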