Skip to content

Merge pull request #48 from sberk42/dependabot/go_modules/golang.org/… #56

Merge pull request #48 from sberk42/dependabot/go_modules/golang.org/…

Merge pull request #48 from sberk42/dependabot/go_modules/golang.org/… #56

Workflow file for this run

name: Container
on:
push:
# Publish `main` as Docker `latest` image.
branches:
- main
- master
# Publish `v1.2.3` tags as releases.
tags:
- '**' # All tags kick off a new container build Save history ad 5.0.x etc
# Run tests for any PRs.
pull_request:
env:
BUILD_PLATFORM: |
linux/arm/v6
linux/arm/v7
linux/arm64
linux/amd64
# Enable Docker Buildkit
DOCKER_BUILDKIT: 1
IMAGE_NAME: fritzbox_exporter
jobs:
lint:
runs-on: ubuntu-latest
if: github.event_name == 'push'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Lint Dockerfile
uses: hadolint/hadolint-action@v3.0.0
with:
dockerfile: Dockerfile
prepare:
runs-on: ubuntu-latest
if: github.event_name == 'push'
needs: lint
# Map a step output to a job output
outputs:
DOCKER_REPOSITORY: ${{ steps.tag_image.outputs.DOCKER_REPOSITORY }}
DOCKER_TAG: ${{ steps.tag_image.outputs.DOCKER_TAG }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Tag Image
id: tag_image
run: |
DOCKER_REPOSITORY=ghcr.io/${{ github.repository }}
# Change all uppercase to lowercase
DOCKER_REPOSITORY=$(echo $DOCKER_REPOSITORY | tr '[A-Z]' '[a-z]')
DOCKER_TAG=${{ github.ref_name }}
# Use Docker `latest` tag convention
[ "$DOCKER_TAG" == "master" ] && DOCKER_TAG=latest
[ "$DOCKER_TAG" == "main" ] && DOCKER_TAG=latest
echo DOCKER_REPOSITORY=$DOCKER_REPOSITORY
echo DOCKER_TAG=$DOCKER_TAG
echo "DOCKER_REPOSITORY=${DOCKER_REPOSITORY}" >> $GITHUB_OUTPUT
echo "DOCKER_TAG=${DOCKER_TAG}" >> $GITHUB_OUTPUT
# Build and push image to GitHub Packages.
# See also https://docs.docker.com/docker-hub/builds/
build:
runs-on: ubuntu-latest
if: github.event_name == 'push'
needs: [prepare]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
- name: Build Image
uses: docker/build-push-action@v5
with:
build-args: REPO=${{ github.repository }}
context: .
cache-from: type=gha
cache-to: type=gha,mode=max
file: Dockerfile
platforms: ${{ env.BUILD_PLATFORM }}
push: false
# Build and push image to GitHub Packages.
# See also https://docs.docker.com/docker-hub/builds/
push:
runs-on: ubuntu-latest
if: github.event_name == 'push'
needs: [prepare, build]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
- name: Log into registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Build Runtime Image and Push
uses: docker/build-push-action@v5
with:
build-args: REPO=${{ github.repository }}
context: .
cache-from: type=gha
cache-to: type=gha,mode=max
file: Dockerfile
platforms: ${{ env.BUILD_PLATFORM }}
push: true
tags: |
${{ needs.prepare.outputs.DOCKER_REPOSITORY }}:${{ needs.prepare.outputs.DOCKER_TAG }}
${{ needs.prepare.outputs.DOCKER_REPOSITORY }}:${{ github.sha }}
target: runtime-image
- name: Inspect image
if: success()
run: |
docker buildx imagetools inspect ${{ needs.prepare.outputs.DOCKER_REPOSITORY }}:${{ needs.prepare.outputs.DOCKER_TAG }}
docker buildx imagetools inspect ${{ needs.prepare.outputs.DOCKER_REPOSITORY }}:${{ github.sha }}
test:
runs-on: ubuntu-latest
if: github.event_name == 'push'
needs: [prepare, push]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "${{ needs.prepare.outputs.DOCKER_REPOSITORY }}:${{ github.sha }}"
format: 'sarif'
output: 'trivy-results.sarif'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'MEDIUM,HIGH,CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'