diff --git a/.github/workflows/docker-build-publish.yml b/.github/workflows/docker-build-publish.yml new file mode 100644 index 0000000000..c04651241c --- /dev/null +++ b/.github/workflows/docker-build-publish.yml @@ -0,0 +1,107 @@ +name: Docker Build & Publish + +on: + push: + branches: + - "**" + tags: + - "v[0-9]+.[0-9]+.[0-9]+" + - "v[0-9]+.[0-9]+.[0-9]+-alpha.[0-9]+" + - "v[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+" + - "v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+" + pull_request: + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + MAINTAINER: CelestiaOrg + DESCRIPTION: CelestiaOrg repository ${{ github.repository }} + +jobs: + docker-security: + runs-on: "ubuntu-latest" + steps: + - name: Checkout + uses: "actions/checkout@v3" + + - name: Build and Push + uses: docker/build-push-action@v3 + with: + push: false + platforms: linux/amd64 + # we're building the container before the scan, use the local tag for + # refer to it later + tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:local + + - name: Run Trivy vulnerability scanner + # source: https://github.com/aquasecurity/trivy-action + # https://github.com/marketplace/actions/aqua-security-trivy + uses: aquasecurity/trivy-action@master + with: + # here we use the local tag that we've built before + image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:local' + format: 'table' + #exit-code: '1' # uncomment to stop the CI if the scanner fails + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + docker-build: + runs-on: "ubuntu-latest" + # wait until the security scanner will be done + needs: docker-security + permissions: + contents: write + packages: write + + steps: + - name: Checkout + uses: "actions/checkout@v3" + + - name: Login to GHCR + uses: docker/login-action@v2 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Add SHORT_SHA to ENV + run: echo "SHORT_SHA=`echo ${GITHUB_SHA} | cut -c1-8`" >> $GITHUB_ENV + + - name: Extract Docker Metadata + id: meta + uses: docker/metadata-action@v4 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + # yamllint disable + labels: | + maintainer=${{ env.MAINTAINER }} + commitUrl=https://github.com/${{ github.repository }}/commit/${{ github.sha }} + dockerPull=docker pull ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.SHORT_SHA }} + org.opencontainers.image.description=${{ env.DESCRIPTION }} + tags: | + # output minimal (short sha) + type=raw,value={{sha}} + # output v0.2.1 + type=semver,pattern=v{{version}} + # pull request event + type=ref,enable=true,prefix=pr-,suffix=,event=pr + # yamllint enable + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + # We always build the image but we only push if we are on the `main` + # branch or a versioned `v*` branch + - name: Build and PushDocker Image + uses: docker/build-push-action@v3 + with: + platforms: linux/amd64,linux/arm64 + # yamllint disable + # The following line, is execute as an if statement, only push when + # the branch is main or starts with v* + push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }} + # yamllint enable + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + file: Dockerfile