This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Run precommit and conditionally build container | |
on: | |
push: | |
branches: | |
- '*' | |
tags: | |
- 'v[0-9]+\.[0-9]+\.[0-9]+' | |
pull_request: | |
branches: | |
- '*' | |
env: | |
REGISTRY: ghcr.io | |
IMAGE_PATH: ghcr.io/${{ github.repository }} | |
TARFILE_NAME: image.tar | |
jobs: | |
tests: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Static Analysis | |
uses: pre-commit/[email protected] | |
- name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/[email protected] | |
with: | |
images: ${{ env.IMAGE_PATH }} | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} # major.minor.patch | |
type=semver,pattern={{major}}.{{minor}} | |
- name: Check that build works, save for scanning, but don't push yet | |
uses: docker/[email protected] | |
with: | |
context: . | |
push: false | |
outputs: type=tar,dest=${{ env.TARFILE_NAME }} | |
meta_json: ${{ steps.meta.outputs.json }} | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Upload tarball for use by Trivy job | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.TARFILE_NAME }} | |
path: ${{ env.TARFILE_NAME }} | |
outputs: | |
meta_json: ${{ steps.meta.outputs.json }} | |
tarfile_artifact: ${{ env.TARFILE_NAME }} | |
trivy-scan: | |
needs: tests | |
uses: "./.github/workflows/trivy.yml" | |
with: | |
SOURCE_TYPE: tar | |
IMAGE_NAME: image-name | |
TARFILE_NAME: ${{ needs.tests.outputs.tarfile_artifact }} | |
EXIT_CODE: 1 | |
push-image: | |
if: ${{ github.event_name == 'push' }} | |
needs: [tests, trivy-scan] | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
strategy: | |
matrix: | |
value: ${{ fromJSON(needs.tests.outputs.meta_json).tags }} | |
steps: | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Build and push Docker image | |
uses: docker/[email protected] | |
with: | |
context: . | |
push: true | |
tags: ${{ matrix.value }} | |
- name: Push Docker image | |
run: docker push ${{ matrix.value }} | |
... |