Release #9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| # You can manually run this workflow. | |
| workflow_dispatch: | |
| # This workflow runs on pushing a semantic versionized tag (e.g. v1.0.0). | |
| push: | |
| #branches: | |
| # - main | |
| tags: | |
| - 'v[0-9]+.[0-9]+.[0-9]+' | |
| jobs: | |
| # --------------------------------------------------------------------------------------- | |
| release: | |
| # --------------------------------------------------------------------------------------- | |
| name: "Publish Container on GHCR" | |
| runs-on: ubuntu-latest | |
| steps: | |
| # temporary workaround for an error in free disk space action | |
| # https://github.com/jlumbroso/free-disk-space/issues/14 | |
| - name: Update Package List | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get remove -y '^dotnet-.*' | |
| - name: ✂️ Free Disk Space | |
| uses: jlumbroso/free-disk-space@main # https://github.com/jlumbroso/free-disk-space | |
| with: | |
| tool-cache: true | |
| docker-images: false | |
| - name: 🤘 Checkout Code | |
| uses: actions/checkout@v3 # https://github.com/actions/checkout | |
| - name: 🔒 Login to Container Registry | |
| uses: docker/login-action@v2 # https://github.com/docker/login-action | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: hadolint/hadolint-action@v3.1.0 # https://github.com/hadolint/hadolint-action | |
| with: | |
| dockerfile: .devcontainer/Dockerfile | |
| no-fail: true | |
| - name: 📝 Versionize | |
| run: | | |
| if [[ "$GITHUB_REF" =~ ^refs/tags/v* ]]; then | |
| echo "Releasing from tag: $GITHUB_REF_NAME" | |
| echo "TAG=$GITHUB_REF_NAME" >> $GITHUB_ENV | |
| else | |
| echo "Releasing from branch: $GITHUB_REF_NAME" | |
| TIMESTAMP=$(TZ=UTC date +%Y%m%d) | |
| SHORT_HASH=$(echo ${{ github.sha }} | head -c7) | |
| echo "TAG=$TIMESTAMP-$SHORT_HASH" >> $GITHUB_ENV | |
| fi | |
| echo "Container Version: $TAG" | |
| - name: 🙏 Build Image -> cpp-devbox-base | |
| run: | | |
| docker build --no-cache --progress=plain --target cpp-devbox-base -t ghcr.io/${{ github.repository }}:$TAG .devcontainer/ | |
| - name: 📦 🚀 Push Image to registry (cpp-devbox-base) | |
| run: | | |
| docker push ghcr.io/${{ github.repository }}:$TAG | |
| docker tag ghcr.io/${{ github.repository }}:$TAG ghcr.io/${{ github.repository }}:latest | |
| docker push ghcr.io/${{ github.repository }}:latest | |
| - name: 🙏 Build Image -> cpp-devbox-base + cpp-devbox-with-vulkansdk = with-vulkansdk | |
| run: | | |
| docker build --no-cache --progress=plain -t ghcr.io/${{ github.repository }}:with-vulkansdk-$TAG .devcontainer/ | |
| - name: 📦 🚀 Push Image to registry (with-vulkansdk) | |
| run: | | |
| docker push ghcr.io/${{ github.repository }}:with-vulkansdk-$TAG | |
| docker tag ghcr.io/${{ github.repository }}:with-vulkansdk-$TAG ghcr.io/${{ github.repository }}:with-vulkansdk-latest | |
| docker push ghcr.io/${{ github.repository }}:with-vulkansdk-latest | |
| - name: 🛡️🔍 Scan Image for Vulnerabilities | |
| uses: aquasecurity/trivy-action@master # https://github.com/aquasecurity/trivy-action | |
| with: | |
| image-ref: 'ghcr.io/${{ github.repository }}:latest' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| ignore-unfixed: true | |
| - name: 🛡️🔼 Upload scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v2 # https://github.com/github/codeql-action | |
| with: | |
| sarif_file: 'trivy-results.sarif' |