Release #27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Copyright 2021 Jens A. Koch. | |
| # SPDX-License-Identifier: MIT | |
| # This file is part of jakoch/cpp-devbox. | |
| # | |
| name: Release | |
| on: | |
| # You can manually run this workflow. | |
| workflow_dispatch: | |
| # This workflow runs on pushing a semantic versionized tag (e.g. v1.0.0). | |
| # This workflow does not run when pushing to the main branch. | |
| push: | |
| #branches: | |
| # - main | |
| tags: | |
| - 'v[0-9]+.[0-9]+.[0-9]+' | |
| # This workflow runs on schedule: every Sunday at 1 am. | |
| schedule: | |
| - cron: "0 1 * * 0" | |
| env: | |
| DOCKERHUB_IMAGE: ${{ github.repository }} | |
| GHCR_IMAGE: ghcr.io/${{ github.repository }} | |
| jobs: | |
| # --------------------------------------------------------------------------------------- | |
| build: | |
| # --------------------------------------------------------------------------------------- | |
| name: "Build Container" | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| config: | |
| - { platform: "linux/amd64", debian_codename: "bookworm" } | |
| - { platform: "linux/amd64", debian_codename: "trixie" } | |
| steps: | |
| - name: ✂️ Free Disk Space | |
| uses: jlumbroso/free-disk-space@v1.3.0 # https://github.com/jlumbroso/free-disk-space | |
| with: | |
| tool-cache: true | |
| docker-images: false | |
| - name: 🤘 Checkout Code | |
| uses: actions/checkout@v4 # https://github.com/actions/checkout | |
| - name: 🔍 Run hadolint | |
| uses: hadolint/hadolint-action@v3.1.0 # https://github.com/hadolint/hadolint-action | |
| with: | |
| dockerfile: .devcontainer/debian/${{ matrix.config.debian_codename }}/Dockerfile | |
| no-fail: true | |
| #- name: 🔒 Login to DockerHub Container Registry | |
| # if: github.event_name != 'pull_request' | |
| # uses: docker/login-action@v3 # https://github.com/docker/login-action | |
| # with: | |
| # username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| # password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: 🔒 Login to Github Container Registry (GHCR) | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 # https://github.com/docker/login-action | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: 🔽 Setup QEMU | |
| uses: docker/setup-qemu-action@v3 # https://github.com/docker/setup-qemu-action | |
| with: | |
| platforms: ${{ matrix.config.platform }} | |
| - name: 🔽 Setup Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| # cpp-devbox:{debian_codename}-nightly-{{date}} # only on scheduled builds | |
| # cpp-devbox:{debian_codename}-{{ version }} # only on git tag | |
| # cpp-devbox:{debian_codename}-{{ major }}.{{ minor }} # only on git tag | |
| # cpp-devbox:{debian_codename}-{{date}}-sha-{{sha}} # only on push, not when tagging | |
| # cpp-devbox:{debian_codename}-latest # always | |
| - name: ✏ Setup Docker Metadata | |
| id: metadata-base | |
| uses: docker/metadata-action@v5 # https://github.com/docker/metadata-action | |
| with: | |
| images: | | |
| ${{ env.GHCR_IMAGE }} | |
| flavor: | | |
| latest=auto | |
| prefix=${{ matrix.config.debian_codename }}- | |
| tags: | | |
| type=schedule,pattern=nightly-{{ date 'YYYYMMDD' }},enabled=${{ github.event_name == 'schedule' }} | |
| type=semver,pattern={{ version }} | |
| type=semver,pattern={{ major }}.{{ minor }} | |
| type=raw,value={{ date 'YYYYMMDD' }}-sha-{{ sha }},enabled=${{ github.event_name == 'push' }} | |
| type=raw,value=latest | |
| # cpp-devbox:{debian_codename}-with-vulkansdk-nightly-{{date}} # only on scheduled builds | |
| # cpp-devbox:{debian_codename}-with-vulkansdk-{{ version }} # only on git tag | |
| # cpp-devbox:{debian_codename}-with-vulkansdk-{{ major }}.{{ minor }} # only on git tag | |
| # cpp-devbox:{debian_codename}-with-vulkansdk-{{date}}-sha-{{sha}} # only on push, not when tagging | |
| # cpp-devbox:{debian_codename}-with-vulkansdk-latest # always | |
| - name: ✏ Setup Docker Metadata | |
| id: metadata-base-with-vulkansdk | |
| uses: docker/metadata-action@v5 # https://github.com/docker/metadata-action | |
| with: | |
| images: | | |
| ${{ env.GHCR_IMAGE }} | |
| flavor: | | |
| latest=auto | |
| prefix=${{ matrix.config.debian_codename }}-with-vulkansdk- | |
| tags: | | |
| type=schedule,pattern=nightly-{{ date 'YYYYMMDD' }},enabled=${{ github.event_name == 'schedule' }} | |
| type=semver,pattern={{ version }} | |
| type=semver,pattern={{ major }}.{{ minor }} | |
| type=raw,value={{ date 'YYYYMMDD' }}-sha-{{ sha }},enabled=${{ github.event_name == 'push' }} | |
| type=raw,value=latest | |
| - name: ✏ Create info.json | |
| run: | | |
| jq -n --arg version "${{ github.ref_name }}" \ | |
| --arg commit "${{ github.sha }}" \ | |
| --arg date "$(date -u +%F)" \ | |
| '{ version: $version, commit: $commit, date: $date }' > info.json | |
| # Build Image -> Stage: cpp-devbox-base | |
| - name: 📦 🚀 Build and Push | |
| id: build-base | |
| uses: docker/build-push-action@v5 # https://github.com/docker/build-push-action | |
| with: | |
| context: . | |
| file: .devcontainer/debian/${{ matrix.config.debian_codename }}/Dockerfile | |
| target: cpp-devbox-base | |
| platforms: ${{ matrix.config.platform }} | |
| tags: ${{ steps.metadata-base.outputs.tags }} | |
| labels: ${{ steps.metadata-base.outputs.labels }} | |
| push: true | |
| # Build Image -> Stages: cpp-devbox-base + cpp-devbox-with-vulkansdk = with-vulkansdk | |
| - name: 📦 🚀 Build and Push | |
| id: build-base-with-vulkansdk | |
| uses: docker/build-push-action@v5 # https://github.com/docker/build-push-action | |
| with: | |
| context: . | |
| file: .devcontainer/debian/${{ matrix.config.debian_codename }}/Dockerfile | |
| target: cpp-devbox-with-vulkansdk | |
| platforms: ${{ matrix.config.platform }} | |
| tags: ${{ steps.metadata-base-with-vulkansdk.outputs.tags }} | |
| labels: ${{ steps.metadata-base-with-vulkansdk.outputs.labels }} | |
| push: true | |
| #- name: 🛡️🔍 Scan Image for Vulnerabilities | |
| # uses: aquasecurity/trivy-action@master # https://github.com/aquasecurity/trivy-action | |
| # with: | |
| # image-ref: '${{ env.GHCR_IMAGE }}:latest' | |
| # format: 'sarif' | |
| # output: 'trivy-results.sarif' | |
| # severity: 'CRITICAL,HIGH' | |
| # ignore-unfixed: true | |
| # skip-dirs: gcc-13.2.0,usr/lib64 | |
| # upload fails: https://github.com/github/codeql-action/issues/2117 | |
| #- name: 🛡️🔼 Upload scan results to GitHub Security tab | |
| # uses: github/codeql-action/upload-sarif@v3 # https://github.com/github/codeql-action | |
| # with: | |
| # sarif_file: 'trivy-results.sarif' |