Fixup Docker file #176
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and publish container image | |
| on: | |
| push: | |
| tags: | |
| - 'cr*' | |
| branches: | |
| - 'master' | |
| - 'dev' | |
| pull_request: | |
| branches: | |
| - 'master' | |
| - 'dev' | |
| jobs: | |
| build-and-push-image: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| security-events: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 # Shallow clone for faster checkout | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| buildkitd-flags: --debug | |
| driver-opts: | | |
| image=moby/buildkit:v0.12.0 | |
| network=host | |
| - name: Get tag | |
| id: tag | |
| run: | | |
| if [[ $GITHUB_REF == refs/tags/* ]]; then | |
| echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT | |
| else | |
| echo "tag=${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Log in to the Container registry | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # Cache Docker layers | |
| - name: Cache Docker layers | |
| uses: actions/cache@v3 | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: ${{ runner.os }}-buildx-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-buildx- | |
| # Build amd64 and arm64 in parallel | |
| - name: Build and push amd64 | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| platforms: linux/amd64 | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ghcr.io/${{ github.repository }}:${{ steps.tag.outputs.tag }}-amd64 | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max | |
| build-args: | | |
| BUILDKIT_INLINE_CACHE=1 | |
| - name: Build and push arm64 | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| platforms: linux/arm64 | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ghcr.io/${{ github.repository }}:${{ steps.tag.outputs.tag }}-arm64 | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max | |
| build-args: | | |
| BUILDKIT_INLINE_CACHE=1 | |
| # Create and push a multi-arch manifest | |
| - name: Create and push manifest | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| docker buildx imagetools create -t ghcr.io/${{ github.repository }}:${{ steps.tag.outputs.tag }} \ | |
| ghcr.io/${{ github.repository }}:${{ steps.tag.outputs.tag }}-amd64 \ | |
| ghcr.io/${{ github.repository }}:${{ steps.tag.outputs.tag }}-arm64 | |
| # Move cache | |
| - name: Move cache | |
| run: | | |
| rm -rf /tmp/.buildx-cache | |
| mv /tmp/.buildx-cache-new /tmp/.buildx-cache | |
| - name: Run Trivy vulnerability scanner in parallel | |
| uses: aquasecurity/trivy-action@master | |
| if: github.event_name != 'pull_request' | |
| with: | |
| image-ref: ghcr.io/${{ github.repository }}:${{ steps.tag.outputs.tag }}-amd64 | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: github.event_name != 'pull_request' && always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' |