fix: docker/Dockerfile to reduce vulnerabilities #59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish Docker image | |
permissions: | |
contents: read | |
packages: write | |
on: | |
push: | |
jobs: | |
untagged-cleanup: | |
name: Cleanup not tagged refs | |
environment: | |
name: "github-registry" | |
url: https://github.com/orgs/wdes/packages?repo_name=mail-autodiscover-autoconfig | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
steps: | |
- name: Delete not tagged refs | |
uses: bots-house/ghcr-delete-image-action@v1.1.0 | |
with: | |
owner: wdes | |
name: mail-autodiscover-autoconfig/mail-autodiscover-autoconfig | |
token: ${{ secrets.GITHUB_TOKEN }} | |
# Keep latest N untagged images | |
untagged-keep-latest: 6 | |
build-binaries: | |
name: Build multi arch binaries (${{ matrix.arch }}-${{ matrix.variant }}) for ${{ matrix.os }} | |
environment: | |
name: "github-registry" | |
url: https://github.com/orgs/wdes/packages?repo_name=mail-autodiscover-autoconfig | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
max-parallel: 1 | |
matrix: | |
include: | |
- { os: linux, arch: x86_64, variant: gnu } | |
- { os: linux, arch: x86_64, variant: musl } | |
- { os: linux, arch: aarch64, variant: gnu } | |
- { os: linux, arch: aarch64, variant: musl } | |
- { os: linux, arch: riscv64gc, variant: gnu } | |
# Toolchain not found | |
#- { os: linux, arch: riscv64gc, variant: musl } | |
# Toolchain not found | |
#- { os: linux, arch: riscv32gc, variant: gnu } | |
# Toolchain not found | |
#- { os: linux, arch: riscv32gc, variant: musl } | |
- { os: linux, arch: arm, variant: gnueabi } | |
- { os: linux, arch: arm, variant: gnueabihf } | |
- { os: linux, arch: arm, variant: musleabi } | |
- { os: linux, arch: arm, variant: musleabihf } | |
- { os: linux, arch: armv7, variant: gnueabi } | |
- { os: linux, arch: armv7, variant: gnueabihf } | |
- { os: linux, arch: armv7, variant: musleabi } | |
- { os: linux, arch: armv7, variant: musleabihf } | |
- { os: linux, arch: s390x, variant: gnu } | |
- { os: linux, arch: armv5te, variant: gnueabi } | |
- { os: linux, arch: armv5te, variant: musleabi } | |
- { os: linux, arch: i586, variant: gnu } | |
- { os: linux, arch: i586, variant: musl } | |
- { os: linux, arch: i686, variant: gnu } | |
- { os: linux, arch: powerpc, variant: gnu } | |
- { os: linux, arch: powerpc64, variant: gnu } | |
- { os: linux, arch: powerpc64le, variant: gnu } | |
- { os: linux, arch: sparc64, variant: gnu } | |
steps: | |
- name: Cache cargo registry | |
uses: actions/cache@v3 | |
with: | |
path: ~/.cargo/registry | |
key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} | |
- name: Cache cargo index | |
uses: actions/cache@v3 | |
with: | |
path: ~/.cargo/git | |
key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }} | |
- name: Cache cargo build | |
uses: actions/cache@v3 | |
with: | |
path: target | |
key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }} | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Set up toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
profile: minimal | |
toolchain: 1.72 | |
override: true | |
target: ${{ matrix.arch }}-unknown-${{ matrix.os }}-${{ matrix.variant }} | |
- name: Build | |
uses: actions-rs/cargo@v1 | |
with: | |
use-cross: true | |
command: build | |
args: --release --locked --target ${{ matrix.arch }}-unknown-${{ matrix.os }}-${{ matrix.variant }} | |
- name: Create builds folder | |
run: mkdir ./builds | |
- name: Rename file | |
run: mv ./target/${{ matrix.arch }}-unknown-${{ matrix.os }}-${{ matrix.variant }}/release/mail-autodiscover-autoconfig ./builds/mail-autodiscover-autoconfig_${{ matrix.arch }}-unknown-${{ matrix.os }}-${{ matrix.variant }} | |
- name: Upload Artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: mail-autodiscover-autoconfig_${{ matrix.arch }}-unknown-${{ matrix.os }}-${{ matrix.variant }}.tgz | |
path: ./builds/* | |
if-no-files-found: error | |
retention-days: 1 | |
build-image: | |
runs-on: ubuntu-latest | |
environment: | |
name: "github-registry" | |
url: https://github.com/orgs/wdes/packages?repo_name=mail-autodiscover-autoconfig | |
strategy: | |
fail-fast: false | |
max-parallel: 4 | |
matrix: | |
include: | |
- { platform: "linux/arm/v6", internal-tag: "armv6" } | |
- { platform: "linux/arm/v7", internal-tag: "armv7" } | |
# Does not finish building | |
#- { platform: "linux/arm64/v8", internal-tag: "arm64v8" } | |
- { platform: "linux/386", internal-tag: "386" } | |
# Does not finish building | |
#- { platform: "linux/ppc64le", internal-tag: "ppc64le" } | |
- { platform: "linux/amd64", internal-tag: "amd64" } | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
# https://github.com/docker/setup-qemu-action | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
# https://github.com/docker/setup-buildx-action | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to the registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and push image | |
run: make docker-build | |
env: | |
DOCKER_BUILDKIT: 1 | |
BUILDKIT_MULTI_PLATFORM: "false" | |
PLATFORM: ${{ matrix.platform }} | |
IMAGE_TAG: "ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:${{ matrix.internal-tag }}-edge" | |
ACTION: push | |
# Disable provenance to remove the attestation from the pushed image | |
# See: https://github.com/docker/buildx/issues/1509 | |
# It makes: ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:<arch>-edge a manifest list | |
# And docker manifest create does not like that | |
EXTRA_ARGS: "--provenance=false" | |
create-final-image: | |
runs-on: ubuntu-latest | |
needs: build-image | |
name: Create the image manifest | |
environment: | |
name: "github-registry" | |
url: https://github.com/orgs/wdes/packages?repo_name=mail-autodiscover-autoconfig | |
steps: | |
- name: Login to the registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Create the manifest | |
# ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:arm64v8-edge \ | |
# ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:ppc64le-edge \ | |
run: | | |
docker manifest create ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:edge \ | |
ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:armv6-edge \ | |
ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:armv7-edge \ | |
ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:386-edge \ | |
ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:amd64-edge | |
- name: Push the manifest | |
run: docker manifest push ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:edge | |
- name: Inspect the manifest | |
run: docker manifest inspect ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:edge | |
tags-cleanup: | |
runs-on: ubuntu-latest | |
needs: create-final-image | |
name: Cleanup build tags | |
environment: | |
name: "github-registry" | |
url: https://github.com/orgs/wdes/packages?repo_name=mail-autodiscover-autoconfig | |
strategy: | |
fail-fast: false | |
max-parallel: 1 | |
matrix: | |
include: | |
- { platform: "linux/arm/v6", internal-tag: "armv6" } | |
- { platform: "linux/arm/v7", internal-tag: "armv7" } | |
# Does not finish building | |
#- { platform: "linux/arm64/v8", internal-tag: "arm64v8" } | |
- { platform: "linux/386", internal-tag: "386" } | |
# Does not finish building | |
#- { platform: "linux/ppc64le", internal-tag: "ppc64le" } | |
- { platform: "linux/amd64", internal-tag: "amd64" } | |
steps: | |
- name: Delete build tag | |
uses: bots-house/ghcr-delete-image-action@v1.1.0 | |
with: | |
owner: wdes | |
name: mail-autodiscover-autoconfig/mail-autodiscover-autoconfig | |
token: ${{ secrets.GITHUB_TOKEN }} | |
tag: ${{ matrix.internal-tag }}-edge |