Skip to content

fix: docker/Dockerfile to reduce vulnerabilities #59

fix: docker/Dockerfile to reduce vulnerabilities

fix: docker/Dockerfile to reduce vulnerabilities #59

Workflow file for this run

name: Publish Docker image
permissions:
contents: read
packages: write
on:
push:
jobs:
untagged-cleanup:
name: Cleanup not tagged refs
environment:
name: "github-registry"
url: https://github.com/orgs/wdes/packages?repo_name=mail-autodiscover-autoconfig
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- name: Delete not tagged refs
uses: bots-house/ghcr-delete-image-action@v1.1.0
with:
owner: wdes
name: mail-autodiscover-autoconfig/mail-autodiscover-autoconfig
token: ${{ secrets.GITHUB_TOKEN }}
# Keep latest N untagged images
untagged-keep-latest: 6
build-binaries:
name: Build multi arch binaries (${{ matrix.arch }}-${{ matrix.variant }}) for ${{ matrix.os }}
environment:
name: "github-registry"
url: https://github.com/orgs/wdes/packages?repo_name=mail-autodiscover-autoconfig
runs-on: ubuntu-latest
strategy:
fail-fast: false
max-parallel: 1
matrix:
include:
- { os: linux, arch: x86_64, variant: gnu }
- { os: linux, arch: x86_64, variant: musl }
- { os: linux, arch: aarch64, variant: gnu }
- { os: linux, arch: aarch64, variant: musl }
- { os: linux, arch: riscv64gc, variant: gnu }
# Toolchain not found
#- { os: linux, arch: riscv64gc, variant: musl }
# Toolchain not found
#- { os: linux, arch: riscv32gc, variant: gnu }
# Toolchain not found
#- { os: linux, arch: riscv32gc, variant: musl }
- { os: linux, arch: arm, variant: gnueabi }
- { os: linux, arch: arm, variant: gnueabihf }
- { os: linux, arch: arm, variant: musleabi }
- { os: linux, arch: arm, variant: musleabihf }
- { os: linux, arch: armv7, variant: gnueabi }
- { os: linux, arch: armv7, variant: gnueabihf }
- { os: linux, arch: armv7, variant: musleabi }
- { os: linux, arch: armv7, variant: musleabihf }
- { os: linux, arch: s390x, variant: gnu }
- { os: linux, arch: armv5te, variant: gnueabi }
- { os: linux, arch: armv5te, variant: musleabi }
- { os: linux, arch: i586, variant: gnu }
- { os: linux, arch: i586, variant: musl }
- { os: linux, arch: i686, variant: gnu }
- { os: linux, arch: powerpc, variant: gnu }
- { os: linux, arch: powerpc64, variant: gnu }
- { os: linux, arch: powerpc64le, variant: gnu }
- { os: linux, arch: sparc64, variant: gnu }
steps:
- name: Cache cargo registry
uses: actions/cache@v3
with:
path: ~/.cargo/registry
key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
- name: Cache cargo index
uses: actions/cache@v3
with:
path: ~/.cargo/git
key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
- name: Cache cargo build
uses: actions/cache@v3
with:
path: target
key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up toolchain
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: 1.72
override: true
target: ${{ matrix.arch }}-unknown-${{ matrix.os }}-${{ matrix.variant }}
- name: Build
uses: actions-rs/cargo@v1
with:
use-cross: true
command: build
args: --release --locked --target ${{ matrix.arch }}-unknown-${{ matrix.os }}-${{ matrix.variant }}
- name: Create builds folder
run: mkdir ./builds
- name: Rename file
run: mv ./target/${{ matrix.arch }}-unknown-${{ matrix.os }}-${{ matrix.variant }}/release/mail-autodiscover-autoconfig ./builds/mail-autodiscover-autoconfig_${{ matrix.arch }}-unknown-${{ matrix.os }}-${{ matrix.variant }}
- name: Upload Artifact
uses: actions/upload-artifact@v3
with:
name: mail-autodiscover-autoconfig_${{ matrix.arch }}-unknown-${{ matrix.os }}-${{ matrix.variant }}.tgz
path: ./builds/*
if-no-files-found: error
retention-days: 1
build-image:
runs-on: ubuntu-latest
environment:
name: "github-registry"
url: https://github.com/orgs/wdes/packages?repo_name=mail-autodiscover-autoconfig
strategy:
fail-fast: false
max-parallel: 4
matrix:
include:
- { platform: "linux/arm/v6", internal-tag: "armv6" }
- { platform: "linux/arm/v7", internal-tag: "armv7" }
# Does not finish building
#- { platform: "linux/arm64/v8", internal-tag: "arm64v8" }
- { platform: "linux/386", internal-tag: "386" }
# Does not finish building
#- { platform: "linux/ppc64le", internal-tag: "ppc64le" }
- { platform: "linux/amd64", internal-tag: "amd64" }
steps:
- name: Checkout repository
uses: actions/checkout@v4
# https://github.com/docker/setup-qemu-action
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
# https://github.com/docker/setup-buildx-action
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to the registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push image
run: make docker-build
env:
DOCKER_BUILDKIT: 1
BUILDKIT_MULTI_PLATFORM: "false"
PLATFORM: ${{ matrix.platform }}
IMAGE_TAG: "ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:${{ matrix.internal-tag }}-edge"
ACTION: push
# Disable provenance to remove the attestation from the pushed image
# See: https://github.com/docker/buildx/issues/1509
# It makes: ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:<arch>-edge a manifest list
# And docker manifest create does not like that
EXTRA_ARGS: "--provenance=false"
create-final-image:
runs-on: ubuntu-latest
needs: build-image
name: Create the image manifest
environment:
name: "github-registry"
url: https://github.com/orgs/wdes/packages?repo_name=mail-autodiscover-autoconfig
steps:
- name: Login to the registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Create the manifest
# ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:arm64v8-edge \
# ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:ppc64le-edge \
run: |
docker manifest create ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:edge \
ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:armv6-edge \
ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:armv7-edge \
ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:386-edge \
ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:amd64-edge
- name: Push the manifest
run: docker manifest push ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:edge
- name: Inspect the manifest
run: docker manifest inspect ghcr.io/wdes/mail-autodiscover-autoconfig/mail-autodiscover-autoconfig:edge
tags-cleanup:
runs-on: ubuntu-latest
needs: create-final-image
name: Cleanup build tags
environment:
name: "github-registry"
url: https://github.com/orgs/wdes/packages?repo_name=mail-autodiscover-autoconfig
strategy:
fail-fast: false
max-parallel: 1
matrix:
include:
- { platform: "linux/arm/v6", internal-tag: "armv6" }
- { platform: "linux/arm/v7", internal-tag: "armv7" }
# Does not finish building
#- { platform: "linux/arm64/v8", internal-tag: "arm64v8" }
- { platform: "linux/386", internal-tag: "386" }
# Does not finish building
#- { platform: "linux/ppc64le", internal-tag: "ppc64le" }
- { platform: "linux/amd64", internal-tag: "amd64" }
steps:
- name: Delete build tag
uses: bots-house/ghcr-delete-image-action@v1.1.0
with:
owner: wdes
name: mail-autodiscover-autoconfig/mail-autodiscover-autoconfig
token: ${{ secrets.GITHUB_TOKEN }}
tag: ${{ matrix.internal-tag }}-edge