Refactor proxy Docker workflows for PR builds, releases, and fork compatibility #115
name: Docker Image

on:
  # A published release builds a versioned image (and re-points `latest`).
  release:
    types:
      - published
  # Pushes to main; tag pushes matching `*.*` and Markdown-only changes are skipped.
  # NOTE(review): with both `branches` and `tags-ignore` set, a tag push that does
  # not match `*.*` may still trigger this workflow — confirm that is intended.
  push:
    branches:
      - main
    tags-ignore:
      - '*.*'
    paths-ignore:
      - '**/*.md'
  # Pull requests are built and scanned but never pushed to the registry.
  pull_request:
    branches:
      - main
    paths-ignore:
      - '**/*.md'
  # Manual runs; the job itself refuses anything other than main or a tag.
  workflow_dispatch:

# Read-only token by default; security-events:write is what the SARIF upload
# into code scanning needs.
permissions:
  contents: read
  security-events: write

# One in-flight run per PR head (or per ref); a newer push cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.head.sha || github.ref }}
  cancel-in-progress: true

env:
  # Docker Hub repository; falls back to the repository owner when the
  # DOCKERHUB_NAMESPACE variable is not set.
  IMAGE_NAME: ${{ vars.DOCKERHUB_NAMESPACE || github.repository_owner }}/proxy
  # Platforms for the published multi-arch image.
  PLATFORM: linux/amd64,linux/arm64
  # NOTE(review): declared at workflow level, so this secret is in the environment
  # of every step (including third-party actions), not only the SonarQube step.
  # The SonarQube step's `if` reads env.SONAR_TOKEN, which constrains where it
  # can be declared — confirm this scope is intended.
  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
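jobs:
  image_proxy:
    name: Build images
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      # QEMU and Buildx are required by the multi-arch push at the end of the
      # job; the local scan build below is amd64-only.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
        with:
          platforms: all

      - name: Set up Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      # Registry credentials are only needed when something is pushed; pull
      # requests never push (and fork PRs do not receive these secrets anyway).
      - name: Log in to Docker Hub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets._TEMP_DOCKERHUB_USER }}
          password: ${{ secrets._TEMP_DOCKERHUB_PASSWORD }}

      # Derives the image tags for this run and exposes them as step outputs:
      #   version      - release/tag version, empty otherwise
      #   is_versioned - "true" when version is set
      #   primary_tag  - the single tag used for the local scan build
      #   push_tags    - newline-separated tags used for the multi-arch push
      # Event data is handed to the script through env vars instead of being
      # interpolated into it with ${{ }}: tag and ref names are free text chosen
      # by whoever creates the tag or dispatches the run, and expanding them
      # inline would let shell metacharacters in them run as part of the script.
      - name: Compute image metadata
        id: meta
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF: ${{ github.ref }}
          REF_TYPE: ${{ github.ref_type }}
          REF_NAME: ${{ github.ref_name }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          PR_NUMBER: ${{ github.event.pull_request.number || github.run_number }}
        run: |
          VERSION=""
          IS_VERSIONED="false"
          PRIMARY_TAG=""
          PUSH_TAGS=""

          if [[ "$EVENT_NAME" == "release" ]]; then
            VERSION="$RELEASE_TAG"
            IS_VERSIONED="true"
          elif [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
            if [[ "$REF_TYPE" == "tag" ]]; then
              VERSION="$REF_NAME"
              IS_VERSIONED="true"
            elif [[ "$REF" != "refs/heads/main" ]]; then
              echo "workflow_dispatch must be run on main or on a tag"
              exit 1
            fi
          fi

          if [[ "$IS_VERSIONED" == "true" ]]; then
            PRIMARY_TAG="${IMAGE_NAME}:${VERSION}"
            # Two tags, newline-separated, as build-push-action expects.
            PUSH_TAGS="${IMAGE_NAME}:${VERSION}"$'\n'"${IMAGE_NAME}:latest"
          elif [[ "$REF" == "refs/heads/main" ]]; then
            PRIMARY_TAG="${IMAGE_NAME}:develop"
            PUSH_TAGS="${IMAGE_NAME}:develop"
          else
            # Pull requests land here; PR_NUMBER falls back to the run number
            # for any other non-main ref (see the NOTE on the push step below).
            PRIMARY_TAG="${IMAGE_NAME}:pr-${PR_NUMBER}"
            PUSH_TAGS="${PRIMARY_TAG}"
          fi

          # Randomised heredoc delimiter so a tag value cannot terminate the
          # multi-line output early.
          delim="push_tags_${RANDOM}${RANDOM}"
          {
            echo "version=${VERSION}"
            echo "is_versioned=${IS_VERSIONED}"
            echo "primary_tag=${PRIMARY_TAG}"
            echo "push_tags<<${delim}"
            echo "${PUSH_TAGS}"
            echo "${delim}"
          } >> "$GITHUB_OUTPUT"

      # Single-platform build loaded into the local daemon so it can be scanned
      # before anything is published. Runs on every trigger, PRs included.
      - name: Build image locally for scanning
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          platforms: linux/amd64
          load: true
          push: false
          tags: ${{ steps.meta.outputs.primary_tag }}
          build-args: |
            GIT_COMMIT=${{ github.sha }}
          cache-from: type=gha,scope=proxy-amd64
          cache-to: type=gha,mode=max,scope=proxy-amd64

      # Vulnerability scan of the local image. fail-build is off, so findings
      # (critical and above) are reported through the SARIF upload below rather
      # than failing the job.
      - name: Scan proxy Docker image
        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
        id: anchore-scan
        with:
          image: ${{ steps.meta.outputs.primary_tag }}
          fail-build: false
          severity-cutoff: critical

      # Upload scan results to code scanning for releases, pushes to main and
      # manual runs on main; skipped for PRs and for dispatches from a tag.
      # !cancelled() keeps the upload even when the scan step itself failed.
      - name: Upload Anchore scan SARIF report
        if: ${{ !cancelled() && github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main') }}
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: ${{ steps.anchore-scan.outputs.sarif }}
          category: grype-proxy

      # Publishes the multi-arch image under every tag computed by the meta
      # step. Never runs for pull requests.
      # NOTE(review): a tag push that is not matched by the trigger's tags-ignore
      # would reach this step with the `pr-<run_number>` tag from the meta step's
      # fallback branch and be pushed to Docker Hub — confirm that is intended.
      - name: Build and push multi-arch images
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          platforms: ${{ env.PLATFORM }}
          push: true
          tags: ${{ steps.meta.outputs.push_tags }}
          build-args: |
            GIT_COMMIT=${{ github.sha }}
          cache-from: type=gha,scope=proxy-multiarch
          cache-to: type=gha,mode=max,scope=proxy-multiarch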
| # Skip SonarQube when SONAR_TOKEN is not configured, and also skip fork PRs because repository secrets are not exposed there | |
| - name: SonarQube Scan | |
| if: ${{ env.SONAR_TOKEN != '' && (github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork) }} | |
| uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0 | |