proxy/.github/workflows/proxy.yml at 22cbf536ca87d9f040781b1618f1f0345b01a32d · openremote/proxy · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
name: Docker Image

on:
  # When a release is published
  release:
    types: [published]

  # Push excluding tags and Markdown-only changes
  push:
    branches:
      - main
    tags-ignore:
      - '*.*'
    paths-ignore:
      - '**/*.md'

  # Validate pull requests without publishing
  pull_request:
    branches:
      - main
    paths-ignore:
      - '**/*.md'

  # Manual trigger
  workflow_dispatch:

permissions:
  contents: read
  security-events: write

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.head.sha || github.ref }}
  cancel-in-progress: true

env:
  IMAGE_NAME: ${{ vars.DOCKERHUB_NAMESPACE || github.repository_owner }}/proxy
  PLATFORM: linux/amd64,linux/arm64
  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

jobs:
  image_proxy:
    name: Build images
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
        with:
          platforms: all

      - name: Set up Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Log in to Docker Hub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets._TEMP_DOCKERHUB_USER }}
          password: ${{ secrets._TEMP_DOCKERHUB_PASSWORD }}

      - name: Compute image metadata
        id: meta
        shell: bash
        run: |
          VERSION=""
          IS_VERSIONED="false"
          PRIMARY_TAG=""
          PUSH_TAGS=""

          if [[ "${{ github.event_name }}" == "release" ]]; then
            VERSION="${{ github.event.release.tag_name }}"
            IS_VERSIONED="true"
          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            if [[ "${{ github.ref_type }}" == "tag" ]]; then
              VERSION="${{ github.ref_name }}"
              IS_VERSIONED="true"
            elif [[ "${{ github.ref }}" != "refs/heads/main" ]]; then
              echo "workflow_dispatch must be run on main or on a tag"
              exit 1
            fi
          fi

          if [[ "$IS_VERSIONED" == "true" ]]; then
            PRIMARY_TAG="${IMAGE_NAME}:${VERSION}"
            PUSH_TAGS="${IMAGE_NAME}:${VERSION}
          ${IMAGE_NAME}:latest"
          elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
            PRIMARY_TAG="${IMAGE_NAME}:develop"
            PUSH_TAGS="${IMAGE_NAME}:develop"
          else
            PRIMARY_TAG="${IMAGE_NAME}:pr-${{ github.event.pull_request.number || github.run_number }}"
            PUSH_TAGS="${PRIMARY_TAG}"
          fi

          {
            echo "version=$VERSION"
            echo "is_versioned=$IS_VERSIONED"
            echo "primary_tag=$PRIMARY_TAG"
            echo "push_tags<<EOF"
            echo "$PUSH_TAGS"
            echo "EOF"
          } >> "$GITHUB_OUTPUT"

      - name: Build image locally for scanning
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          platforms: linux/amd64
          load: true
          push: false
          tags: ${{ steps.meta.outputs.primary_tag }}
          build-args: |
            GIT_COMMIT=${{ github.sha }}
          cache-from: type=gha,scope=proxy-amd64
          cache-to: type=gha,mode=max,scope=proxy-amd64

      - name: Scan proxy Docker image
        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
        id: anchore-scan
        with:
          image: ${{ steps.meta.outputs.primary_tag }}
          fail-build: false
          severity-cutoff: critical

      - name: Upload Anchore scan SARIF report
        if: ${{ !cancelled() && github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main') }}
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: ${{ steps.anchore-scan.outputs.sarif }}
          category: grype-proxy

      - name: Build and push multi-arch images
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          platforms: ${{ env.PLATFORM }}
          push: true
          tags: ${{ steps.meta.outputs.push_tags }}
          build-args: |
            GIT_COMMIT=${{ github.sha }}
          cache-from: type=gha,scope=proxy-multiarch
          cache-to: type=gha,mode=max,scope=proxy-multiarch

      # Skip SonarQube when SONAR_TOKEN is not configured, and also skip fork PRs because repository secrets are not exposed there
      - name: SonarQube Scan
        if: ${{ env.SONAR_TOKEN != '' && (github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork) }}
        uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0