Merge pull request #2 from IntimateMerger/feature-1.27.1.2 #3
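name: Build and Push Docker Image

on:
  push:
    branches:
      - master
      - main
    tags:
      # Release tags follow OpenResty's four-part version plus a build number,
      # e.g. 1.27.1.2-0. The glob is only a coarse filter; the
      # "Extract version from tag" step validates the exact format.
      - '*.*.*.*-*'
  pull_request:
    branches:
      - master
      - main
  # NOTE(review): a manual run on a branch other than master/main builds and
  # pushes untagged per-arch images (push-by-digest) and then fails in the
  # `merge` job with "No tags to create", because no tag is enabled for that
  # ref. Consider restricting manual runs to the default branch, or adding a
  # branch-name tag for them.
  workflow_dispatch:

env:
  DOCKER_IMAGE: intimatemerger/openresty

jobs:
  # Per-architecture build. Each matrix leg pushes its image by digest (no
  # tag) and hands the digest to the `merge` job via an artifact. Skipped on
  # pull_request so that fork PRs never run with the registry credentials;
  # PRs get the `security-scan` job instead.
  build:
    name: Build ${{ matrix.platform }}
    if: github.event_name != 'pull_request'
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read
    strategy:
      fail-fast: true
      matrix:
        include:
          - platform: linux/amd64
            runner: ubuntu-latest
            arch: amd64
          - platform: linux/arm64
            runner: ubuntu-latest-arm
            arch: arm64
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          # Write scope is required here: push-by-digest pushes the per-arch
          # image from this job, not only from `merge`.
          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN_READ_WRITE }}

      - name: Build and push by digest
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: ${{ matrix.platform }}
          outputs: type=image,name=${{ env.DOCKER_IMAGE }},push-by-digest=true,name-canonical=true,push=true
          sbom: true
          # NOTE(review): SLSA provenance attestation is disabled, so the
          # pushed images carry an SBOM but no build provenance. If this is
          # only to avoid the extra attestation entries in the manifest list,
          # `provenance: mode=min` may be an option -- confirm the reason
          # before changing.
          provenance: false
          cache-from: type=gha,scope=${{ matrix.arch }}
          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}

      - name: Export digest
        env:
          # Passed through the environment rather than interpolated into the
          # script so the value is never parsed as shell.
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          set -euo pipefail
          mkdir -p /tmp/digests
          # The file name is the bare hex digest; `merge` globs these names.
          touch "/tmp/digests/${DIGEST#sha256:}"

      - name: Upload digest
        uses: actions/upload-artifact@v6
        with:
          name: digests-${{ matrix.arch }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

  # Assemble the per-arch digests into one multi-arch manifest list and
  # apply the human-readable tags.
  merge:
    name: Create manifest list
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Download digests
        uses: actions/download-artifact@v7
        with:
          path: /tmp/digests
          pattern: digests-*
          merge-multiple: true

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN_READ_WRITE }}

      # Derive Docker tags from a release tag of the form 1.27.1.2-0:
      #   patch_version = 1.27.1   minor_version = 1.27
      # Both are floating tags: the fourth version component and the build
      # number are dropped, so a later 1.27.1.3-0 release overwrites 1.27.1.
      # NOTE(review): no immutable tag carrying the full 1.27.1.2 (or
      # 1.27.1.2-0) version is pushed, so consumers cannot pin an exact build
      # by tag, only by digest.
      - name: Extract version from tag
        id: version
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          set -euo pipefail
          TAG=${GITHUB_REF#refs/tags/}
          echo "Original tag: $TAG"
          if [[ $TAG =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)-[0-9]+$ ]]; then
            MAJOR=${BASH_REMATCH[1]}
            MINOR=${BASH_REMATCH[2]}
            PATCH=${BASH_REMATCH[3]}
            PATCH_VERSION="${MAJOR}.${MINOR}.${PATCH}"   # e.g., 1.27.1
            MINOR_VERSION="${MAJOR}.${MINOR}"            # e.g., 1.27
            echo "patch_version=$PATCH_VERSION" >> "$GITHUB_OUTPUT"
            echo "minor_version=$MINOR_VERSION" >> "$GITHUB_OUTPUT"
            echo "Generated Docker tags: $PATCH_VERSION, $MINOR_VERSION"
          else
            # Fail here with a clear message. Previously the step only logged
            # and continued, and the run then died in "Create manifest list
            # and push" with the misleading "No tags to create".
            echo "::error::Tag '$TAG' does not match the expected pattern X.X.X.X-X"
            exit 1
          fi

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_IMAGE }}
          tags: |
            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') || github.ref == format('refs/heads/{0}', 'main') }}
            type=raw,value=${{ steps.version.outputs.patch_version }},enable=${{ startsWith(github.ref, 'refs/tags/') && steps.version.outputs.patch_version != '' }}
            type=raw,value=${{ steps.version.outputs.minor_version }},enable=${{ startsWith(github.ref, 'refs/tags/') && steps.version.outputs.minor_version != '' }}

      - name: Create manifest list and push
        working-directory: /tmp/digests
        run: |
          set -euo pipefail
          shopt -s nullglob
          # Collect the tags produced by metadata-action as "-t <ref>" args.
          TAGS=$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON")
          if [ -z "${TAGS}" ]; then
            echo "No tags to create"
            exit 1
          fi
          # One file per architecture, named by bare hex digest (see `build`).
          # With nullglob an empty directory yields an empty array instead of
          # a literal "*" being passed to imagetools.
          DIGESTS=( * )
          if [ "${#DIGESTS[@]}" -eq 0 ]; then
            echo "::error::No digest files found in /tmp/digests"
            exit 1
          fi
          REFS=()
          for d in "${DIGESTS[@]}"; do
            REFS+=( "${DOCKER_IMAGE}@sha256:${d}" )
          done
          echo "Creating manifest list with tags: ${TAGS}"
          echo "From digests:"
          ls -la
          # ${TAGS} is intentionally unquoted: it expands to several arguments.
          docker buildx imagetools create ${TAGS} "${REFS[@]}"
          echo "Successfully created and pushed manifest lists"

      - name: Inspect manifest
        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main'
        run: |
          docker buildx imagetools inspect "${DOCKER_IMAGE}:${{ steps.meta.outputs.version }}"

      # NOTE(review): the CVE scan is informational only (continue-on-error
      # and exit-code: false) and runs for the master/main image only; the
      # tagged release images are never scanned by this workflow.
      - name: Docker Scout CVE scan
        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main'
        uses: docker/scout-action@v1
        continue-on-error: true
        with:
          command: cves
          image: ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }}
          only-severities: critical,high
          exit-code: false

  # Pull-request gate: Trivy misconfiguration scan of the repository files
  # (scan-type config, not an image CVE scan). Needs no registry access and
  # no secrets, so it is safe to run for fork PRs.
  security-scan:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Run Trivy vulnerability scanner
        # TODO(security): `@master` is a mutable branch ref, so the action's
        # code can change underneath this job, which holds
        # security-events: write. Pin to a release tag or, better, a full
        # commit SHA; every other action in this file is at least pinned to a
        # major version.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'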