Skip to content

CD

CD #982

Workflow file for this run

name: CD
on:
push:
branches: [master]
schedule:
- cron: '30 4 * * *'
workflow_dispatch:
inputs:
force_rebuild:
description: 'Force image rebuild'
required: true
type: choice
options: [yes, no]
permissions:
packages: write
contents: read
env:
REGISTRY: ghcr.io
jobs:
Alpine:
name: Alpine
runs-on: ubuntu-latest
timeout-minutes: 5
strategy:
matrix:
version: [ '3.15', '3.16', '3.17', '3.18', '3.19', '3.20' ]
steps:
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Check for rebuild
id: rebuild_check
continue-on-error: true
run : |
# [rebuild-check]
echo -e "::group::\033[34mChecking for packages updates…\033[0m"
if [[ "${{ github.event.inputs.force_rebuild }}" == "true" ]] ; then
echo "::warning::Rebuild ${{matrix.version}} (reason: forced rebuild)"
echo "build=true" >> $GITHUB_OUTPUT
exit 0
else
if ! docker pull "${{env.REGISTRY}}/${{github.repository}}:${{matrix.version}}" ; then
echo "::warning::Rebuild ${{matrix.version}} (reason: new image)"
echo "build=true" >> $GITHUB_OUTPUT
exit 0
fi
if ! docker run --rm "${{env.REGISTRY}}/${{github.repository}}:${{matrix.version}}" checkupdate ; then
echo "::warning::Rebuild ${{matrix.version}} (reason: packages update)"
echo "build=true" >> $GITHUB_OUTPUT
exit 0
fi
fi
echo "::endgroup::"
echo -e "::group::\033[34mChecking for rebuilt base image…\033[0m"
echo "Pulling alpine:${{matrix.version}} from registry…"
echo ""
if ! docker pull "alpine:${{matrix.version}}" ; then
echo "::error::Can't pull image alpine:${{matrix.version}}"
exit 1
fi
orig_dig=$(docker inspect "alpine:${{matrix.version}}" | jq -r '.[0].RootFS.Layers[0]')
our_dig=$(docker inspect "${{env.REGISTRY}}/${{github.repository}}:${{matrix.version}}" | jq -r '.[0].RootFS.Layers[0]')
echo ""
echo "Original: ${orig_dig}"
echo "Our: ${our_dig}"
if [[ "$orig_dig" != "$our_dig" ]] ; then
echo "::warning::Rebuild ${{matrix.version}} (reason: rebuilt base image)"
echo "build=true" >> $GITHUB_OUTPUT
exit 0
fi
echo "::endgroup::"
- name: Checkout
if: ${{ steps.rebuild_check.outputs.build == 'true' }}
uses: actions/checkout@v4
- name: Set build context
if: ${{ steps.rebuild_check.outputs.build == 'true' }}
id: build_context
run: |
dockerfile=$(echo "${{matrix.version}}" | tr -d ".")
echo "dockerfile=$dockerfile.docker" >> $GITHUB_OUTPUT
- name: Rebuild and push image
if: ${{ steps.rebuild_check.outputs.build == 'true' }}
uses: docker/build-push-action@v5
with:
context: .
file: ${{ steps.build_context.outputs.dockerfile }}
push: true
tags: |
ghcr.io/${{github.repository}}:${{matrix.version}}
${{github.repository}}:${{matrix.version}}
- name: Show info about image
uses: essentialkaos/docker-info-action@v1
with:
image: ${{env.REGISTRY}}/${{github.repository}}:${{matrix.version}}
- name: Scan final image with Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: "${{env.REGISTRY}}/${{github.repository}}:${{matrix.version}}"
format: "table"
ignore-unfixed: true
severity: "LOW,MEDIUM,HIGH,CRITICAL"
scanners: "vuln"