Build packages for s390x #415

Workflow file for this run

	name: Docker

	on:
	push:
	branches:
	- main
	tags:
	- "v[0-9]+.[0-9]+.[0-9]+"
	paths-ignore:
	- "**.yml"
	- "**.yaml"
	- "**.md"
	pull_request:
	branches:
	- main
	repository_dispatch:
	types: [update]
	workflow_dispatch:

	concurrency:
	group: ${{ github.ref_name }}-ci
	cancel-in-progress: true

	permissions:
	contents: read

	jobs:
	build-docker:
	name: Build Docker Image
	runs-on: ubuntu-24.04
	permissions:
	contents: read
	security-events: write
	packages: write
	services:
	registry:
	image: registry:2
	ports:
	- 5000:5000
	steps:
	- name: Checkout Repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Output Variables
	id: var
	run: \|
	nginx_v=$(grep -m1 'FROM nginx:' <Dockerfile \| awk -F'[: ]' '{print $3}')
	docker pull nginx:$nginx_v \|\| exit 1
	njs=$(docker run nginx:$nginx_v env \| grep NJS_VERSION \| cut -d= -f2)
	echo "NJS_VERSION=$njs"
	echo "nginx_version=${nginx_v}" >> $GITHUB_OUTPUT
	echo "njs_version=${njs}" >> $GITHUB_OUTPUT

	- name: Setup QEMU
	uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
	with:
	platforms: arm,arm64,ppc64le,s390x
	if: github.event_name != 'pull_request'

	- name: Docker Buildx
	uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
	with:
	buildkitd-flags: --debug

	- name: DockerHub Login
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}
	if: github.event_name != 'pull_request'

	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	if: github.event_name != 'pull_request'

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
	with:
	images: \|
	name=nginxcontrib/nginx-ubi,enable=${{ github.event_name != 'pull_request' }}
	name=ghcr.io/lucacome/nginx-ubi,enable=${{ github.event_name != 'pull_request' }}
	name=localhost:5000/nginx-ubi/local-ubi
	tags: \|
	type=raw,value=${{ steps.var.outputs.nginx_version }}

	- name: Build from source
	uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
	id: build
	with:
	pull: true
	push: true
	platforms: "linux/ppc64le, linux/s390x"
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha,scope=source
	cache-to: type=gha,scope=source,mode=max
	target: final
	provenance: mode=max
	sbom: true
	build-args: \|
	NGINX=${{ steps.var.outputs.nginx_version }}
	NJS=${{ steps.var.outputs.njs_version }}

	- name: Build prebuilt
	uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
	id: build-prebuilt
	with:
	pull: true
	push: true
	platforms: "linux/amd64, linux/arm64"
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha,scope=prebuilt
	cache-to: type=gha,scope=prebuilt,mode=max
	target: final
	file: Dockerfile.prebuilt
	provenance: mode=max
	sbom: true
	build-args: \|
	NGINX=${{ steps.var.outputs.nginx_version }}
	NJS=${{ steps.var.outputs.njs_version }}

	- name: Combine images
	run: \|
	docker buildx imagetools create nginxcontrib/nginx-ubi@${{ steps.build.outputs.digest }} ${{ steps.build-prebuilt.outputs.digest }} --tag nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }}
	docker buildx imagetools create nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }} --tag nginxcontrib/nginx-ubi:latest
	docker buildx imagetools create nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }} --tag nginxcontrib/nginx:latest-ubi
	docker buildx imagetools create nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }} --tag nginxcontrib/nginx:${{ steps.meta.outputs.version }}-ubi

	docker buildx imagetools create ghcr.io/lucacome/nginx-ubi@${{ steps.build.outputs.digest }} ${{ steps.build-prebuilt.outputs.digest }} --tag ghcr.io/lucacome/nginx-ubi:${{ steps.meta.outputs.version }}
	docker buildx imagetools create ghcr.io/lucacome/nginx-ubi:${{ steps.meta.outputs.version }} --tag ghcr.io/lucacome/nginx-ubi:latest
	docker buildx imagetools create ghcr.io/lucacome/nginx-ubi:${{ steps.meta.outputs.version }} --tag ghcr.io/lucacome/nginx:latest-ubi
	docker buildx imagetools create ghcr.io/lucacome/nginx-ubi:${{ steps.meta.outputs.version }} --tag ghcr.io/lucacome/nginx:${{ steps.meta.outputs.version }}-ubi
	if: github.event_name != 'pull_request'

	- name: Inspect SBOM and output manifest
	run: \|
	docker buildx imagetools inspect localhost:5000/nginx-ubi/local-ubi:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom.json
	docker buildx imagetools inspect localhost:5000/nginx-ubi/local-ubi:${{ steps.meta.outputs.version }} --raw

	- name: Scan SBOM
	id: scan
	uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6.1.0
	with:
	sbom: "sbom.json"
	only-fixed: true
	add-cpes-if-none: true
	fail-build: false

	- name: Upload scan result to GitHub Security tab
	uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
	continue-on-error: true
	with:
	sarif_file: ${{ steps.scan.outputs.sarif }}
	if: always()

	- name: Upload Scan Results
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
	continue-on-error: true
	with:
	name: scan-results
	path: \|
	${{ steps.scan.outputs.sarif }}
	*.json
	if: always()

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build packages for s390x #415

Workflow file

Build packages for s390x #415

Jobs

Run details

Workflow file for this run