Skip to content
Docker

update #420

Sign in to view logs

update

update #420

Workflow file for this run

.github/workflows/docker.yml at 04b9b91
name: Docker
on:
push:
branches:
- main
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
paths-ignore:
- "**.yml"
- "**.yaml"
- "**.md"
pull_request:
branches:
- main
repository_dispatch:
types: [update]
workflow_dispatch:
env:
PLATFORMS: "linux/amd64, linux/arm64, linux/s390x"
BUILD_PLATFORMS: "linux/ppc64le"
concurrency:
group: ${{ github.ref_name }}-ci
cancel-in-progress: true
permissions:
contents: read
jobs:
build-docker:
name: Build Docker Image
runs-on: ubuntu-24.04
permissions:
contents: read
security-events: write
packages: write
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Output Variables
id: var
run: |
nginx_v=$(grep -m1 'FROM nginx:' <Dockerfile | awk -F'[: ]' '{print $3}')
docker pull nginx:$nginx_v || exit 1
njs=$(docker run nginx:$nginx_v env | grep NJS_VERSION | cut -d= -f2)
echo "NJS_VERSION=$njs"
echo "nginx_version=${nginx_v}" >> $GITHUB_OUTPUT
echo "njs_version=${njs}" >> $GITHUB_OUTPUT
- name: Setup QEMU
uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
with:
platforms: arm,arm64,ppc64le,s390x
if: github.event_name != 'pull_request'
- name: Docker Buildx
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
with:
buildkitd-flags: --debug
- name: DockerHub Login
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: github.event_name != 'pull_request'
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name != 'pull_request'
- name: Docker meta
id: meta
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
nginxcontrib/nginx-ubi
ghcr.io/lucacome/nginx-ubi
tags: |
type=raw,value=${{ steps.var.outputs.nginx_version }}
- name: Build from source
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
id: build
with:
pull: true
load: ${{ github.event_name == 'pull_request' }}
push: ${{ github.event_name != 'pull_request' }}
platforms: ${{ github.event_name != 'pull_request' && env.BUILD_PLATFORMS || '' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha,scope=source
cache-to: type=gha,scope=source,mode=max
target: final
provenance: ${{ github.event_name != 'pull_request' && 'mode=max' || 'false' }}
sbom: ${{ github.event_name != 'pull_request' }}
build-args: |
NGINX=${{ steps.var.outputs.nginx_version }}
NJS=${{ steps.var.outputs.njs_version }}
- name: Build prebuilt
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
id: build-prebuilt
with:
pull: true
load: ${{ github.event_name == 'pull_request' }}
push: ${{ github.event_name != 'pull_request' }}
platforms: ${{ github.event_name != 'pull_request' && env.PLATFORMS || '' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha,scope=prebuilt
cache-to: type=gha,scope=prebuilt,mode=max
target: final
file: Dockerfile.prebuilt
provenance: ${{ github.event_name != 'pull_request' }}
sbom: ${{ github.event_name != 'pull_request' }}
build-args: |
NGINX=${{ steps.var.outputs.nginx_version }}
NJS=${{ steps.var.outputs.njs_version }}
- name: Combine images
run: |
docker buildx imagetools create nginxcontrib/nginx-ubi@${{ steps.build.outputs.digest }} ${{ steps.build-prebuilt.outputs.digest }} --tag nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }}
docker buildx imagetools create nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }} --tag nginxcontrib/nginx-ubi:latest
docker buildx imagetools create nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }} --tag nginxcontrib/nginx:latest-ubi
docker buildx imagetools create nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }} --tag nginxcontrib/nginx:${{ steps.meta.outputs.version }}-ubi
docker buildx imagetools create ghcr.io/lucacome/nginx-ubi@${{ steps.build.outputs.digest }} ${{ steps.build-prebuilt.outputs.digest }} --tag ghcr.io/lucacome/nginx-ubi:${{ steps.meta.outputs.version }}
docker buildx imagetools create ghcr.io/lucacome/nginx-ubi:${{ steps.meta.outputs.version }} --tag ghcr.io/lucacome/nginx-ubi:latest
docker buildx imagetools create ghcr.io/lucacome/nginx-ubi:${{ steps.meta.outputs.version }} --tag ghcr.io/lucacome/nginx:latest-ubi
docker buildx imagetools create ghcr.io/lucacome/nginx-ubi:${{ steps.meta.outputs.version }} --tag ghcr.io/lucacome/nginx:${{ steps.meta.outputs.version }}-ubi
if: github.event_name != 'pull_request'
- name: Scan image
uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6.1.0
id: scan
continue-on-error: true
with:
image: nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }}
only-fixed: true
add-cpes-if-none: true
- name: Upload scan result to GitHub Security tab
uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
continue-on-error: true
with:
sarif_file: ${{ steps.scan.outputs.sarif }}