Update SECURITY.md #44
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: docker | |
| on: | |
| push: | |
| tags: | |
| - 'v2.*' | |
| # This is needed to push to GitHub Container Registry. See https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry | |
| permissions: | |
| contents: read | |
| packages: write | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| # This step generates the docker tags | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v4 | |
| env: | |
| # This env var ensures {{sha}} is a real commit SHA for type=ref,event=pr | |
| DOCKER_METADATA_PR_HEAD_SHA: 'true' | |
| with: | |
| images: | | |
| djmaze/snappymail | |
| ghcr.io/${{ github.repository }} | |
| # type=ref,event=branch generates tag(s) on branch only. E.g. 'master', 'master-abc0123' | |
| # type=ref,event=tag generates tag(s) on tags only. E.g. 'v0.0.0', 'v0.0.0-abc0123', and 'latest' | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=tag | |
| # The rest of the org.opencontainers.image.xxx labels are dynamically generated | |
| labels: | | |
| org.opencontainers.image.description=SnappyMail | |
| org.opencontainers.image.licenses=AGPLv3 | |
| # See: https://github.com/docker/build-push-action/blob/v2.6.1/docs/advanced/cache.md#github-cache | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v3 | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: ${{ runner.os }}-buildx-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-buildx- | |
| - name: Login to Docker Hub registry | |
| if: startsWith(github.ref, 'refs/tags/') # Login only on tags | |
| uses: docker/login-action@v2 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Login to GitHub Container Registry | |
| if: startsWith(github.ref, 'refs/tags/') # Login only on tags | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # See: https://github.com/docker/buildx/issues/59 | |
| - name: Build | |
| id: build | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: '.' | |
| file: ./.docker/release/Dockerfile | |
| platforms: linux/amd64 | |
| push: false | |
| load: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max | |
| - name: Docker images | |
| run: | | |
| docker images | |
| - name: Test | |
| run: | | |
| TAG=$( echo "${{ steps.meta.outputs.tags }}" | head -n1 ) | |
| .docker/release/test/test.sh "$TAG" | |
| - name: Build and push | |
| id: build-and-push | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: '.' | |
| file: ./.docker/release/Dockerfile | |
| # TODO: Add more arches? | |
| # platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x | |
| platforms: linux/386,linux/amd64,linux/arm64 | |
| push: ${{ startsWith(github.ref, 'refs/tags/') }} # Push only on tags | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max | |
| # Temp fix | |
| # https://github.com/docker/build-push-action/issues/252 | |
| # https://github.com/moby/buildkit/issues/1896 | |
| - name: Move cache | |
| run: | | |
| rm -rf /tmp/.buildx-cache | |
| mv /tmp/.buildx-cache-new /tmp/.buildx-cache |