name: Publish Docker Image on: pull_request: push: branches: - "main" env: REGISTRY_IMAGE: registry.dangerous.tech/dangeroustech/zerotierbridge jobs: Docker_Build: name: "Docker Build And Release" runs-on: ubuntu-latest strategy: fail-fast: true matrix: arch: ["amd64", "arm64"] version: ["1.12.2"] steps: - name: Checkout Repository uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to Registry id: login uses: docker/login-action@v3 with: registry: registry.dangerous.tech username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Build id: docker_build uses: docker/build-push-action@v5 with: context: . build-args: | ARCH=${{ matrix.arch }} VERSION=${{ matrix.version }} push: true platforms: linux/${{ matrix.arch }} # tags: registry.dangerous.tech/dangeroustech/zerotierbridge:latest outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true - name: Export Digests run: | mkdir -p /tmp/digests digest="${{ steps.docker_build.outputs.digest }}" touch "/tmp/digests/${digest#sha256:}" - name: Upload digest uses: actions/upload-artifact@v3 with: name: digests path: /tmp/digests/* if-no-files-found: error retention-days: 1 MergeRefs: name: "Do The Horrible Merge Thing" runs-on: ubuntu-latest needs: - Docker_Build steps: - name: Download digests uses: actions/download-artifact@v3 with: name: digests path: /tmp/digests - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to Registry id: login uses: docker/login-action@v3 with: registry: registry.dangerous.tech username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Docker meta id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY_IMAGE }} tags: | # set latest tag for default branch # https://github.com/docker/metadata-action#latest-tag type=raw,value=latest,enable={{is_default_branch}} - name: Create manifest list and push working-directory: /tmp/digests run: | docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - name: Inspect image run: | docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} - name: Generate SBOM uses: anchore/sbom-action@v0 id: sbom with: image: registry.dangerous.tech/dangeroustech/zerotierbridge:latest registry-username: ${{ secrets.REGISTRY_USERNAME }} registry-password: ${{ secrets.REGISTRY_PASSWORD }} format: spdx-json output-file: ./sbom.spdx.json - name: Scan SBOM uses: anchore/scan-action@v3 id: scan with: sbom: sbom.spdx.json severity-cutoff: medium fail-build: false only-fixed: true by-cve: true - name: upload Anchore scan SARIF report uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.scan.outputs.sarif }} - name: Changelog uses: TriPSs/conventional-changelog-action@v3 id: changelog if: ${{ github.event_name != 'pull_request' }} with: github-token: ${{ secrets.GITHUB_TOKEN }} git-message: "chore 🤖: Release {version}" output-file: "CHANGELOG.md" tag-prefix: "v" fallback-version: "1.0.0" release-count: 0 # preserve all versions in changelog skip-on-empty: false # otherwise we don't publish fixes - name: Create Release uses: softprops/action-gh-release@v1 id: release if: ${{ steps.changelog.outputs.skipped == 'false' }} env: GITHUB_TOKEN: ${{ secrets.github_token }} with: tag_name: ${{ steps.changelog.outputs.tag }} name: ${{ steps.changelog.outputs.tag }} body: ${{ steps.changelog.outputs.clean_changelog }} files: | sbom.spdx.json