mirror of
https://github.com/dangeroustech/ZeroTierBridge.git
synced 2025-12-06 09:06:58 +00:00
9a725ba61f
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 1 to 2. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](https://github.com/softprops/action-gh-release/compare/v1...v2) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-version: '2' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
175 lines
4.9 KiB
YAML
175 lines
4.9 KiB
YAML
name: Publish Docker Image
|
|
permissions:
|
|
actions: read
|
|
checks: read
|
|
contents: write
|
|
deployments: read
|
|
issues: read
|
|
discussions: read
|
|
packages: read
|
|
pages: read
|
|
pull-requests: read
|
|
repository-projects: read
|
|
security-events: write
|
|
statuses: read
|
|
|
|
on:
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
push:
|
|
branches:
|
|
- main
|
|
|
|
env:
|
|
REGISTRY_IMAGE: registry.dangerous.tech/dangeroustech/zerotierbridge
|
|
|
|
jobs:
|
|
Docker_Build:
|
|
name: Docker Build And Release
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: true
|
|
matrix:
|
|
arch: [amd64, arm64]
|
|
version: [1.12.2]
|
|
steps:
|
|
- name: Checkout Repository
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@v3
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Login to Registry
|
|
id: login
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: registry.dangerous.tech
|
|
username: ${{ secrets.REGISTRY_USERNAME }}
|
|
password: ${{ secrets.REGISTRY_PASSWORD }}
|
|
|
|
- name: Build
|
|
id: docker_build
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
build-args: |
|
|
ARCH=${{ matrix.arch }}
|
|
VERSION=${{ matrix.version }}
|
|
push: true
|
|
platforms: linux/${{ matrix.arch }}
|
|
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true
|
|
|
|
- name: Export Digests
|
|
run: |
|
|
mkdir -p /tmp/digests
|
|
digest="${{ steps.docker_build.outputs.digest }}"
|
|
touch "/tmp/digests/${digest#sha256:}"
|
|
|
|
- name: Upload digest
|
|
uses: actions/upload-artifact@v5
|
|
with:
|
|
name: digests
|
|
path: /tmp/digests/*
|
|
if-no-files-found: error
|
|
retention-days: 1
|
|
|
|
MergeRefs:
|
|
name: Do The Horrible Merge Thing
|
|
if: github.ref == 'refs/heads/main'
|
|
runs-on: ubuntu-latest
|
|
needs:
|
|
- Docker_Build
|
|
steps:
|
|
- name: Download digests
|
|
uses: actions/download-artifact@v6
|
|
with:
|
|
name: digests
|
|
path: /tmp/digests
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Login to Registry
|
|
id: login
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: registry.dangerous.tech
|
|
username: ${{ secrets.REGISTRY_USERNAME }}
|
|
password: ${{ secrets.REGISTRY_PASSWORD }}
|
|
|
|
- name: Docker meta
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ env.REGISTRY_IMAGE }}
|
|
tags: |
|
|
# set latest tag for default branch
|
|
# https://github.com/docker/metadata-action#latest-tag
|
|
type=raw,value=latest,enable={{is_default_branch}}
|
|
|
|
- name: Create manifest list and push
|
|
working-directory: /tmp/digests
|
|
run: |
|
|
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
|
|
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
|
|
- name: Inspect image
|
|
run: |
|
|
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
|
|
|
|
- name: Generate SBOM
|
|
uses: anchore/sbom-action@v0
|
|
id: sbom
|
|
with:
|
|
image: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
|
|
registry-username: ${{ secrets.REGISTRY_USERNAME }}
|
|
registry-password: ${{ secrets.REGISTRY_PASSWORD }}
|
|
format: spdx-json
|
|
output-file: ./sbom.spdx.json
|
|
|
|
- name: Scan SBOM
|
|
uses: anchore/scan-action@v7
|
|
id: scan
|
|
with:
|
|
sbom: sbom.spdx.json
|
|
severity-cutoff: medium
|
|
fail-build: false
|
|
only-fixed: true
|
|
|
|
- name: upload Anchore scan SARIF report
|
|
uses: github/codeql-action/upload-sarif@v4
|
|
with:
|
|
sarif_file: ${{ steps.scan.outputs.sarif }}
|
|
|
|
- name: Checkout Repository
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Changelog
|
|
uses: TriPSs/conventional-changelog-action@v6
|
|
id: changelog
|
|
if: ${{ github.event_name != 'pull_request' }}
|
|
with:
|
|
github-token: ${{ secrets.GITHUB_TOKEN }}
|
|
git-message: "chore 🤖: Release {version}"
|
|
output-file: CHANGELOG.md
|
|
tag-prefix: v
|
|
fallback-version: 1.0.0
|
|
release-count: 0 # preserve all versions in changelog
|
|
skip-on-empty: false # otherwise we don't publish fixes
|
|
|
|
- name: Create Release
|
|
uses: softprops/action-gh-release@v2
|
|
id: release
|
|
if: ${{ steps.changelog.outputs.skipped == 'false' }}
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.github_token }}
|
|
with:
|
|
tag_name: ${{ steps.changelog.outputs.tag }}
|
|
name: ${{ steps.changelog.outputs.tag }}
|
|
body: ${{ steps.changelog.outputs.clean_changelog }}
|
|
files: |
|
|
sbom.spdx.json
|