Skip to content

Merge pull request #340 from cybozu/scan-compatible #26

Merge pull request #340 from cybozu/scan-compatible

Merge pull request #340 from cybozu/scan-compatible #26

Workflow file for this run

name: release
on:
push:
branches:
- 'main'
env:
go-version: 1.23
jobs:
release:
name: Build and release images
strategy:
fail-fast: false
matrix:
ubuntu-version: ["20.04", "22.04", "24.04"]
runs-on: ubuntu-24.04
defaults:
run:
working-directory: ${{ matrix.ubuntu-version }}
steps:
- uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: linux/amd64,linux/arm64/v8
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: v0.17.1
- name: Login to container registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USER }} --password-stdin quay.io
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Setup golang
uses: actions/setup-go@v5
with:
go-version: ${{ env.go-version }}
- name: Install container-tag-exists
run: go install github.com/Hsn723/container-tag-exists@latest
- name: Build and push ubuntu-minimal image if needed
run: |
TAG_MINIMAL=$(cat TAG_MINIMAL)
for repo in ghcr.io quay.io; do
c="$(container-tag-exists ${repo}/cybozu/ubuntu-minimal $TAG_MINIMAL 2>&1)"
if [ "$c" = "" ]; then
echo
echo "building ubuntu-minimal ..."
docker buildx build \
--platform linux/amd64,linux/arm64/v8 \
--push \
-t ${repo}/cybozu/ubuntu-minimal:$TAG_MINIMAL \
--build-arg TAG_MINIMAL=$TAG_MINIMAL \
ubuntu-minimal
fi
done
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Extract targets
run: |
TAG=$(cat TAG)
for repo in ghcr.io quay.io; do
for image in ubuntu ubuntu-dev ubuntu-debug; do
c="$(container-tag-exists ${repo}/cybozu/$image $TAG 2>&1)"
if [ "$c" = "" ]; then
echo "build ${repo}/cybozu/$image:$TAG"
echo ${repo}/cybozu/$image >> BUILDS
fi
done
done
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push images
run: |
if [ ! -f BUILDS ]; then
echo "nothing to build."
exit 0
fi
TAG_MINIMAL=$(cat TAG_MINIMAL)
TAG=$(cat TAG)
BRANCH=$(cat BRANCH)
for d in $(cat BUILDS); do
echo
echo "building $d ..."
dir=$(echo ${d} | awk -F'/' '{print $3}')
docker buildx build \
--platform linux/amd64,linux/arm64/v8 \
--push \
-t ${d}:$TAG \
-t ${d}:$BRANCH \
--build-arg TAG_MINIMAL=$TAG_MINIMAL \
--build-arg TAG=$TAG \
${dir}
done
scan:
name: Scan images
runs-on: ubuntu-24.04
needs: release
env:
YAMORY_ACCESS_TOKEN: ${{ secrets.YAMORY_ACCESS_TOKEN }}
ubuntu-version: "20.04 22.04 24.04"
ubuntu-image: "ubuntu-debug ubuntu-dev"
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
- name: Scan images
run: |
for ubuntu_version in ${{ env.ubuntu-version }}; do
TAG=$(cat ${ubuntu_version}/TAG)
for ubuntu_image in ${{ env.ubuntu-image }}; do
echo
echo "scanning ${ubuntu_image}:${TAG} ..."
YAMORY_IMAGE_IDENTIFIER="ghcr.io/cybozu/${ubuntu_image}:${ubuntu_version}" YAMORY_IMAGE_NAME="ghcr.io/cybozu/${ubuntu_image}:${TAG}" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
done
done