Merge pull request #345 from cybozu/add-crane-command #27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: release | |
on: | |
push: | |
branches: | |
- 'main' | |
env: | |
go-version: 1.23 | |
jobs: | |
release: | |
name: Build and release images | |
strategy: | |
fail-fast: false | |
matrix: | |
ubuntu-version: ["20.04", "22.04", "24.04"] | |
runs-on: ubuntu-24.04 | |
defaults: | |
run: | |
working-directory: ${{ matrix.ubuntu-version }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
with: | |
platforms: linux/amd64,linux/arm64/v8 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
version: v0.17.1 | |
- name: Login to container registry | |
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USER }} --password-stdin quay.io | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Setup golang | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ env.go-version }} | |
- name: Install container-tag-exists | |
run: go install github.com/Hsn723/container-tag-exists@latest | |
- name: Build and push ubuntu-minimal image if needed | |
run: | | |
TAG_MINIMAL=$(cat TAG_MINIMAL) | |
for repo in ghcr.io quay.io; do | |
c="$(container-tag-exists ${repo}/cybozu/ubuntu-minimal $TAG_MINIMAL 2>&1)" | |
if [ "$c" = "" ]; then | |
echo | |
echo "building ubuntu-minimal ..." | |
docker buildx build \ | |
--platform linux/amd64,linux/arm64/v8 \ | |
--push \ | |
-t ${repo}/cybozu/ubuntu-minimal:$TAG_MINIMAL \ | |
--build-arg TAG_MINIMAL=$TAG_MINIMAL \ | |
ubuntu-minimal | |
fi | |
done | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Extract targets | |
run: | | |
TAG=$(cat TAG) | |
for repo in ghcr.io quay.io; do | |
for image in ubuntu ubuntu-dev ubuntu-debug; do | |
c="$(container-tag-exists ${repo}/cybozu/$image $TAG 2>&1)" | |
if [ "$c" = "" ]; then | |
echo "build ${repo}/cybozu/$image:$TAG" | |
echo ${repo}/cybozu/$image >> BUILDS | |
fi | |
done | |
done | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and push images | |
run: | | |
if [ ! -f BUILDS ]; then | |
echo "nothing to build." | |
exit 0 | |
fi | |
TAG_MINIMAL=$(cat TAG_MINIMAL) | |
TAG=$(cat TAG) | |
BRANCH=$(cat BRANCH) | |
for d in $(cat BUILDS); do | |
echo | |
echo "building $d ..." | |
dir=$(echo ${d} | awk -F'/' '{print $3}') | |
docker buildx build \ | |
--platform linux/amd64,linux/arm64/v8 \ | |
--push \ | |
-t ${d}:$TAG \ | |
-t ${d}:$BRANCH \ | |
--build-arg TAG_MINIMAL=$TAG_MINIMAL \ | |
--build-arg TAG=$TAG \ | |
${dir} | |
done | |
scan: | |
name: Scan images | |
runs-on: ubuntu-24.04 | |
needs: release | |
env: | |
YAMORY_ACCESS_TOKEN: ${{ secrets.YAMORY_ACCESS_TOKEN }} | |
ubuntu-version: "20.04 22.04 24.04" | |
ubuntu-image: "ubuntu-debug ubuntu-dev" | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Install Trivy | |
run: | | |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin | |
- name: Scan images | |
run: | | |
for ubuntu_version in ${{ env.ubuntu-version }}; do | |
TAG=$(cat ${ubuntu_version}/TAG) | |
for ubuntu_image in ${{ env.ubuntu-image }}; do | |
echo | |
echo "scanning ${ubuntu_image}:${TAG} ..." | |
YAMORY_IMAGE_IDENTIFIER="ghcr.io/cybozu/${ubuntu_image}:${ubuntu_version}" YAMORY_IMAGE_NAME="ghcr.io/cybozu/${ubuntu_image}:${TAG}" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)" | |
done | |
done |