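# Builds the application Docker image, pushes it to the container registry,
# scans the pushed image with Snyk and uploads the SARIF report to GitHub
# code scanning. Triggered manually or when a release is published.
on:
  workflow_dispatch:
  release:
    types: [published]

# All runs of this workflow share one concurrency group; a run that is
# already in progress is not cancelled by a newer one.
concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false

name: Build Application Docker

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build:
    name: datalens-ui
    runs-on: ubuntu-latest
    # Job-scoped token permissions: read the repository for checkout, write
    # packages for the registry push, write security events for the SARIF
    # upload. Nothing else is granted to GITHUB_TOKEN in this job.
    permissions:
      contents: read
      packages: write
      security-events: write
    steps:
      - uses: actions/checkout@v4
      # ? disabled due to a very long ARM build
      # - uses: docker/setup-qemu-action@v3
      #   with:
      #     platforms: 'arm64'
      # - uses: docker/setup-buildx-action@v3
      - name: 'Get release build version'
        run: |
          BUILD_VERSION=$(jq -r '.version' package.json)
          COMMIT_NAME=$(git log -n 1 --pretty=format:%s)
          # BUILD_VERSION is repository content that ends up in the
          # line-oriented $GITHUB_ENV file and in an image tag. Accept only a
          # valid Docker tag, so a missing or crafted version cannot define
          # extra variables or extra tag rules. The bash regex is anchored
          # to the whole string, so embedded newlines are rejected too.
          if [[ "$BUILD_VERSION" == "null" ||
                ! "$BUILD_VERSION" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "::error::package.json version is missing or not a valid image tag"
            exit 1
          fi
          echo "Release build version: ${BUILD_VERSION}"
          echo "BUILD_VERSION=$BUILD_VERSION" >> "$GITHUB_ENV"
          # %s is the one-line commit subject; it is only read through
          # contains() in an expression below, never expanded into a shell.
          echo "COMMIT_NAME=$COMMIT_NAME" >> "$GITHUB_ENV"
      - name: Log in to the Container registry
        # NOTE(review): the page shows this reference as
        # 'docker/[email protected]' (text around '@' lost to e-mail
        # obfuscation). Action name inferred from the inputs below; restore
        # the original version from the repository.
        uses: docker/login-action@<VERSION-NOT-SHOWN-ON-PAGE>
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract tags for Docker
        id: meta
        # NOTE(review): reference obfuscated on the page, see the login step;
        # name inferred from the 'images'/'tags' inputs and outputs used.
        uses: docker/metadata-action@<VERSION-NOT-SHOWN-ON-PAGE>
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # Always tag with the package version; add 'latest' only when the
          # head commit subject contains '[release]'.
          tags: |
            type=raw,value=${{ env.BUILD_VERSION }}
            ${{ contains(env.COMMIT_NAME, '[release]') && 'type=raw,value=latest' || '' }}
      - name: Build and push Docker image
        # NOTE(review): reference obfuscated on the page, see the login step;
        # name inferred from the build/push inputs below.
        uses: docker/build-push-action@<VERSION-NOT-SHOWN-ON-PAGE>
        with:
          build-args: |
            app_version=${{ env.BUILD_VERSION }}
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          # ? disabled due to a very long ARM build
          # platforms: linux/amd64,linux/arm64
          # cache-from: type=gha
          # cache-to: type=gha,mode=max
      - name: Run Snyk to check Docker image for vulnerabilities
        # Best-effort: scan findings or a scan failure do not fail the job.
        # The image has already been pushed by now, so this scan reports on
        # the published image rather than gating publication.
        continue-on-error: true
        # NOTE(review): '@master' is a mutable branch and this step receives
        # SNYK_TOKEN. Pin to a reviewed full commit SHA, for example
        # snyk/actions/docker@<FULL-COMMIT-SHA>.
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # Scan the tag that was just built. An untagged reference resolves
          # to ':latest', which this workflow only updates for '[release]'
          # commits and so may be an older image or absent.
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BUILD_VERSION }}
          args: --file=Dockerfile --org=cf523e0b-3db4-4d9c-a4d0-13b9b91acec3
      - name: Upload result to GitHub Code Scanning
        # Left unconditional so a missing snyk.sarif (scan step did not
        # produce a report) fails the job visibly instead of passing quietly.
        # NOTE(review): v2 of this action is deprecated upstream; move to a
        # supported major version and pin it.
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif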