mirror of
https://github.com/matrix-org/sliding-sync.git
synced 2025-03-10 13:37:11 +00:00
91 lines
2.9 KiB
YAML
91 lines
2.9 KiB
YAML
# Based on https://github.com/docker/build-push-action
|
|
|
|
name: "Docker"
|
|
|
|
on:
|
|
push:
|
|
branches: ["main"]
|
|
tags: ["v*"]
|
|
workflow_dispatch: # A build was manually requested
|
|
workflow_call: # Another pipeline called us
|
|
|
|
env:
|
|
GHCR_NAMESPACE: matrix-org
|
|
PLATFORMS: "linux/amd64,linux/arm64"
|
|
|
|
jobs:
|
|
slidingsync:
|
|
name: Sliding Sync image
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
security-events: write # To upload Trivy sarif files
|
|
id-token: write # needed for signing the images with GitHub OIDC Token
|
|
steps:
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@v3.3.0
|
|
- name: Checkout
|
|
uses: actions/checkout@v3
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@v2
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v2
|
|
- name: Login to GitHub Containers
|
|
uses: docker/login-action@v2
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Build main sliding sync image
|
|
if: github.ref_name == 'main'
|
|
id: docker_build_sliding_sync
|
|
uses: docker/build-push-action@v4
|
|
with:
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
context: .
|
|
platforms: ${{ env.PLATFORMS }}
|
|
push: true
|
|
tags: |
|
|
ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:main
|
|
|
|
- name: Build release Sliding Sync image
|
|
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
|
|
id: docker_build_sliding_sync_release
|
|
uses: docker/build-push-action@v4
|
|
with:
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
context: .
|
|
platforms: ${{ env.PLATFORMS }}
|
|
push: true
|
|
tags: |
|
|
ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:latest
|
|
ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}
|
|
|
|
- name: Sign the images with GitHub OIDC Token
|
|
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
|
|
env:
|
|
DIGEST: ${{ steps.docker_build_sliding_sync_release.outputs.digest }}
|
|
TAGS: ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}
|
|
run: |
|
|
images=""
|
|
for tag in ${TAGS}; do
|
|
images+="${tag}@${DIGEST} "
|
|
done
|
|
cosign sign --yes ${images}
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:main
|
|
format: "sarif"
|
|
output: "trivy-results.sarif"
|
|
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
with:
|
|
sarif_file: "trivy-results.sarif"
|