CI #2107
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| branches: | |
| - master | |
| schedule: | |
| - cron: '0 1 * * 0' | |
| env: | |
| IMAGE_NAME: haxorof/ansible | |
| LATEST_OS: alpine | |
| LATEST_VERSION: v11 | |
| # https://download.docker.com/linux/static/stable/x86_64/ | |
| DOCKER_CLI_VERSION: "27.3.1" | |
| # https://github.com/tianon/gosu/releases | |
| GOSU_VERSION: "1.17" | |
| jobs: | |
| build_push: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| os: [alpine, almalinux, ubuntu] | |
| version: [v10, v11] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Prepare | |
| id: prep | |
| run: | | |
| cp requirements/${MATRIX_VERSION}/requirements.txt requirements/requirements.txt | |
| TAGS="${IMAGE_NAME}:${MATRIX_VERSION}-${MATRIX_OS}" | |
| TEST_TAG="${TAGS}" | |
| if [[ "$MATRIX_OS" == "$LATEST_OS" ]]; then | |
| TAGS="${TAGS},${IMAGE_NAME}:$MATRIX_VERSION" | |
| if [[ "$MATRIX_VERSION" == "$LATEST_VERSION" ]]; then | |
| TAGS="${TAGS},${IMAGE_NAME}:latest-${MATRIX_OS},${IMAGE_NAME}:latest" | |
| fi | |
| elif [[ "$MATRIX_VERSION" == "$LATEST_VERSION" ]]; then | |
| TAGS="${TAGS},${IMAGE_NAME}:latest-${MATRIX_OS}" | |
| fi | |
| echo "test_tag=${TEST_TAG}" >> $GITHUB_OUTPUT | |
| echo "tags=${TAGS}" >> $GITHUB_OUTPUT | |
| echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT | |
| env: | |
| MATRIX_OS: ${{ matrix.os }} | |
| MATRIX_VERSION: ${{ matrix.version }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3.9.0 | |
| - name: Build and Push | |
| uses: docker/build-push-action@v6.13.0 | |
| with: | |
| load: true | |
| labels: | | |
| org.opencontainers.image.created=${{ steps.prep.outputs.created }} | |
| org.opencontainers.image.source=${{ github.repositoryUrl }} | |
| org.opencontainers.image.version=${{ matrix.version }} | |
| org.opencontainers.image.revision=${{ github.sha }} | |
| org.opencontainers.image.licenses=${{ github.event.repository.license.name }} | |
| build-args: | | |
| docker_version=${{ env.DOCKER_CLI_VERSION }} | |
| gosu_version=${{ env.GOSU_VERSION }} | |
| tags: ${{ steps.prep.outputs.test_tag }} | |
| context: . | |
| file: ./Dockerfile.${{ matrix.os }} | |
| - name: Test built image | |
| run: | | |
| docker run --rm -v ${PWD}/test:/mnt ${{ steps.prep.outputs.test_tag }} | |
| - name: Scan container image | |
| uses: anchore/scan-action@v6 | |
| id: scan | |
| with: | |
| image: ${{ steps.prep.outputs.test_tag }} | |
| fail-build: false | |
| severity-cutoff: critical | |
| - name: Upload scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ${{ steps.scan.outputs.sarif }} | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v3.3.0 | |
| if: ${{ endsWith(github.ref, '/master') }} | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Build and Push | |
| uses: docker/build-push-action@v6.13.0 | |
| with: | |
| labels: | | |
| org.opencontainers.image.created=${{ steps.prep.outputs.created }} | |
| org.opencontainers.image.source=${{ github.repositoryUrl }} | |
| org.opencontainers.image.version=${{ matrix.version }} | |
| org.opencontainers.image.revision=${{ github.sha }} | |
| org.opencontainers.image.licenses=${{ github.event.repository.license.name }} | |
| build-args: | | |
| docker_version=${{ env.DOCKER_CLI_VERSION }} | |
| gosu_version=${{ env.GOSU_VERSION }} | |
| tags: ${{ steps.prep.outputs.tags }} | |
| context: . | |
| file: ./Dockerfile.${{ matrix.os }} | |
| push: ${{ endsWith(github.ref, '/master') }} | |
| dependabot: | |
| if: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' }} | |
| needs: build_push | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Dependabot metadata | |
| id: dependabot-metadata | |
| uses: dependabot/fetch-metadata@v2.3.0 | |
| with: | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| - name: Enable auto-merge for Dependabot PRs | |
| if: ${{steps.dependabot-metadata.outputs.package-ecosystem == 'github_actions'}} | |
| run: gh pr merge --auto --merge "$PR_URL" | |
| env: | |
| PR_URL: ${{github.event.pull_request.html_url}} | |
| GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
| update_docker_hub_description: | |
| needs: build_push | |
| runs-on: ubuntu-latest | |
| if: ${{ endsWith(github.ref, '/master') }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Docker Hub Description | |
| uses: peter-evans/dockerhub-description@v4 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| repository: ${{ env.IMAGE_NAME }} |