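name: cd
# Runs on pushes to main (documentation-only changes excluded), on a weekly
# schedule, and on demand.
on:
  push:
    branches: [main]
    paths-ignore:
      - '**.md'
  schedule:
    - cron: '43 1 * * SUN' # every Sunday at 1:43 AM UTC
  workflow_dispatch:
# Default the GITHUB_TOKEN to no permissions; every job declares the granular
# permissions it actually needs.
permissions: {}
# One CD run per ref at a time (cancel-in-progress is left at its default, so a
# newer push does not abort an in-flight publish).
concurrency:
  group: cd-${{ github.ref }}
env:
  IMAGE_NAME: network-tools
# NOTE(review): the actions below are referenced by mutable refs (@main, @master,
# and docker/login-action once as @v4 and once as @master). Pinning each to a
# full commit SHA (`uses: owner/action@<full-commit-sha> # vX.Y.Z`, placeholder)
# keeps a change on the upstream branch from altering what runs here while
# registry credentials are in scope.
jobs:
  # Test building on multiple architectures (no push) before anything is published.
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
    strategy:
      matrix:
        platform: [linux/amd64, linux/arm64]
    steps:
      - name: Check out repository
        uses: actions/checkout@main
      - name: Set up QEMU
        uses: docker/setup-qemu-action@master
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@master
      - name: Test build for ${{ matrix.platform }}
        uses: docker/build-push-action@master
        with:
          context: .
          platforms: ${{ matrix.platform }}
          push: false
          # Per-platform cache scope so the two matrix legs do not overwrite each other.
          cache-from: type=gha,scope=${{ matrix.platform }}
          cache-to: type=gha,mode=max,scope=${{ matrix.platform }}
  # Build both platforms once and push the result to Docker Hub and GHCR.
  publish:
    needs: test
    runs-on: ubuntu-latest
    if: ${{ github.event_name != 'pull_request' }}
    permissions:
      packages: write
      contents: read
      actions: read
      # NOTE(review): no step in this job calls an actions/attest-* action; the
      # provenance/sbom inputs of build-push-action attach BuildKit attestations
      # to the image and do not use this permission. Confirm and drop it if unused.
      attestations: write
    steps:
      - name: Check out repository
        uses: actions/checkout@main
      # Lint before any registry login, so a lint failure never runs a job with
      # credentials already loaded.
      - name: Lint Dockerfile
        run: make lint
      - name: Log in to Docker Hub
        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@master
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata for images
        id: meta
        uses: docker/metadata-action@master
        with:
          images: |
            ${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
            ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
          # manually handle the 'latest' tag
          flavor: |
            latest=false
          tags: |
            type=raw,value=latest
            type=sha,format=short
          labels: |
            org.opencontainers.image.licenses=MIT
            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
            org.opencontainers.image.description=A Docker image with various network tools pre-installed
      - name: Set up QEMU
        uses: docker/setup-qemu-action@master
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@master
      - name: Build and push images
        uses: docker/build-push-action@master
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: true
          sbom: true
  # Remove old image versions from both registries (per --keep-latest 25 below).
  prune:
    needs: publish
    runs-on: ubuntu-latest
    if: ${{ github.event_name != 'pull_request' }}
    permissions:
      packages: write
      contents: read
    # Registry credentials are scoped to the single step that needs them rather
    # than the whole job, so checkout and dependency installation never see them.
    steps:
      - name: Checkout Git repository
        uses: actions/checkout@main
      - name: Setup Python
        uses: actions/setup-python@main
        with:
          python-version: '3.13'
          cache: 'pip'
          cache-dependency-path: 'scripts/prune/requirements.txt'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install --requirement scripts/prune/requirements.txt
      - name: Prune old images
        env:
          GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        # IMAGE_NAME is read from the environment rather than interpolated into the
        # shell command, the recommended pattern for values used inside `run:`.
        run: python scripts/prune/main.py --container "$IMAGE_NAME" --registry all --keep-latest 25 --verbose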