Feature/improved auto workflows #1
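---
# Builds the multi-arch python-container-builder images for each supported
# Python/Debian pair, pushes them to GHCR (never on pull requests), then
# scans and smoke-tests every published tag.
name: Build & Deploy

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:

# Least-privilege default for the GITHUB_TOKEN; jobs that need more declare
# it explicitly below.
permissions:
  contents: read

# Serialise runs per ref so two pushes to main cannot race each other while
# publishing the per-version and ':latest' tags. Runs are queued rather than
# cancelled so an in-flight publish always completes.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

jobs:
  build:
    name: Build & Deploy
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        include:
          - python_version: "3.9"
            debian_version: "bullseye"
          - python_version: "3.10"
            debian_version: "bullseye"
          - python_version: "3.11"
            debian_version: "bookworm"
          - python_version: "3.12"
            debian_version: "bookworm"
          - python_version: "3.13"
            debian_version: "bookworm"
          - python_version: "3.14"
            debian_version: "bookworm"
    steps:
      # NOTE(review): third-party actions are pinned to mutable major tags.
      # To harden the supply chain, pin each `uses:` to a full commit SHA and
      # keep the version as a trailing comment, e.g.
      # `uses: actions/checkout@<FULL-COMMIT-SHA>  # <version>` (placeholders).
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: all
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # On pull requests nothing is pushed (see `push:` below), so this login
      # is only needed there if the Dockerfile pulls private base images from
      # GHCR — TODO confirm; otherwise gate it with
      # `if: github.event_name != 'pull_request'`.
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push Docker images
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile
          platforms: linux/amd64,linux/arm64
          # Pull requests build only; pushes to main and manual runs publish.
          push: ${{ github.event_name != 'pull_request' }}
          build-args: |
            DEBIAN_VERSION=${{ matrix.debian_version }}
            PYTHON_VERSION=${{ matrix.python_version }}
          # NOTE(review): GHCR image paths must be lowercase; if the
          # repository owner contains uppercase letters this tag has to be
          # lowercased before use — confirm for this organisation.
          # The 3.14 entry additionally publishes ':latest'. Every other
          # entry yields an empty second line, which build-push-action is
          # expected to drop from the tag list — TODO confirm.
          tags: |
            ghcr.io/${{ github.repository_owner }}/python-container-builder:${{ matrix.python_version }}
            ${{ matrix.python_version == '3.14' && format('ghcr.io/{0}/python-container-builder:latest', github.repository_owner) || '' }}
          # Disables the SLSA provenance attestation, so consumers cannot
          # verify how these images were built. Presumably set to keep the
          # attestation manifests out of the image index — if the annotation
          # below is the only reason, consider re-enabling it.
          provenance: false
          # The OCI description annotation is placed on the image index.
          outputs: type=image,name=python-container-builder,annotation-index.org.opencontainers.image.description=build your Python distroless containers with this

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    needs: build
    if: github.event_name != 'pull_request'
    permissions:
      contents: read
      security-events: write
    # Scan every published tag, not only ':latest' (which is the 3.14 image).
    strategy:
      fail-fast: false
      matrix:
        python_version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
    env:
      IMAGE: ghcr.io/${{ github.repository_owner }}/python-container-builder:${{ matrix.python_version }}
    steps:
      # TODO(review): '@master' is a floating branch, so the scanner can
      # change underneath this workflow. Pin to a release tag or full commit
      # SHA: `uses: aquasecurity/trivy-action@<TAG-OR-SHA>` (placeholder).
      # NOTE(review): the image is pulled anonymously; if the GHCR package
      # is private this step needs registry credentials — confirm.
      # Trivy's default exit code is 0, so findings are reported to the
      # Security tab but do not fail the job.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
          # One category per matrix entry; without it each upload replaces
          # the previous one in the Security tab.
          category: trivy-python-${{ matrix.python_version }}
      - name: Print Trivy results summary
        uses: aquasecurity/trivy-action@master
        if: always()
        with:
          image-ref: ${{ env.IMAGE }}
          format: 'table'
          severity: 'CRITICAL,HIGH'

  test:
    name: Test Images
    runs-on: ubuntu-latest
    needs: build
    if: github.event_name != 'pull_request'
    permissions:
      contents: read
    # NOTE(review): these checks only run against images already pushed to
    # GHCR, so pull requests get no smoke test; running them on PRs would
    # require loading the PR build into the local Docker daemon instead.
    strategy:
      fail-fast: false
      matrix:
        python_version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
    # Single definition of the image under test; every step reads "$IMAGE".
    env:
      IMAGE: ghcr.io/${{ github.repository_owner }}/python-container-builder:${{ matrix.python_version }}
    steps:
      - name: Test Python version
        run: |
          docker run --rm "$IMAGE" python --version
      - name: Test uv is installed
        run: |
          docker run --rm "$IMAGE" uv --version
      - name: Test poetry is installed
        run: |
          docker run --rm "$IMAGE" poetry --version
      - name: Test pipenv is installed
        run: |
          docker run --rm "$IMAGE" pipenv --version
      - name: Test pdm is installed
        run: |
          docker run --rm "$IMAGE" pdm --version
      - name: Test venv is created
        run: |
          docker run --rm "$IMAGE" sh -c 'test -d /.venv && echo "venv exists"'
      # The two installs below need network access from inside the container
      # and exercise the venv's package managers end to end.
      - name: Test package installation with uv
        run: |
          docker run --rm "$IMAGE" sh -c 'uv pip install requests && python -c "import requests; print(f\"requests {requests.__version__} imported successfully\")"'
      - name: Test package installation with pip
        run: |
          docker run --rm "$IMAGE" sh -c 'pip install click && python -c "import click; print(f\"click {click.__version__} imported successfully\")"'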