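---
# CI for filmbot: format/lint/build the Rust crate, verify the Dockerfile's
# base images, build (and on push/manual runs publish, sign and re-tag) the
# container image, and smoke-test it.
name: ci

# Quoted: a bare `on` is read as a YAML 1.1 boolean by generic parsers.
"on":
  workflow_dispatch:
  push:
    branches:
      - master
    # NOTE: `.github/workflows/*` is ignored here, so an edit to this file
    # alone does not trigger a run and is not exercised by CI.
    paths-ignore:
      - LICENSE
      - README.md
      - fly.toml
      - '.gitignore'
      - '.github/workflows/*'
      - '.github/dependabot.yaml'
  pull_request:
    branches:
      - master
    paths-ignore:
      - LICENSE
      - README.md
      - fly.toml
      - '.gitignore'
      - '.github/workflows/*'
      - '.github/dependabot.yaml'

# GITHUB_TOKEN scope: read the checkout, mint an OIDC token for cosign,
# push to GHCR. There is a single job, so workflow-level scope is the same
# as job-level scope here.
permissions:
  contents: read
  id-token: write
  packages: write

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

# An explicit `shell: bash` runs every `run:` step with `-eo pipefail`. The
# implicit default shell has `-e` but no `pipefail`, so a non-zero exit of the
# first command in `cosign ... | jq .` or `curl ... | jq` would be masked by
# the successful exit of `jq` and the step would pass.
defaults:
  run:
    shell: bash

jobs:
  build:
    name: build filmbot
    runs-on: ubuntu-latest
    steps:
      # Every third-party action below is pinned to a commit SHA, not a tag.
      - name: checkout project
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

      # Exposes the newest upstream stable tag and the toolchain on the runner
      # as step outputs; both feed the cache key and the update decision below.
      - name: rust stable latest
        id: rust
        run: |
          # Unauthenticated API call. If it is rate-limited the body has no
          # tag_name, `latest` becomes "null", the cache key misses and the
          # "update toolchain" step simply runs.
          latest="$(curl -sL https://api.github.com/repos/rust-lang/rust/releases/latest | jq -r .tag_name)"
          echo "rust stable latest: ${latest}"
          echo "stable_latest=${latest}" >> "$GITHUB_OUTPUT"
          # Assign before printing, otherwise the log line shows an empty value.
          used="$(cargo --version | awk '{print $2}')"
          echo "rust stable used: ${used}"
          echo "stable_used=${used}" >> "$GITHUB_OUTPUT"

      - name: check cache
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
        id: cache
        with:
          path: |
            ~/.cargo/
            ~/.rustup/
            target/
          key: ${{ runner.os }}-rust-${{ steps.rust.outputs.stable_latest }}-${{ hashFiles('Cargo.toml') }}-${{ hashFiles('Cargo.lock') }}

      - name: update toolchain
        if: steps.rust.outputs.stable_latest != steps.rust.outputs.stable_used
        run: |
          rustup update stable

      - name: cargo fmt
        run: |
          cargo fmt -- --check --verbose

      - name: cargo clippy
        run: |
          cargo clippy --locked --workspace

      - name: build filmbot
        run: |
          cargo build --release --locked

      - name: install cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4

      # Checks the signature on the base image(s) referenced by the Dockerfile
      # against the chainguard-images release workflow identity. The trailing
      # `| jq .` is only pretty-printing; `pipefail` (see `defaults`) keeps a
      # failed verification from being hidden behind jq's exit status.
      - name: verify base images
        run: |
          cosign dockerfile verify \
            --certificate-identity \
            'https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main' \
            --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
            Dockerfile | jq .

      - name: docker buildx
        id: buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226

      # Registry login only on events that push; pull_request runs never push.
      - name: login ghcr.io
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: docker metadata
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
        with:
          images: ${{ env.IMAGE_NAME }}

      # push/sbom/provenance are enabled only for push and manual runs;
      # pull_request runs instead `load` the image into the local daemon so
      # the PR smoke test can run it by tag.
      - name: build filmbot (devel)
        id: docker
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
        with:
          context: .
          push: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:devel
          labels: ${{ steps.meta.outputs.labels }}
          builder: ${{ steps.buildx.outputs.name }}
          sbom: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
          provenance: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
          load: ${{ github.event_name == 'pull_request' }}

      # Smoke test (pushed image, addressed by immutable digest). The container
      # is started with no configuration and its exit status is ignored; the
      # grep expects the output to mention TELOXIDE_TOKEN (presumably a
      # missing-token error), which shows the binary started and its runtime
      # dependencies resolved. The `${{ }}` values interpolated into the shell
      # here are the registry, repository name and build digest, none of which
      # come from event payload text.
      - name: smoke test
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
        run: |
          set -x
          # only ensure runtime deps are ok
          docker run --rm \
            "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.docker.outputs.digest }}" &> filmbot.log || true
          cat filmbot.log
          grep --quiet --fixed-strings "TELOXIDE_TOKEN" filmbot.log

      # Same check for pull_request runs, against the locally loaded :devel tag.
      - name: smoke test
        if: github.event_name == 'pull_request'
        run: |
          set -x
          # only ensure runtime deps are ok
          docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:devel &> filmbot.log || true
          cat filmbot.log
          grep --quiet --fixed-strings "TELOXIDE_TOKEN" filmbot.log

      # Signs the pushed digest (not the mutable tag). No --key is given, so
      # this is cosign's keyless flow backed by the id-token permission above.
      - name: cosign filmbot
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
        run: |
          cosign sign -y "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.docker.outputs.digest }}"

      - name: install crane
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c

      # Adds the `latest` tag to the manifest already pushed as `:devel`.
      - name: tag filmbot (latest)
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
        run: |
          crane tag "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:devel" latest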