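# CI workflow for the container image.
#   build_and_test  - build the image (no push) on every push to main and on
#                     every pull request
#   release         - on pushes to main only: conventional-commits changelog,
#                     version bump and GitHub release
#   publish         - on pushes to main only, when a release was cut: build the
#                     multi-arch image, push it to GHCR, scan it with Trivy and
#                     upload the SARIF to the Security tab
#
# GITHUB_TOKEN permissions are declared per job (least privilege); nothing is
# granted at the workflow level, so the pull_request-triggered job never holds
# write scopes.
name: CI

on:
  push:
    branches:
      - "main"
  # No activity types listed: GitHub's default set (opened/synchronize/reopened).
  pull_request:

env:
  # Image name under ghcr.io/<owner>/; also used for the Trivy image-ref below.
  APP_NAME: github-actions-runner

jobs:
  build_and_test:
    name: Build and Test
    runs-on: ubuntu-latest
    # Also runs for pull_request events, so it gets read access only.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3
      - name: Build Container
        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6
        with:
          context: .
          # Build-only smoke test; publishing happens in the publish job.
          push: false

  release:
    name: Release
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    needs:
      - build_and_test
    permissions:
      # softprops/action-gh-release creates the GitHub release with GITHUB_TOKEN.
      # The changelog commit/tag push uses the App token generated below instead.
      contents: write
    outputs:
      skipped: ${{ steps.changelog.outputs.skipped }}
      tag: ${{ steps.changelog.outputs.tag }}
      clean_changelog: ${{ steps.changelog.outputs.clean_changelog }}
      version: ${{ steps.changelog.outputs.version }}
    steps:
      - name: Generate GitHub App Token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
        id: generate-token
        with:
          app_id: ${{ secrets.BRAID_BOT_APP_ID }}
          private_key: ${{ secrets.BRAID_BOT_PRIVATE_KEY }}
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          # No explicit ref: this job only runs on push events, where
          # github.head_ref is empty, so the triggering ref is checked out anyway.
          # The App token is persisted in the git config so the changelog
          # action's push is authored by the bot; presumably chosen over
          # GITHUB_TOKEN so that the push can trigger downstream workflows.
          token: ${{ steps.generate-token.outputs.token }}
      - name: Conventional Changelog Action
        id: changelog
        uses: TriPSs/conventional-changelog-action@3a392e9aa44a72686b0fc13259a90d287dd0877c # v5
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          git-user-name: "braid-bot[bot]"
          git-user-email: "169546839+braid-bot[bot]@users.noreply.github.com"
          # Action inputs are strings; quoted to keep them from being
          # re-typed as YAML booleans by formatters.
          skip-git-pull: "true"
          # "false": a release is produced even when no conventional commits
          # landed since the last tag.
          skip-on-empty: "false"
          release-count: 10
          version-file: package.yaml
          create-summary: true
      - name: Generate Release
        if: ${{ steps.changelog.outputs.skipped == 'false' }}
        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2
        with:
          tag_name: ${{ steps.changelog.outputs.tag }}
          name: ${{ steps.changelog.outputs.tag }}
          generate_release_notes: true
          body: ${{ steps.changelog.outputs.clean_changelog }}

  publish:
    name: Publish
    # The event check here makes the per-step pull_request guards unnecessary.
    if: github.event_name != 'pull_request' && needs.release.outputs.skipped == 'false'
    runs-on: ubuntu-latest
    needs:
      - release
    permissions:
      contents: read
      # docker/login-action + push to ghcr.io
      packages: write
      # github/codeql-action/upload-sarif (private repositories additionally
      # need `actions: read` for SARIF upload - confirm against the repo type)
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - name: Login to GitHub Container Registry
        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker Metadata
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
        with:
          images: |
            ghcr.io/${{ github.repository_owner }}/${{ env.APP_NAME }}
          # Three tags per image: moving "latest", the released version, and
          # the immutable commit SHA (the one the Trivy step scans).
          tags: |
            latest
            ${{ needs.release.outputs.version }}
            ${{ github.sha }}
      - name: Setup QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3
      - name: Build and push
        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          # Disables BuildKit provenance attestations. NOTE(review): this drops
          # SLSA provenance for the published image; confirm it is intentional
          # (commonly done to avoid extra attestation manifests in the index).
          provenance: false
          # Always true here: the job-level `if` already excludes pull requests.
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      - name: Run Trivy Vulnerability Scanner
        # TODO: the only action here not pinned to a commit SHA; pin it like the
        # others once a SHA is chosen (<trivy-action commit SHA> # vX.Y.Z).
        uses: aquasecurity/trivy-action@master
        with:
          # Scans the image that was pushed above, by its immutable SHA tag.
          # trivy-action's default exit-code is 0, so HIGH/CRITICAL findings are
          # reported via the SARIF upload but do not fail this job.
          image-ref: ghcr.io/${{ github.repository_owner }}/${{ env.APP_NAME }}:${{ github.sha }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          vuln-type: 'os,library'
          severity: "HIGH,CRITICAL"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3
        with:
          sarif_file: 'trivy-results.sarif'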