-
Notifications
You must be signed in to change notification settings - Fork 0
134 lines (115 loc) · 5.19 KB
/
dockerimage.yml
File metadata and controls
134 lines (115 loc) · 5.19 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: Lua Docker - Image CI
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
# Add permissions needed for GitHub Container Registry
permissions:
contents: read
packages: write
attestations: write
id-token: write
jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
lua-version: ['5.1.4', '5.2.3', '5.3.4', '5.4.7']
luarocks-version: ['3.11.1']
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Set image name variables
id: image_names
run: |
DOCKERHUB_IMAGE="evandarwin/lua"
# Convert GitHub repository owner to lowercase using tr
OWNER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
GHCR_IMAGE="ghcr.io/${OWNER}/lua"
echo "dockerhub_image=$DOCKERHUB_IMAGE" >> $GITHUB_OUTPUT
echo "ghcr_image=$GHCR_IMAGE" >> $GITHUB_OUTPUT
- name: Login to Docker Hub
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract version components
id: version
run: |
FULL_VERSION=${{ matrix.lua-version }}
MAJOR_VERSION=$(echo $FULL_VERSION | cut -d'.' -f1)
MAJOR_MINOR_VERSION=$(echo $FULL_VERSION | cut -d'.' -f1,2)
echo "full_version=$FULL_VERSION" >> $GITHUB_OUTPUT
echo "major_version=$MAJOR_VERSION" >> $GITHUB_OUTPUT
echo "major_minor_version=$MAJOR_MINOR_VERSION" >> $GITHUB_OUTPUT
- name: Install Syft for SBOM generation
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
- name: Extract metadata from Docker Hub
uses: docker/metadata-action@v4
with:
images: ${{ steps.image_names.outputs.dockerhub_image }},${{ steps.image_names.outputs.ghcr_image }}
- name: Build and push
id: push
uses: docker/build-push-action@v4
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: |
${{ steps.image_names.outputs.dockerhub_image }}:${{ steps.version.outputs.full_version }}
${{ steps.image_names.outputs.dockerhub_image }}:${{ steps.version.outputs.major_minor_version }}
${{ steps.image_names.outputs.dockerhub_image }}:${{ steps.version.outputs.major_version }}
${{ matrix.lua-version == '5.4.7' && format('{0}:latest', steps.image_names.outputs.dockerhub_image) || '' }}
${{ steps.image_names.outputs.ghcr_image }}:${{ steps.version.outputs.full_version }}
${{ steps.image_names.outputs.ghcr_image }}:${{ steps.version.outputs.major_minor_version }}
${{ steps.image_names.outputs.ghcr_image }}:${{ steps.version.outputs.major_version }}
${{ matrix.lua-version == '5.4.7' && format('{0}:latest', steps.image_names.outputs.ghcr_image) || '' }}
# Enable provenance attestation for both registries
provenance: mode=max
outputs: |
type=image,name=${{ steps.image_names.outputs.dockerhub_image }}:${{ steps.version.outputs.full_version }}
build-args: |
BUILD_DATE=${{ github.event.repository.updated_at }}
VCS_REF=${{ github.sha }}
LUA_VERSION=${{ matrix.lua-version }}
LUAROCKS_VERSION=${{ matrix.luarocks-version }}
- name: Generate artifact attestation for Docker Hub
uses: actions/attest-build-provenance@v2
with:
subject-name: index.docker.io/${{ steps.image_names.outputs.dockerhub_image }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
- name: Generate artifact attestation for GitHub Container Registry
uses: actions/attest-build-provenance@v2
with:
subject-name: ghcr.io/${{ steps.image_names.outputs.ghcr_image }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
- name: Generate SBOM
if: github.event_name != 'pull_request'
run: |
# Create output directory
mkdir -p sbom
# Generate SBOM in multiple formats
syft ${{ steps.image_names.outputs.dockerhub_image }}:${{ steps.version.outputs.full_version }} -o spdx-json=sbom/spdx.json
syft ${{ steps.image_names.outputs.dockerhub_image }}:${{ steps.version.outputs.full_version }} -o cyclonedx-json=sbom/cyclonedx.json
# Optional: Generate human-readable text version
syft ${{ steps.image_names.outputs.dockerhub_image }}:${{ steps.version.outputs.full_version }} -o text=sbom/sbom.txt
- name: Upload SBOM as artifact
if: github.event_name != 'pull_request'
uses: actions/upload-artifact@v4
with:
name: sbom-files-${{ matrix.lua-version }}
path: sbom/
retention-days: 90