nicolabs/vegardit-docker-openldap
1
0
Fork 0
mirror of https://github.com/vegardit/docker-openldap.git synced 2026-04-10 03:54:26 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
vegardit-docker-openldap/.github/workflows/build.yml
sebthom 4ba8a959a0
Some checks are pending
Build / build (push) Waiting to run
Details
Build / delete-untagged-images (push) Blocked by required conditions
Details
ci: harden build workflow
2026-03-24 20:18:14 +01:00

191 lines
5.7 KiB
YAML
Raw Blame History

# SPDX-FileCopyrightText: © Vegard IT GmbH (https://vegardit.com)
# SPDX-FileContributor: Sebastian Thomschke
# SPDX-License-Identifier: Apache-2.0
# SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-openldap
#
# https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax
name: Build
on: # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows
schedule:
# https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#schedule
- cron: '0 17 * * 3'
push:
branches-ignore: # build all branches except:
- 'dependabot/**' # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR)
tags-ignore: # don't build tags
- '**'
paths-ignore:
- '**/*.adoc'
- '**/*.md'
- '.editorconfig'
- '.git*'
- '.github/*.yml'
- '.github/ISSUE_TEMPLATE/*'
- '.github/workflows/stale.yml'
pull_request:
paths-ignore:
- '**/*.adoc'
- '**/*.md'
- '.editorconfig'
- '.git*'
- '.github/ISSUE_TEMPLATE/*'
- '.github/*.yml'
- '.github/workflows/stale.yml'
workflow_dispatch:
# https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflow_dispatch
defaults:
run:
shell: bash
env:
DOCKER_REPO_NAME: openldap
TRIVY_CACHE_DIR: ~/.trivy/cache
permissions: # added using https://github.com/step-security/secure-repo
contents: read
jobs:
###########################################################
build:
###########################################################
runs-on: ubuntu-latest # https://github.com/actions/runner-images#available-images
timeout-minutes: 30
permissions:
packages: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: "Show: GitHub context"
env:
GITHUB_CONTEXT: ${{ toJSON(github) }}
run: echo $GITHUB_CONTEXT
- name: "Show: environment variables"
run: env | sort
- name: Git Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Run the sh-checker
uses: luizm/action-sh-checker@883217215b11c1fabbf00eb1a9a041f62d74c744 # master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHFMT_OPTS: --simplify --keep-padding
with:
sh_checker_comment: true
sh_checker_checkbashisms_enable: true
sh_checker_shfmt_disable: true
- name: Check Dockerfile
uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
with:
dockerfile: image/Dockerfile
- name: Cache trivy cache
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ${{ env.TRIVY_CACHE_DIR }}
# https://github.com/actions/cache/issues/342#issuecomment-673371329
key: ${{ runner.os }}-trivy-${{ github.run_id }}
restore-keys: |
${{ runner.os }}-trivy-
- name: Configure fast APT repository mirror
uses: vegardit/fast-apt-mirror.sh@29a5ef3401107220fc3c32a0c659b6a1211f9e0f # v1
- name: Install dos2unix
run: sudo apt-get install --no-install-recommends -y dos2unix
- name: "Determine if docker images shall be published"
id: docker_push_actions
run: |
# ACT -> https://nektosact.com/usage/index.html#skipping-steps
set -x
if [[ $GITHUB_REF_NAME == 'main' && $GITHUB_EVENT_NAME != 'pull_request' && -z "$ACT" ]]; then
echo "DOCKER_PUSH_GHCR=true" >> "$GITHUB_ENV"
echo "DOCKER_PUSH_GHCR=true" >> $GITHUB_OUTPUT
if [[ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ]]; then
echo "DOCKER_PUSH=true" >> "$GITHUB_ENV"
fi
fi
- name: Login to docker.io
if: ${{ env.DOCKER_PUSH }}
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Login to ghcr.io
if: ${{ env.DOCKER_PUSH_GHCR }}
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build docker image
env:
DOCKER_IMAGE_REPO: ${{ github.repository_owner }}/${{ env.DOCKER_REPO_NAME }}
TRIVY_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: bash build-image.sh
outputs:
DOCKER_PUSH_GHCR: ${{ steps.docker_push_actions.outputs.DOCKER_PUSH_GHCR }}
###########################################################
delete-untagged-images:
###########################################################
runs-on: ubuntu-latest # https://github.com/actions/runner-images#available-images
timeout-minutes: 5
needs: [build]
if: ${{ needs.build.outputs.DOCKER_PUSH_GHCR }}
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
permissions:
packages: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Delete untagged images
uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 # v1.0.16
with:
package: ${{ env.DOCKER_REPO_NAME }}
delete-untagged: true
delete-partial-images: true
delete-ghost-images: true
delete-orphaned-images: true
validate: true
Reference in a new issue View git blame Copy permalink