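# Builds the Docker images, runs Trivy against them, and (on push events only)
# bakes and pushes the multiarch variants to the registry. A manual run
# (workflow_dispatch) builds the commit supplied as input instead of the event ref.
name: Build Docker Images

permissions:
  contents: read
  packages: read
  # NOTE(review): presumably required by ./.github/actions/trivy to upload scan
  # results to code scanning — confirm against that action's definition.
  security-events: write

on:
  push:
    branches:
      - main
      - release/*
      - cloud/*
  pull_request:
    branches:
      - main
  workflow_dispatch:
    inputs:
      commit:
        description: "Commit sha"
        required: true

jobs:
  build-push-images:
    runs-on: ubuntu-latest-16-cores
    # Usually, a successful job takes ~17 mins.
    # Anything more than 30 mins is a sign that job is stuck.
    # This is a workaround until we find the root cause.
    timeout-minutes: 30
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: "true"
          # Manual runs check out the requested commit; every other event uses its own ref.
          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.commit || '' }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        # Skipped when the workflow runs locally under act (which sets env.ACT).
        if: ${{ !env.ACT }}
        # NOTE(review): this action is pinned to a major tag, not a commit SHA;
        # pinning third-party actions to a full SHA gives a stronger supply-chain guarantee.
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PAT }}
      - name: Set SHA when dispatched
        # The dispatch input is handed to the shell through an environment
        # variable instead of being interpolated into the script text, so its
        # value is treated as data rather than as part of the command.
        env:
          DISPATCH_COMMIT: ${{ github.event.inputs.commit }}
        run: |
          SHA=$([ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ] && echo "${DISPATCH_COMMIT}" || echo "${GITHUB_SHA}")
          echo "SHA=${SHA}" >> "$GITHUB_ENV"
      - name: Prepare build args
        id: build_args
        # Exports IMAGE_TAG, TEMPORAL_SHA, TCTL_SHA and TAG_LATEST to later steps
        # and publishes the branch name as a step output.
        run: |
          github_sha_short=${SHA:0:7}
          echo "IMAGE_TAG=sha-${github_sha_short}" >> "$GITHUB_ENV"
          # `git submodule status` prefixes the hash with '+' or '-' when a submodule is
          # not at the recorded commit; with submodules checked out above, field 1 is the bare hash.
          TEMPORAL_SHA=$(git submodule status -- temporal | awk '{print $1}')
          echo "TEMPORAL_SHA=${TEMPORAL_SHA}" >> "$GITHUB_ENV"
          TCTL_SHA=$(git submodule status -- tctl | awk '{print $1}')
          echo "TCTL_SHA=${TCTL_SHA}" >> "$GITHUB_ENV"
          # The expression below evaluates to the literal 'true' or 'false'.
          TAG_LATEST=${{(github.event_name == 'push' && github.ref == 'refs/heads/main') && 'true' || 'false'}}
          echo "TAG_LATEST=${TAG_LATEST}" >> "$GITHUB_ENV"
          # Pull requests carry the source branch in GITHUB_HEAD_REF; pushes only have GITHUB_REF.
          echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"
          cat "$GITHUB_OUTPUT"
      - uses: actions/setup-go@v5
        with:
          cache-dependency-path: "**/*.sum"
          go-version-file: 'temporal/go.mod'
      # You can't use `load` when building a multiarch image, so we build and load the
      # native image and build multiarch images later
      - name: Bake native images for security scanning
        run: BAKE_OUTPUT=docker make build-native
      - name: Bake and push multiarch images
        # Only push events publish; pull requests and local act runs stop at the native build.
        if: ${{ github.event_name == 'push' && !env.ACT }}
        run: BAKE_OUTPUT=registry make build
      # TODO: can we loop this somehow?
      # The image tags below depend on IMAGE_TAG exported by the "Prepare build args" step.
      - name: Run Trivy vulnerability scanner on Server image
        uses: ./.github/actions/trivy
        with:
          image-tags: temporaliotest/server:${{ env.IMAGE_TAG }}
          image-name: server
      - name: Run Trivy vulnerability scanner on Admin Tools image
        if: ${{ github.event_name == 'push' && !env.ACT }}
        uses: ./.github/actions/trivy
        with:
          image-tags: temporaliotest/admin-tools:${{ env.IMAGE_TAG }}
          image-name: admin-tools
      - name: Run Trivy vulnerability scanner on Auto Setup image
        if: ${{ github.event_name == 'push' && !env.ACT }}
        uses: ./.github/actions/trivy
        with:
          image-tags: temporaliotest/auto-setup:${{ env.IMAGE_TAG }}
          image-name: auto-setup
      - name: Ensure images work
        # IMAGE_TAG is already in the step environment, so the shell variable is used
        # directly rather than re-interpolating it through an expression.
        run: make IMAGE_TAG="${IMAGE_TAG}" test
      - name: Upload compose logs
        # Runs even when earlier steps failed, and never fails the job itself.
        if: always()
        continue-on-error: true
        # NOTE(review): upload-artifact v3 has been deprecated upstream; verify it still runs.
        uses: actions/upload-artifact@v3
        with:
          name: docker-compose-logs
          path: docker-compose.log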