container-build #187
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: container-build | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| container_registry_push: | |
| description: "Push the image to Container Registry" | |
| type: boolean | |
| required: false | |
| default: false | |
| container_image_skip_vulnerability_checks: | |
| description: "Skip image (vulnerability) scanner" | |
| type: boolean | |
| required: false | |
| default: false | |
| container_image_expires_after: | |
| description: "Expires after (days) [or 'Never']" | |
| type: string | |
| required: false | |
| default: "Never" | |
| push_to_ghcr: | |
| description: "If 'Push the image to Container Registry' is enabled - push image to ghcr.io too" | |
| type: boolean | |
| required: false | |
| default: true | |
| push: | |
| tags: | |
| # For code tagging use 'v' prefix, but 'v' prefix should not be part of container tag | |
| - "v[0-9]+.[0-9]+.[0-9]+*" | |
| paths: | |
| - Dockerfile | |
| schedule: | |
| - cron: "0 0 * * 0" | |
| permissions: | |
| actions: read | |
| contents: write | |
| id-token: write | |
| packages: write | |
| jobs: | |
| container-build-pipeline: | |
| name: "💡 ${{ matrix.container_image_dockerfile_location }}" | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - container_image: quay.io/petr_ruzicka/malware-cryptominer-container | |
| container_image_repository_url: https://quay.io/repository/petr_ruzicka/malware-cryptominer-container?tab=tags | |
| container_image_dockerfile_location: Dockerfile | |
| # This is the "default Dockerfile", which will create tags without any suffix (like 'latest') | |
| container_image_tag_suffix: "" | |
| container_image_platforms: linux/amd64,linux/arm64,linux/arm/v7 | |
| container_image_logo_url: https://raw.githubusercontent.com/MISP/intelligence-icons/513abc840b7ac92e4f8a4a7ecab2964007bf25f5/svg/threat_actor.svg | |
| uses: ruzickap/container-build/.github/workflows/container-build-reusable-workflow.yml@main | |
| with: | |
| container_image_dockerfile_location: ${{ matrix.container_image_dockerfile_location }} | |
| container_image_tag_suffix: ${{ matrix.container_image_tag_suffix }} | |
| # The following variables can not be easily taken to `env` variables, because it is not supported :-( | |
| container_image_destination: ${{ matrix.container_image }} | |
| container_image_platforms: ${{ matrix.container_image_platforms }} | |
| container_image_product_id: 12345 | |
| container_image_vendor: MyCompany | |
| container_image_authors: [email protected] | |
| container_image_authors_name: Petr Ruzicka | |
| container_image_logo_url: ${{ matrix.container_image_logo_url }} | |
| container_image_repository_url: ${{ matrix.container_image_repository_url }} | |
| container_image_expires_after: ${{ inputs.container_image_expires_after || 'Never' }} # days | |
| # https://github.com/actions/runner/issues/1483 (there are no "inputs" when not running using 'workflow_dispatch') | |
| container_image_skip_vulnerability_checks: ${{ inputs.container_image_skip_vulnerability_checks == true && true || false }} | |
| container_registry_push: ${{ startsWith(github.ref, 'refs/tags/') || github.event_name == 'schedule' || inputs.container_registry_push }} | |
| push_to_ghcr: ${{ startsWith(github.ref, 'refs/tags/') || github.event_name == 'schedule' || ( inputs.container_registry_push && inputs.push_to_ghcr ) }} | |
| secrets: | |
| container_registry_user: ${{ secrets.CONTAINER_REGISTRY_USER }} | |
| container_registry_password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }} | |
| # Snyk credentials (optional) | |
| snyk_token: ${{ secrets.SNYK_TOKEN }} | |
| create-release: | |
| runs-on: ubuntu-latest | |
| if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Create Release | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -euxo pipefail | |
| gh release create ${{ github.ref_name }} --generate-notes |