name: Docker on: push: branches: - master tags: - v[0-9]+.[0-9]+.[0-9]+ pull_request: jobs: docker: name: Docker runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 - name: Calculate Docker image tags id: tags env: DOCKER_IMAGES: "ghcr.io/dexidp/dex dexidp/dex" run: | case $GITHUB_REF in refs/tags/*) VERSION=${GITHUB_REF#refs/tags/};; refs/heads/*) VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g');; refs/pull/*) VERSION=pr-${{ github.event.number }};; *) VERSION=sha-${GITHUB_SHA::8};; esac TAGS=() for image in $DOCKER_IMAGES; do TAGS+=("${image}:${VERSION}") if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then TAGS+=("${image}:latest") fi done echo ::set-output name=version::${VERSION} echo ::set-output name=tags::$(IFS=,; echo "${TAGS[*]}") echo ::set-output name=commit_hash::${GITHUB_SHA::8} echo ::set-output name=build_date::$(git show -s --format=%cI) - name: Set up QEMU uses: docker/setup-qemu-action@v1 with: platforms: all - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 with: install: true version: latest # TODO: Remove driver-opts once fix is released docker/buildx#386 driver-opts: image=moby/buildkit:master - name: Login to GitHub Container Registry uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ github.token }} if: github.event_name == 'push' - name: Login to Docker Hub uses: docker/login-action@v1 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} if: github.event_name == 'push' - name: Build and push uses: docker/build-push-action@v2 with: context: . platforms: linux/amd64,linux/arm/v7,linux/arm64 cache-from: type=gha cache-to: type=gha,mode=max push: ${{ github.event_name == 'push' }} tags: ${{ steps.tags.outputs.tags }} build-args: | VERSION=${{ steps.tags.outputs.version }} COMMIT_HASH=${{ steps.tags.outputs.commit_hash }} BUILD_DATE=${{ steps.tags.outputs.build_date }} labels: | org.opencontainers.image.title=${{ github.event.repository.name }} org.opencontainers.image.description=${{ github.event.repository.description }} org.opencontainers.image.url=${{ github.event.repository.html_url }} org.opencontainers.image.source=${{ github.event.repository.clone_url }} org.opencontainers.image.version=${{ steps.tags.outputs.version }} org.opencontainers.image.created=${{ steps.tags.outputs.build_date }} org.opencontainers.image.revision=${{ github.sha }} org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }} org.opencontainers.image.documentation=https://dexidp.io/docs/ - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.2.2 with: image-ref: "ghcr.io/dexidp/dex:${{ steps.tags.outputs.version }}" format: "template" template: "@/contrib/sarif.tpl" output: "trivy-results.sarif" if: github.event_name == 'push' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: sarif_file: "trivy-results.sarif" if: github.event_name == 'push'