name: Artifacts on: push: branches: - master tags: - v[0-9]+.[0-9]+.[0-9]+ pull_request: jobs: container-images: name: Container images runs-on: ubuntu-latest strategy: matrix: variant: - alpine - distroless steps: - name: Checkout uses: actions/checkout@v3 - name: Gather metadata id: meta uses: docker/metadata-action@v4 with: images: | ghcr.io/dexidp/dex dexidp/dex flavor: | latest = false tags: | type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }} type=ref,event=pr,enable=${{ matrix.variant == 'alpine' }} type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }} type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && matrix.variant == 'alpine' }} type=ref,event=branch,suffix=-${{ matrix.variant }} type=ref,event=pr,suffix=-${{ matrix.variant }} type=semver,pattern={{raw}},suffix=-${{ matrix.variant }} type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }},suffix=-${{ matrix.variant }} labels: | org.opencontainers.image.documentation=https://dexidp.io/docs/ - name: Set up QEMU uses: docker/setup-qemu-action@v2 with: platforms: all - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 - name: Login to GitHub Container Registry uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ github.token }} if: github.event_name == 'push' - name: Login to Docker Hub uses: docker/login-action@v2 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} if: github.event_name == 'push' - name: Build and push uses: docker/build-push-action@v3 with: context: . platforms: linux/amd64,linux/arm/v7,linux/arm64 # cache-from: type=gha # cache-to: type=gha,mode=max push: ${{ github.event_name == 'push' }} tags: ${{ steps.meta.outputs.tags }} build-args: | BASE_IMAGE=${{ matrix.variant }} VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} labels: ${{ steps.meta.outputs.labels }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.2.5 with: image-ref: "ghcr.io/dexidp/dex:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}" format: "sarif" output: "trivy-results.sarif" if: github.event_name == 'push' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: sarif_file: "trivy-results.sarif" if: github.event_name == 'push'