add SemVer tag to docker image publication
1 parent
7273c89
commit cc594d4
Showing
1 changed file
with
115 additions
and
0 deletions.
@@ -0,0 +1,115 @@ | ||
name: Publish AnythingLLM Docker image on Release (amd64 & arm64) | ||
|
||
concurrency: | ||
group: build-${{ github.ref }} | ||
cancel-in-progress: true | ||
|
||
on: | ||
release: | ||
types: [published] | ||
|
||
jobs: | ||
push_multi_platform_to_registries: | ||
name: Push Docker multi-platform image to multiple registries | ||
runs-on: ubuntu-latest | ||
permissions: | ||
packages: write | ||
contents: read | ||
steps: | ||
- name: Check out the repo | ||
uses: actions/checkout@v4 | ||
|
||
- name: Check if DockerHub build needed | ||
shell: bash | ||
run: | | ||
# Check if the secret for USERNAME is set (don't even check for the password) | ||
if [[ -z "${{ secrets.DOCKER_USERNAME }}" ]]; then | ||
echo "DockerHub build not needed" | ||
echo "enabled=false" >> $GITHUB_OUTPUT | ||
else | ||
echo "DockerHub build needed" | ||
echo "enabled=true" >> $GITHUB_OUTPUT | ||
fi | ||
id: dockerhub | ||
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v3 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v3 | ||
|
||
- name: Log in to Docker Hub | ||
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a | ||
# Only login to the Docker Hub if the repo is mintplex/anythingllm, to allow for forks to build on GHCR | ||
if: steps.dockerhub.outputs.enabled == 'true' | ||
with: | ||
username: ${{ secrets.DOCKER_USERNAME }} | ||
password: ${{ secrets.DOCKER_PASSWORD }} | ||
|
||
- name: Log in to the Container registry | ||
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Extract metadata (tags, labels) for Docker | ||
id: meta | ||
uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 | ||
with: | ||
images: | | ||
${{ steps.dockerhub.outputs.enabled == 'true' && 'mintplexlabs/anythingllm' || '' }} | ||
ghcr.io/${{ github.repository }} | ||
tags: | | ||
type=semver,pattern={{version}} | ||
type=semver,pattern={{major}}.{{minor}} | ||
- name: Build and push multi-platform Docker image | ||
uses: docker/build-push-action@v6 | ||
with: | ||
context: . | ||
file: ./docker/Dockerfile | ||
push: true | ||
sbom: true | ||
provenance: mode=max | ||
platforms: linux/amd64,linux/arm64 | ||
tags: ${{ steps.meta.outputs.tags }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
cache-from: type=gha | ||
cache-to: type=gha,mode=max | ||
|
||
# For Docker scout there are some intermediary reported CVEs which exists outside | ||
# of execution content or are unreachable by an attacker but exist in image. | ||
# We create VEX files for these so they don't show in scout summary. | ||
- name: Collect known and verified CVE exceptions | ||
id: cve-list | ||
run: | | ||
# Collect CVEs from filenames in vex folder | ||
CVE_NAMES="" | ||
for file in ./docker/vex/*.vex.json; do | ||
[ -e "$file" ] || continue | ||
filename=$(basename "$file") | ||
stripped_filename=${filename%.vex.json} | ||
CVE_NAMES+=" $stripped_filename" | ||
done | ||
echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT | ||
shell: bash | ||
|
||
# About VEX attestations https://docs.docker.com/scout/explore/exceptions/ | ||
# Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications | ||
- name: Add VEX attestations | ||
env: | ||
CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }} | ||
run: | | ||
echo $CVE_EXCEPTIONS | ||
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- | ||
for cve in $CVE_EXCEPTIONS; do | ||
for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do | ||
echo "Attaching VEX exception $cve to $tag" | ||
docker scout attestation add \ | ||
--file "./docker/vex/$cve.vex.json" \ | ||
--predicate-type https://openvex.dev/ns/v0.2.0 \ | ||
$tag | ||
done | ||
done | ||
shell: bash |
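Review bot: The `Add VEX attestations` step installs Docker Scout with `curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --`, which executes an unpinned script fetched from a moving branch inside a job that holds `packages: write` and live Docker Hub and GHCR logins; pin the installer to a released version and verify its checksum, or install the CLI from a tagged release asset, before that line runs. Relatedly, the two `docker/login-action` steps are pinned to two different commit SHAs (`f4ef78c0…` and `65b78e6e…`) with no `# vX.Y.Z` comment, while `actions/checkout`, `setup-qemu-action`, `setup-buildx-action` and `build-push-action` float on major tags — pick one pinning policy for the file and annotate each SHA with its version so dependency updates stay reviewable. Finally, `for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do` wraps the whole space-joined list in a single quoted word, so the loop appears to run once and the unquoted `$tag` on the `docker scout attestation add` call expands to every tag as separate arguments; if one image per call is intended, pass the list through the step's `env:` block, e.g. `IMAGE_TAGS: ${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}`, and iterate with `for tag in $IMAGE_TAGS; do`, which also keeps the expression out of the shell script text.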