Update Alpine to 3.20.3 version to fix CVE-2024-6119 #463
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: ["main"] | |
tags: ["*"] | |
pull_request: | |
branches: ["main"] | |
schedule: | |
- cron: "0 13 * * 4" | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
############ | |
# Building # | |
############ | |
build: | |
strategy: | |
fail-fast: false | |
matrix: | |
ver: ["1.6", "1.5"] | |
dist: ["apache", "fpm"] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: docker/setup-buildx-action@v3 | |
- name: Verify Dockerfile is up-to-date | |
run: | | |
make codegen.dockerfile dir=${{ matrix.ver }}/${{ matrix.dist }} | |
git update-index --refresh | |
! git diff-index HEAD -- | grep '${{ matrix.ver }}/${{ matrix.dist }}' | |
- run: make docker.image no-cache=yes | |
DOCKERFILE=${{ matrix.ver }}/${{ matrix.dist }} | |
tag=build-${{ github.run_number }} | |
- run: make docker.tar to-file=.cache/image.tar | |
tags=build-${{ github.run_number }} | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ matrix.dist }}-${{ matrix.ver }}-${{ github.run_number }} | |
path: .cache/image.tar | |
retention-days: 1 | |
########### | |
# Testing # | |
########### | |
test: | |
needs: ["build"] | |
strategy: | |
fail-fast: false | |
matrix: | |
ver: ["1.6", "1.5"] | |
dist: ["apache", "fpm"] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- run: make npm.install | |
- uses: actions/download-artifact@v4 | |
with: | |
name: ${{ matrix.dist }}-${{ matrix.ver }}-${{ github.run_number }} | |
path: .cache/ | |
- run: make docker.untar from-file=.cache/image.tar | |
- run: make test.docker | |
DOCKERFILE=${{ matrix.ver }}/${{ matrix.dist }} | |
tag=build-${{ github.run_number }} | |
############# | |
# Releasing # | |
############# | |
push: | |
if: ${{ github.event_name == 'push' | |
&& startsWith(github.ref, 'refs/tags/') }} | |
needs: ["build", "test"] | |
strategy: | |
fail-fast: false | |
max-parallel: 1 | |
matrix: | |
registry: ["docker.io", "ghcr.io", "quay.io"] | |
dist: ["apache", "fpm"] | |
runs-on: ubuntu-latest | |
steps: | |
# Skip if this is fork and no credentials are provided. | |
- id: skip | |
run: echo "no=${{ !( | |
github.repository_owner != 'instrumentisto' | |
&& ((matrix.registry == 'quay.io' | |
&& secrets.QUAYIO_ROBOT_USER == '') | |
|| (matrix.registry == 'docker.io' | |
&& secrets.DOCKERHUB_BOT_USER == '')) | |
) }}" >> $GITHUB_OUTPUT | |
- uses: actions/checkout@v4 | |
if: ${{ steps.skip.outputs.no == 'true' }} | |
- name: Parse semver versions from Git tag | |
id: semver | |
uses: actions-ecosystem/action-regex-match@v2 | |
with: | |
text: ${{ github.ref }} | |
regex: '^refs/tags/((([0-9]+)\.[0-9]+)\.[0-9]+-(.+))$' | |
- name: Parse Docker image name from Git repository name | |
id: image | |
uses: actions-ecosystem/action-regex-match@v2 | |
with: | |
text: ${{ github.repository }} | |
regex: '^${{ github.repository_owner }}/(.+)-docker-image$' | |
- uses: actions/download-artifact@v4 | |
with: | |
name: ${{ matrix.dist }}-${{ steps.semver.outputs.group2 }}-${{ github.run_number }} | |
path: .cache/ | |
if: ${{ steps.skip.outputs.no == 'true' }} | |
- run: make docker.untar from-file=.cache/image.tar | |
if: ${{ steps.skip.outputs.no == 'true' }} | |
- name: Login to ${{ matrix.registry }} container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ matrix.registry }} | |
username: ${{ (matrix.registry == 'docker.io' | |
&& secrets.DOCKERHUB_BOT_USER) | |
|| (matrix.registry == 'quay.io' | |
&& secrets.QUAYIO_ROBOT_USER) | |
|| github.repository_owner }} | |
password: ${{ (matrix.registry == 'docker.io' | |
&& secrets.DOCKERHUB_BOT_PASS) | |
|| (matrix.registry == 'quay.io' | |
&& secrets.QUAYIO_ROBOT_TOKEN) | |
|| secrets.GITHUB_TOKEN }} | |
if: ${{ steps.skip.outputs.no == 'true' }} | |
- run: make docker.tags of=build-${{ github.run_number }} | |
DOCKERFILE=${{ steps.semver.outputs.group2 }}/${{ matrix.dist }} | |
registries=${{ matrix.registry }} | |
if: ${{ steps.skip.outputs.no == 'true' }} | |
- run: make docker.push | |
DOCKERFILE=${{ steps.semver.outputs.group2 }}/${{ matrix.dist }} | |
registries=${{ matrix.registry }} | |
if: ${{ steps.skip.outputs.no == 'true' }} | |
# On GitHub Container Registry README is automatically updated on pushes. | |
- name: Update README on Docker Hub | |
uses: christian-korneck/update-container-description-action@v1 | |
with: | |
provider: dockerhub | |
destination_container_repo: ${{ github.repository_owner }}/${{ steps.image.outputs.group1 }} | |
readme_file: README.md | |
env: | |
DOCKER_USER: ${{ secrets.DOCKERHUB_BOT_USER }} | |
DOCKER_PASS: ${{ secrets.DOCKERHUB_BOT_PASS }} | |
if: ${{ steps.skip.outputs.no == 'true' | |
&& matrix.registry == 'docker.io' }} | |
- name: Update README on Quay.io | |
uses: christian-korneck/update-container-description-action@v1 | |
with: | |
provider: quay | |
destination_container_repo: ${{ matrix.registry }}/${{ github.repository_owner }}/${{ steps.image.outputs.group1 }} | |
readme_file: README.md | |
env: | |
DOCKER_APIKEY: ${{ secrets.QUAYIO_API_TOKEN }} | |
if: ${{ steps.skip.outputs.no == 'true' | |
&& matrix.registry == 'quay.io' }} | |
release-github: | |
name: release (GitHub) | |
if: ${{ github.event_name == 'push' | |
&& startsWith(github.ref, 'refs/tags/') }} | |
needs: ["push"] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Parse semver versions from Git tag | |
id: semver | |
uses: actions-ecosystem/action-regex-match@v2 | |
with: | |
text: ${{ github.ref }} | |
regex: '^refs/tags/((([0-9]+)\.[0-9]+)\.[0-9]+-(.+))$' | |
- name: Parse CHANGELOG link | |
id: changelog | |
run: echo "link=${{ github.server_url }}/${{ github.repository }}/blob/${{ steps.semver.outputs.group1 }}/CHANGELOG.md#$(sed -n '/^## \[${{ steps.semver.outputs.group1 }}\]/{s/^## \[\(.*\)\][^0-9]*\([0-9].*\)/\1--\2/;s/[^0-9a-z-]*//g;p;}' CHANGELOG.md)" | |
>> $GITHUB_OUTPUT | |
- name: Create GitHub release | |
uses: softprops/action-gh-release@v2 | |
with: | |
name: ${{ steps.semver.outputs.group1 }} | |
body: | | |
[Changelog](${{ steps.changelog.outputs.link }}) |