Update Alpine to 3.20.3 version to fix CVE-2024-6119 #345
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: ["main"] | |
tags: ["*"] | |
pull_request: | |
branches: ["main"] | |
schedule: | |
- cron: "0 13 * * 5" | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
############ | |
# Building # | |
############ | |
build: | |
strategy: | |
fail-fast: false | |
matrix: | |
dist: ["alpine", "debian"] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: docker/setup-buildx-action@v3 | |
- name: Verify Dockerfile is up-to-date | |
run: | | |
make codegen.dockerfile dir=${{ matrix.dist }} | |
git update-index --refresh | |
! git diff-index HEAD -- | grep '${{ matrix.dist }}' | |
- run: make docker.image no-cache=yes | |
dockerfile=${{ matrix.dist }} | |
tag=build-${{ github.run_number }} | |
- run: make docker.tar to-file=.cache/image.tar | |
tags=build-${{ github.run_number }} | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ matrix.dist }}-${{ github.run_number }} | |
path: .cache/image.tar | |
retention-days: 1 | |
########### | |
# Testing # | |
########### | |
test: | |
needs: ["build"] | |
strategy: | |
fail-fast: false | |
matrix: | |
dist: ["alpine", "debian"] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- run: make npm.install | |
- uses: actions/download-artifact@v4 | |
with: | |
name: ${{ matrix.dist }}-${{ github.run_number }} | |
path: .cache/ | |
- run: make docker.untar from-file=.cache/image.tar | |
- run: make test.docker | |
tag=build-${{ github.run_number }} | |
env: | |
DOCKERFILE: ${{ matrix.dist }} | |
############# | |
# Releasing # | |
############# | |
push: | |
if: ${{ github.event_name == 'push' | |
&& startsWith(github.ref, 'refs/tags/') }} | |
needs: ["build", "test"] | |
strategy: | |
fail-fast: false | |
max-parallel: 1 | |
matrix: | |
registry: ["docker.io", "ghcr.io", "quay.io"] | |
dist: ["alpine", "debian"] | |
runs-on: ubuntu-latest | |
steps: | |
# Skip if this is fork and no credentials are provided. | |
- id: skip | |
run: echo "no=${{ !( | |
github.repository_owner != 'instrumentisto' | |
&& ((matrix.registry == 'quay.io' | |
&& secrets.QUAYIO_ROBOT_USER == '') | |
|| (matrix.registry == 'docker.io' | |
&& secrets.DOCKERHUB_BOT_USER == '')) | |
) }}" >> $GITHUB_OUTPUT | |
- uses: actions/checkout@v4 | |
if: ${{ steps.skip.outputs.no == 'true' }} | |
- name: Parse Docker image name from Git repository name | |
id: image | |
uses: actions-ecosystem/action-regex-match@v2 | |
with: | |
text: ${{ github.repository }} | |
regex: '^${{ github.repository_owner }}/(.+)-docker-image$' | |
- uses: actions/download-artifact@v4 | |
with: | |
name: ${{ matrix.dist }}-${{ github.run_number }} | |
path: .cache/ | |
if: ${{ steps.skip.outputs.no == 'true' }} | |
- run: make docker.untar from-file=.cache/image.tar | |
if: ${{ steps.skip.outputs.no == 'true' }} | |
- name: Login to ${{ matrix.registry }} container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ matrix.registry }} | |
username: ${{ (matrix.registry == 'docker.io' | |
&& secrets.DOCKERHUB_BOT_USER) | |
|| (matrix.registry == 'quay.io' | |
&& secrets.QUAYIO_ROBOT_USER) | |
|| github.repository_owner }} | |
password: ${{ (matrix.registry == 'docker.io' | |
&& secrets.DOCKERHUB_BOT_PASS) | |
|| (matrix.registry == 'quay.io' | |
&& secrets.QUAYIO_ROBOT_TOKEN) | |
|| secrets.GITHUB_TOKEN }} | |
if: ${{ steps.skip.outputs.no == 'true' }} | |
- run: make docker.tags of=build-${{ github.run_number }} | |
registries=${{ matrix.registry }} | |
env: | |
DOCKERFILE: ${{ matrix.dist }} # for correct `tags` auto-detection | |
if: ${{ steps.skip.outputs.no == 'true' }} | |
- run: make docker.push | |
registries=${{ matrix.registry }} | |
env: | |
DOCKERFILE: ${{ matrix.dist }} # for correct `tags` auto-detection | |
if: ${{ steps.skip.outputs.no == 'true' }} | |
# On GitHub Container Registry README is automatically updated on pushes. | |
- name: Update README on Docker Hub | |
uses: christian-korneck/update-container-description-action@v1 | |
with: | |
provider: dockerhub | |
destination_container_repo: ${{ github.repository_owner }}/${{ steps.image.outputs.group1 }} | |
readme_file: README.md | |
env: | |
DOCKER_USER: ${{ secrets.DOCKERHUB_BOT_USER }} | |
DOCKER_PASS: ${{ secrets.DOCKERHUB_BOT_PASS }} | |
if: ${{ steps.skip.outputs.no == 'true' | |
&& matrix.registry == 'docker.io' }} | |
- name: Update README on Quay.io | |
uses: christian-korneck/update-container-description-action@v1 | |
with: | |
provider: quay | |
destination_container_repo: ${{ matrix.registry }}/${{ github.repository_owner }}/${{ steps.image.outputs.group1 }} | |
readme_file: README.md | |
env: | |
DOCKER_APIKEY: ${{ secrets.QUAYIO_API_TOKEN }} | |
if: ${{ steps.skip.outputs.no == 'true' | |
&& matrix.registry == 'quay.io' }} | |
release-github: | |
name: release (GitHub) | |
if: ${{ github.event_name == 'push' | |
&& startsWith(github.ref, 'refs/tags/') }} | |
needs: ["push"] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Parse semver versions from Git tag | |
id: semver | |
uses: actions-ecosystem/action-regex-match@v2 | |
with: | |
text: ${{ github.ref }} | |
regex: '^refs/tags/((([0-9]+)\.[0-9]+)\.[0-9]+-(.+))$' | |
- name: Parse CHANGELOG link | |
id: changelog | |
run: echo "link=${{ github.server_url }}/${{ github.repository }}/blob/${{ steps.semver.outputs.group1 }}/CHANGELOG.md#$(sed -n '/^## \[${{ steps.semver.outputs.group1 }}\]/{s/^## \[\(.*\)\][^0-9]*\([0-9].*\)/\1--\2/;s/[^0-9a-z-]*//g;p;}' CHANGELOG.md)" | |
>> $GITHUB_OUTPUT | |
- name: Create GitHub release | |
uses: softprops/action-gh-release@v2 | |
with: | |
name: ${{ steps.semver.outputs.group1 }} | |
body: | | |
[Changelog](${{ steps.changelog.outputs.link }}) |