Skip to content

Ghost V5 alpine

Ghost V5 alpine #1304

Workflow file for this run

# The beauty of our CI setup is that it will build Dockerfile and set variables from the Dockerfile
# by https://pascalandy.com at https://firepress.org
# GNU v3 https://github.com/firepress-org/ghostfire/blob/master/LICENSE
name: Ghost V5 alpine
on:
schedule:
- cron: "0 5 * * *" # everyday at 7am
pull_request:
branches: [master, main]
paths:
- "v5/**"
- ".github/workflows/**"
push:
tags:
- "5.*.*"
paths-ignore:
- "**.md"
# branches: [master, main]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
env:
# needed to define path within 'uses'
SUB_DIR: "v5"
permissions:
contents: read
packages: write # if you're pushing to GitHub Packages
pull-requests: write # allows Dependabot to auto-merge its PRs if you've configured it to do so
defaults:
run:
shell: "bash -Eeuo pipefail -x {0}"
# works within 'run' but not with 'uses'
working-directory: "v5"
jobs:
# ----------------------------------------------
# SET VARIABLES
# More context about the way we set variables https://github.com/firepress-org/ghostfire/issues/46
# ----------------------------------------------
myvars:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: "0"
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- name: Github Actions system status
uses: crazy-max/[email protected]
with:
actions_threshold: operational
git_threshold: degraded_performance
- name: Create dir for our varz
run: mkdir -pv ~/varz
# Build Logic
# By default, every builds uses 'edge' workflow
# Commits from a PR, it uses 'edge' workflow
# When a PR is merge/rebase into master, it uses 'edge' workflow
# When a schedule build rund, it uses 'edge' workflow
# Commits on master/main uses, it uses 'edge' workflow (I do this all the time to test ci yaml)
# Once everything is clean ..
# I TAG a commit (i.e. 5.19.1), then the CI uses 'stable' workflow and push the OFFICIAL docker image
- name: edge | Set BRANCH_NAME
if: github.ref_type != 'tag'
run: echo "edge" > ~/varz/BRANCH_NAME
- name: stable | Set BRANCH_NAME
if: github.ref_type == 'tag'
run: echo "stable" > ~/varz/BRANCH_NAME
- name: Define and save variables to disk
run: |
cat Dockerfile | grep APP_NAME= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/APP_NAME
cat Dockerfile | grep VERSION= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/VERSION_TMP
echo "— — — DO NOT MIX alpine vs debian Tags! — — — "
echo "$(cat ~/varz/VERSION_TMP)" > ~/varz/VERSION
cat Dockerfile | grep DOCKERHUB_USER= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/DOCKERHUB_USER
cat Dockerfile | grep GITHUB_ORG= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/GITHUB_ORG
cat Dockerfile | grep GITHUB_REGISTRY= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/GITHUB_REGISTRY
echo "$(cat ~/varz/DOCKERHUB_USER)/$(cat ~/varz/APP_NAME)" > ~/varz/DKR_PREFIX
echo "ghcr.io/$(cat ~/varz/GITHUB_ORG)/$(cat ~/varz/GITHUB_REGISTRY)/$(cat ~/varz/APP_NAME)" > ~/varz/GPR_PREFIX
git rev-parse --short HEAD > ~/varz/SHORT_HASH_COMMIT
date "+%Y-%m-%d_%HH%M" > ~/varz/DATE
echo "$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)" > ~/varz/VERSION_HASH_ONLY
echo "$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)_$(cat ~/varz/DATE)" > ~/varz/VERSION_HASH_DATE
echo "$(cat ~/varz/APP_NAME):$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)" > ~/varz/_NOTI_MESSAGE
echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION)" > ~/varz/TAG_DKR_VERSION
echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/BRANCH_NAME)" > ~/varz/TAG_DKR_BRANCH_NAME
echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION_HASH_ONLY)" > ~/varz/TAG_DKR_VERSION_HASH_ONLY
echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION_HASH_DATE)" > ~/varz/TAG_DKR_VERSION_HASH_DATE
echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION)" > ~/varz/TAG_GPR_VERSION
echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/BRANCH_NAME)" > ~/varz/TAG_GPR_BRANCH_NAME
echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION_HASH_ONLY)" > ~/varz/TAG_GPR_VERSION_HASH_ONLY
echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION_HASH_DATE)" > ~/varz/TAG_GPR_VERSION_HASH_DATE
- name: Upload variables as artifact
uses: actions/upload-artifact@master
with:
name: variables_on_disk
path: ~/varz
- name: Expose variables to all jobs
id: myvars
run: |
echo "APP_NAME=$(cat ~/varz/APP_NAME)" >> "$GITHUB_OUTPUT"
echo "VERSION=$(cat ~/varz/VERSION)" >> "$GITHUB_OUTPUT"
echo "DOCKERHUB_USER=$(cat ~/varz/DOCKERHUB_USER)" >> "$GITHUB_OUTPUT"
echo "GITHUB_ORG=$(cat ~/varz/GITHUB_ORG)" >> "$GITHUB_OUTPUT"
echo "GITHUB_REGISTRY=$(cat ~/varz/GITHUB_REGISTRY)" >> "$GITHUB_OUTPUT"
echo "DKR_PREFIX=$(cat ~/varz/DKR_PREFIX)" >> "$GITHUB_OUTPUT"
echo "GPR_PREFIX=$(cat ~/varz/GPR_PREFIX)" >> "$GITHUB_OUTPUT"
echo "SUB_DIR=$(cat ~/varz/SUB_DIR)" >> "$GITHUB_OUTPUT"
echo "SHORT_HASH_COMMIT=$(cat ~/varz/SHORT_HASH_COMMIT)" >> "$GITHUB_OUTPUT"
echo "DATE=$(cat ~/varz/DATE)" >> "$GITHUB_OUTPUT"
echo "BRANCH_NAME=$(cat ~/varz/BRANCH_NAME)" >> "$GITHUB_OUTPUT"
echo "VERSION_HASH_ONLY=$(cat ~/varz/VERSION_HASH_ONLY)" >> "$GITHUB_OUTPUT"
echo "VERSION_HASH_DATE=$(cat ~/varz/VERSION_HASH_DATE)" >> "$GITHUB_OUTPUT"
echo "_NOTI_MESSAGE=$(cat ~/varz/_NOTI_MESSAGE)" >> "$GITHUB_OUTPUT"
echo "TAG_DKR_VERSION=$(cat ~/varz/TAG_DKR_VERSION)" >> "$GITHUB_OUTPUT"
echo "TAG_DKR_BRANCH_NAME=$(cat ~/varz/TAG_DKR_BRANCH_NAME)" >> "$GITHUB_OUTPUT"
echo "TAG_DKR_VERSION_HASH_ONLY=$(cat ~/varz/TAG_DKR_VERSION_HASH_ONLY)" >> "$GITHUB_OUTPUT"
echo "TAG_DKR_VERSION_HASH_DATE=$(cat ~/varz/TAG_DKR_VERSION_HASH_DATE)" >> "$GITHUB_OUTPUT"
echo "TAG_GPR_VERSION=$(cat ~/varz/TAG_GPR_VERSION)" >> "$GITHUB_OUTPUT"
echo "TAG_GPR_BRANCH_NAME=$(cat ~/varz/TAG_GPR_BRANCH_NAME)" >> "$GITHUB_OUTPUT"
echo "TAG_GPR_VERSION_HASH_ONLY=$(cat ~/varz/TAG_GPR_VERSION_HASH_ONLY)" >> "$GITHUB_OUTPUT"
echo "TAG_GPR_VERSION_HASH_DATE=$(cat ~/varz/TAG_GPR_VERSION_HASH_DATE)" >> "$GITHUB_OUTPUT"
outputs:
APP_NAME: ${{ steps.myvars.outputs.APP_NAME }}
VERSION: ${{ steps.myvars.outputs.VERSION }}
SUB_DIR: ${{ steps.myvars.outputs.SUB_DIR }}
DOCKERHUB_USER: ${{ steps.myvars.outputs.DOCKERHUB_USER }}
GITHUB_ORG: ${{ steps.myvars.outputs.GITHUB_ORG }}
GITHUB_REGISTRY: ${{ steps.myvars.outputs.GITHUB_REGISTRY }}
DKR_PREFIX: ${{ steps.myvars.outputs.DKR_PREFIX }}
GPR_PREFIX: ${{ steps.myvars.outputs.GPR_PREFIX }}
SHORT_HASH_COMMIT: ${{ steps.myvars.outputs.SHORT_HASH_COMMIT }}
DATE: ${{ steps.myvars.outputs.DATE }}
BRANCH_NAME: ${{ steps.myvars.outputs.BRANCH_NAME }}
VERSION_HASH_ONLY: ${{ steps.myvars.outputs.VERSION_HASH_ONLY }}
VERSION_HASH_DATE: ${{ steps.myvars.outputs.VERSION_HASH_DATE }}
_NOTI_MESSAGE: ${{ steps.myvars.outputs._NOTI_MESSAGE }}
TAG_DKR_VERSION: ${{ steps.myvars.outputs.TAG_DKR_VERSION }}
TAG_DKR_BRANCH_NAME: ${{ steps.myvars.outputs.TAG_DKR_BRANCH_NAME }}
TAG_DKR_VERSION_HASH_ONLY: ${{ steps.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }}
TAG_DKR_VERSION_HASH_DATE: ${{ steps.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
TAG_GPR_VERSION: ${{ steps.myvars.outputs.TAG_GPR_VERSION }}
TAG_GPR_BRANCH_NAME: ${{ steps.myvars.outputs.TAG_GPR_BRANCH_NAME }}
TAG_GPR_VERSION_HASH_ONLY: ${{ steps.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }}
TAG_GPR_VERSION_HASH_DATE: ${{ steps.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }}
# ----------------------------------------------
# build / edge OR stable
# tags are not the same between edge or stable
# ----------------------------------------------
build_edge:
needs: [myvars]
if: github.ref_type != 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
with:
version: v0.6.0
- uses: docker/[email protected]
with:
username: ${{ needs.myvars.outputs.DOCKERHUB_USER }}
password: ${{ github.actor == 'dependabot[bot]' && secrets.DEPENDABOT_DOCKERHUB_PASSWORD || secrets.DOCKERHUB_PASSWORD }}
- uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ needs.myvars.outputs.GITHUB_ORG }}
password: ${{ github.actor == 'dependabot[bot]' && secrets.TOKEN_GPR || secrets.TOKEN_GPR }}
- name: Build and push image (edge)
uses: docker/build-push-action@v6
with:
context: .
file: ./${{ env.SUB_DIR }}/Dockerfile
platforms: |
linux/amd64
# linux/arm64/v8
# linux/arm/v8
# linux/arm/v7
push: true
tags: |
${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }}
${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }}
# The order for <docker push -tag> matters for our CD down the line
cache-from: type=gha, scope=${{ github.workflow }}
cache-to: type=gha, scope=${{ github.workflow }}, mode=max
- name: UAT run edge | Wait for container to run
timeout-minutes: 2
# These two VAR are here to force SQLite over Mysql
# database__client=s
# database__connection__filename=
run: |
docker run -d --name ghostUAT -p 2368:2368 -e WEB_URL=http://localhost:2368 -e NODE_ENV=production -e database__client=sqlite3 -e database__connection__filename=/var/lib/ghost/content/data/ghost.db ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }}
echo "--- Wait for ghostUAT --->"
until $(curl --output /dev/null --silent --head --fail http://localhost:2368); do
echo "--- ghostUAT is starting..."
sleep 1
done;
echo "--- ghostUAT is running! --->"
- name: UAT docker test edge | docker-library tests
# Ghost V5 grep "Thoughts, stories and ideas"
# Ghost V4 grep "Thoughts, stories and ideas"
# Ghost V3 grep "The professional publishing platform"
run: |
curl http://localhost:2368 | grep "Thoughts, stories and ideas"
git clone --depth 1 https://github.com/docker-library/official-images.git official-images
cp ./test/config.sh official-images/test/config.sh
official-images/test/run.sh ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }}
- name: Checkpoint | image ls
run: docker image ls
build_stable:
needs: [myvars]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
with:
version: v0.6.0
- uses: docker/[email protected]
with:
username: ${{ needs.myvars.outputs.DOCKERHUB_USER }}
password: ${{ github.actor == 'dependabot[bot]' && secrets.DEPENDABOT_DOCKERHUB_PASSWORD || secrets.DOCKERHUB_PASSWORD }}
- uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ needs.myvars.outputs.GITHUB_ORG }}
password: ${{ github.actor == 'dependabot[bot]' && secrets.TOKEN_GPR || secrets.TOKEN_GPR }}
- name: Build and push image (stable)
uses: docker/build-push-action@v6
with:
context: .
file: ./${{ env.SUB_DIR }}/Dockerfile
platforms: |
linux/amd64
# linux/arm64/v8
# linux/arm/v8
# linux/arm/v7
push: true
tags: |
${{ needs.myvars.outputs.TAG_DKR_VERSION }}
${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }}
${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }}
${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
${{ needs.myvars.outputs.TAG_GPR_VERSION }}
${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }}
${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }}
${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }}
# The order for <docker push -tag> matters for our CD down the line
cache-from: type=gha, scope=${{ github.workflow }}
cache-to: type=gha, scope=${{ github.workflow }}, mode=max
- name: UAT run stable | Wait for container to run
timeout-minutes: 2
# These two VAR are here to force SQLite over Mysql
# database__client=s
# database__connection__filename=
run: |
docker run -d --name ghostUAT -p 2368:2368 -e WEB_URL=http://localhost:2368 -e NODE_ENV=production -e database__client=sqlite3 -e database__connection__filename=/var/lib/ghost/content/data/ghost.db ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
echo "--- Wait for ghostUAT --->"
until $(curl --output /dev/null --silent --head --fail http://localhost:2368); do
echo "--- ghostUAT is starting..."
sleep 1
done;
echo "--- ghostUAT is running! --->"
- name: UAT docker test stable | docker-library tests
# Ghost V5 grep "0o0o"
# Ghost V4 grep "Thoughts, stories and ideas"
# Ghost V3 grep "The professional publishing platform"
run: |
curl http://localhost:2368 | grep "Thoughts, stories and ideas"
git clone --depth 1 https://github.com/docker-library/official-images.git official-images
cp ./test/config.sh official-images/test/config.sh
official-images/test/run.sh ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
- name: Checkpoint | image ls
run: docker image ls
# ----------------------------------------------
# UAT / edge OR stable
# This job is bypassed: weird bug on the uat job. Ci complain about docker login. So the UAT is under the build job.
# ----------------------------------------------
# ----------------------------------------------
# Continuous Deployment / edge OR stable
# I duplicate this in two jobs to have a better visual representation
# ----------------------------------------------
cd_edge:
needs: [build_edge]
if: github.ref_type != 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- name: cd edge
uses: appleboy/[email protected]
with:
host: ${{ secrets.NODE1 }}
port: ${{ secrets.SSH_PORT }}
username: ${{ secrets.SSH_USERNAME }}
key: ${{ secrets.SSH_KEY_ACTIONS }}
passphrase: ${{ secrets.SSH_KEY_ACTIONS_PASSPHRASE }}
script: |
${{ secrets.SSH_CMD__UPDATE_DKR_IMG_EDGE }}
hostname
#sync: true
#host: "${{ secrets.NODE1 }},${{ secrets.NODE2 }},${{ secrets.NODE3 }}"
# alt projet: fifsky/ssh-action@master https://github.com/appleboy/ssh-action/issues/80#issuecomment-759473472
- name: Add a comment (from a PR)
run: |
echo "## For reference (from a PR)" >> $GITHUB_STEP_SUMMARY
echo "Docker image: ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }}" >> $GITHUB_STEP_SUMMARY
echo "Please use docker images that were build from a tag. More details: https://github.com/firepress-org/ghostfire/issues/265" >> $GITHUB_STEP_SUMMARY
cd_stable:
needs: [build_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- name: cd stable
uses: appleboy/[email protected]
with:
host: ${{ secrets.NODE1 }}
port: ${{ secrets.SSH_PORT }}
username: ${{ secrets.SSH_USERNAME }}
key: ${{ secrets.SSH_KEY_ACTIONS }}
passphrase: ${{ secrets.SSH_KEY_ACTIONS_PASSPHRASE }}
script: |
${{ secrets.SSH_CMD__UPDATE_DKR_IMG_STABLE }}
hostname
- name: Add a comment (from a tag)
run: |
echo "## For reference (from a tag)" >> $GITHUB_STEP_SUMMARY
echo "Docker image: ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}" >> $GITHUB_STEP_SUMMARY
echo "Please use docker images that were build from a tag. More details: https://github.com/firepress-org/ghostfire/issues/265" >> $GITHUB_STEP_SUMMARY
# ----------------------------------------------
# Reviews
# ----------------------------------------------
review_myvars:
needs: [myvars]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- name: Show variables
run: |
echo "Final Docker image name:"
echo "= = = = = = = = = ="
echo ${{ needs.myvars.outputs.TAG_DKR_VERSION }}
echo ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }}
echo ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }}
echo ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
echo ${{ needs.myvars.outputs.TAG_GPR_VERSION }}
echo ${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }}
echo ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }}
echo ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }}
echo "---"
echo "Core environment variables:"
echo "---"
echo "${{ env.SUB_DIR }} << SUB_DIR"
echo "${{ needs.myvars.outputs.APP_NAME }} << APP_NAME"
echo "${{ needs.myvars.outputs.DOCKERHUB_USER }} << DOCKERHUB_USER"
echo "${{ needs.myvars.outputs.GITHUB_ORG }} << GITHUB_ORG"
echo "${{ needs.myvars.outputs.GITHUB_REGISTRY }} << GITHUB_REGISTRY"
echo "${{ needs.myvars.outputs.DKR_PREFIX }} << DKR_PREFIX"
echo "${{ needs.myvars.outputs.GPR_PREFIX }} << GPR_PREFIX"
echo "${{ needs.myvars.outputs.VERSION }} << VERSION"
echo "${{ needs.myvars.outputs.SHORT_HASH_COMMIT }} << SHORT_HASH_COMMIT"
echo "${{ needs.myvars.outputs.DATE }} << DATE"
echo "${{ needs.myvars.outputs.BRANCH_NAME }} << BRANCH_NAME"
echo "${{ needs.myvars.outputs.VERSION_HASH_ONLY }} << VERSION_HASH_ONLY"
echo "${{ needs.myvars.outputs.VERSION_HASH_DATE }} << VERSION_HASH_DATE"
echo "${{ needs.myvars.outputs._NOTI_MESSAGE }} << _NOTI_MESSAGE"
echo "---"
echo "Environment variables provided Github Actions :"
echo "---"
echo "${GITHUB_WORKFLOW} << GITHUB_WORKFLOW"
echo "${GITHUB_RUN_ID} << GITHUB_RUN_ID"
echo "${GITHUB_RUN_NUMBER} << GITHUB_RUN_NUMBER"
echo "${GITHUB_JOB} << GITHUB_JOB"
echo "${GITHUB_ACTION} << GITHUB_ACTION"
echo "${GITHUB_ACTOR} << GITHUB_ACTOR"
echo "${GITHUB_REPOSITORY} << GITHUB_REPOSITORY"
echo "${GITHUB_EVENT_NAME} << GITHUB_EVENT_NAME"
echo "${GITHUB_EVENT_PATH} << GITHUB_EVENT_PATH"
echo "${GITHUB_WORKSPACE} << GITHUB_WORKSPACE"
echo "${GITHUB_SHA} << GITHUB_SHA"
echo "${GITHUB_REF} << GITHUB_REF"
echo "${GITHUB_SERVER_URL} << GITHUB_SERVER_URL"
echo "${GITHUB_API_URL} << GITHUB_API_URL"
echo "${GITHUB_GRAPHQL_URL} << GITHUB_GRAPHQL_URL"
echo "${RUNNER_OS} << RUNNER_OS"
echo "${RUNNER_TEMP} << RUNNER_TEMP"
echo "${RUNNER_TOOL_CACHE} << RUNNER_TOOL_CACHE"
echo "${GITHUB_ACTIONS} << GITHUB_ACTIONS"
# review_snyk_opt:
review_trivy_opt:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- name: Checkpoint | Scanner Trivy for HIGH,CRITICAL CVEs and report (blocking)
continue-on-error: true
uses: aquasecurity/[email protected]
with:
image-ref: ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
exit-code: 0
format: table
ignore-unfixed: true
vuln-type: "os,library"
severity: "HIGH,CRITICAL"
#output: "trivy-results.sarif"
#- name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v3
# if: always()
# with:
# sarif_file: "trivy-results.sarif"
review_dockle:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- name: Checkpoint | Scanner by Dockle
run: |
docker run --rm goodwithtech/dockle:latest ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
# review_superlinter_call:
# needs: [myvars, build]
# uses: firepress-org/reusable_workflows/.github/workflows/super-linter.yaml@master
review_linter_opt:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- name: Checkpoint | Linter
continue-on-error: true
uses: docker://ghcr.io/github/super-linter:slim-v4
# github/super-linter@v4
# docker://ghcr.io/github/super-linter:slim-v4
env:
DISABLE_ERRORS: true # Flag to have the linter complete with exit code 0 even if errors were detected.
VALIDATE_ALL_CODEBASE: false
VALIDATE_MARKDOWN: false
VALIDATE_DOCKERFILE: false
VALIDATE_JSCPD: false
DEFAULT_BRANCH: edge
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
review_inspect:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- name: Login to DockerHub registry
uses: docker/[email protected]
with:
username: ${{ needs.myvars.outputs.DOCKERHUB_USER }}
password: ${{ github.actor == 'dependabot[bot]' && secrets.DEPENDABOT_DOCKERHUB_PASSWORD || secrets.DOCKERHUB_PASSWORD }}
- name: Login to GitHub registry
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ needs.myvars.outputs.GITHUB_ORG }}
password: ${{ github.actor == 'dependabot[bot]' && secrets.TOKEN_GPR || secrets.TOKEN_GPR }}
- name: Checkpoint | docker pull
run: |
docker pull ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
- name: Checkpoint | See platforms
run: |
docker run --rm mplatform/mquery ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
- name: Checkpoint | docker history
run: |
docker history --human ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
- name: Checkpoint | docker image inspect
run: |
docker image inspect ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
- name: Checkpoint | docker info
run: |
docker info
- name: Checkpoint | docker version
run: |
docker version
- name: Checkpoint | uname
run: |
uname -a && echo && echo
review_lighthouse:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- name: Checkpoint | Lighthouse
uses: treosh/[email protected]
with:
urls: |
https://trial.firepress.link/edge/welcome/
https://trial.firepress.link/edge/tag/getting-started/
#budgetPath: ./budget.json # test performance budgets
uploadArtifacts: true # save results as an action artifacts
temporaryPublicStorage: true # upload lighthouse report to the temporary storage
# https://github.com/firepress-org/ghostfire/issues/408
review_slack:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- name: Notify on Slack
run: |
docker run --rm \
--name noti \
-e NOTI_MESSAGE='${{ needs.myvars.outputs._NOTI_MESSAGE }}' \
-e SLACK_CHANNEL="github-actions" \
-e SLACK_TOKEN_CRON="${{ secrets.TOKEN_SLACK }}" \
devmtl/noti:stable sh -c \
' NOTI_SLACK_TOKEN="$SLACK_TOKEN_CRON" \
NOTI_SLACK_CHANNEL="$SLACK_CHANNEL" \
noti -k -m "$NOTI_MESSAGE" '
# ----------------------------------------------
# Actions after continuous_deployment
# ----------------------------------------------
update_readme:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- name: Update README on Dockerhub
run: |
docker run --rm \
-v $(pwd)/README.md:/data/README.md \
-e DOCKERHUB_USERNAME=${{ needs.myvars.outputs.DOCKERHUB_USER }} \
-e DOCKERHUB_PASSWORD=${{ secrets.DOCKERHUB_PASSWORD }} \
-e DOCKERHUB_REPO_PREFIX=${{ needs.myvars.outputs.DOCKERHUB_USER }} \
-e DOCKERHUB_REPO_NAME=${{ needs.myvars.outputs.APP_NAME }} \
devmtl/readme-to-dockerhub:stable
comment_within_pr:
needs: [myvars, build_stable, cd_stable]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- name: Find comment for image tags
# If PR, put image tags in the PR comments
# from https://github.com/marketplace/actions/create-or-update-comment
uses: peter-evans/find-comment@v3
if: github.event_name == 'pull_request'
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: "github-actions[bot]"
body-includes: Docker image tag(s) pushed
# If PR, put image tags in the PR comments
- name: Create or update comment for image tags
uses: peter-evans/create-or-update-comment@v4
if: github.event_name == 'pull_request'
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
Docker image tag(s) pushed:
```text
${{ needs.myvars.outputs.TAG_DKR_VERSION }}
${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }}
${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }}
${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
${{ needs.myvars.outputs.TAG_GPR_VERSION }}
${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }}
${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }}
${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }}
```
edit-mode: replace
pr_label:
needs: [myvars, build_stable, cd_stable]
# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
if: ${{ github.actor == 'dependabot[bot]' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/[email protected]
with:
timezone: America/Montreal
- name: Login to DockerHub registry
if: github.actor != 'dependabot[bot]'
uses: docker/[email protected]
with:
username: ${{ needs.myvars.outputs.DOCKERHUB_USER }}
password: ${{ github.actor == 'dependabot[bot]' && secrets.DEPENDABOT_DOCKERHUB_PASSWORD || secrets.DOCKERHUB_PASSWORD }}
- name: Add a label for PR opened by dependabot
run: gh pr edit "$PR_URL" --add-label "dependabot"