Ghost V5 alpine #1410
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# The beauty of our CI setup is that it will build Dockerfile and set variables from the Dockerfile | |
# by https://pascalandy.com at https://firepress.org | |
# GNU v3 https://github.com/firepress-org/ghostfire/blob/master/LICENSE | |
name: Ghost V5 alpine | |
on: | |
schedule: | |
- cron: "0 5 * * *" # everyday at 7am | |
pull_request: | |
branches: [master, main] | |
paths: | |
- "v5/**" | |
- ".github/workflows/**" | |
push: | |
tags: | |
- "5.*.*" | |
paths-ignore: | |
- "**.md" | |
# branches: [master, main] | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
env: | |
# needed to define path within 'uses' | |
SUB_DIR: "v5" | |
permissions: | |
contents: read | |
packages: write # if you're pushing to GitHub Packages | |
pull-requests: write # allows Dependabot to auto-merge its PRs if you've configured it to do so | |
defaults: | |
run: | |
shell: "bash -Eeuo pipefail -x {0}" | |
# works within 'run' but not with 'uses' | |
working-directory: "v5" | |
jobs: | |
# ---------------------------------------------- | |
# SET VARIABLES | |
# More context about the way we set variables https://github.com/firepress-org/ghostfire/issues/46 | |
# ---------------------------------------------- | |
myvars: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: "0" | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- name: Github Actions system status | |
uses: crazy-max/[email protected] | |
with: | |
actions_threshold: operational | |
git_threshold: degraded_performance | |
- name: Create dir for our varz | |
run: mkdir -pv ~/varz | |
# Build Logic | |
# By default, every builds uses 'edge' workflow | |
# Commits from a PR, it uses 'edge' workflow | |
# When a PR is merge/rebase into master, it uses 'edge' workflow | |
# When a schedule build rund, it uses 'edge' workflow | |
# Commits on master/main uses, it uses 'edge' workflow (I do this all the time to test ci yaml) | |
# Once everything is clean .. | |
# I TAG a commit (i.e. 5.19.1), then the CI uses 'stable' workflow and push the OFFICIAL docker image | |
- name: edge | Set BRANCH_NAME | |
if: github.ref_type != 'tag' | |
run: echo "edge" > ~/varz/BRANCH_NAME | |
- name: stable | Set BRANCH_NAME | |
if: github.ref_type == 'tag' | |
run: echo "stable" > ~/varz/BRANCH_NAME | |
- name: Define and save variables to disk | |
run: | | |
cat Dockerfile | grep APP_NAME= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/APP_NAME | |
cat Dockerfile | grep VERSION= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/VERSION_TMP | |
echo "— — — DO NOT MIX alpine vs debian Tags! — — — " | |
echo "$(cat ~/varz/VERSION_TMP)" > ~/varz/VERSION | |
cat Dockerfile | grep DOCKERHUB_USER= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/DOCKERHUB_USER | |
cat Dockerfile | grep GITHUB_ORG= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/GITHUB_ORG | |
cat Dockerfile | grep GITHUB_REGISTRY= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/GITHUB_REGISTRY | |
echo "$(cat ~/varz/DOCKERHUB_USER)/$(cat ~/varz/APP_NAME)" > ~/varz/DKR_PREFIX | |
echo "ghcr.io/$(cat ~/varz/GITHUB_ORG)/$(cat ~/varz/GITHUB_REGISTRY)/$(cat ~/varz/APP_NAME)" > ~/varz/GPR_PREFIX | |
git rev-parse --short HEAD > ~/varz/SHORT_HASH_COMMIT | |
date "+%Y-%m-%d_%HH%M" > ~/varz/DATE | |
echo "$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)" > ~/varz/VERSION_HASH_ONLY | |
echo "$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)_$(cat ~/varz/DATE)" > ~/varz/VERSION_HASH_DATE | |
echo "$(cat ~/varz/APP_NAME):$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)" > ~/varz/_NOTI_MESSAGE | |
echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION)" > ~/varz/TAG_DKR_VERSION | |
echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/BRANCH_NAME)" > ~/varz/TAG_DKR_BRANCH_NAME | |
echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION_HASH_ONLY)" > ~/varz/TAG_DKR_VERSION_HASH_ONLY | |
echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION_HASH_DATE)" > ~/varz/TAG_DKR_VERSION_HASH_DATE | |
echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION)" > ~/varz/TAG_GPR_VERSION | |
echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/BRANCH_NAME)" > ~/varz/TAG_GPR_BRANCH_NAME | |
echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION_HASH_ONLY)" > ~/varz/TAG_GPR_VERSION_HASH_ONLY | |
echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION_HASH_DATE)" > ~/varz/TAG_GPR_VERSION_HASH_DATE | |
- name: Upload variables as artifact | |
uses: actions/upload-artifact@master | |
with: | |
name: variables_on_disk | |
path: ~/varz | |
- name: Expose variables to all jobs | |
id: myvars | |
run: | | |
echo "APP_NAME=$(cat ~/varz/APP_NAME)" >> "$GITHUB_OUTPUT" | |
echo "VERSION=$(cat ~/varz/VERSION)" >> "$GITHUB_OUTPUT" | |
echo "DOCKERHUB_USER=$(cat ~/varz/DOCKERHUB_USER)" >> "$GITHUB_OUTPUT" | |
echo "GITHUB_ORG=$(cat ~/varz/GITHUB_ORG)" >> "$GITHUB_OUTPUT" | |
echo "GITHUB_REGISTRY=$(cat ~/varz/GITHUB_REGISTRY)" >> "$GITHUB_OUTPUT" | |
echo "DKR_PREFIX=$(cat ~/varz/DKR_PREFIX)" >> "$GITHUB_OUTPUT" | |
echo "GPR_PREFIX=$(cat ~/varz/GPR_PREFIX)" >> "$GITHUB_OUTPUT" | |
echo "SUB_DIR=$(cat ~/varz/SUB_DIR)" >> "$GITHUB_OUTPUT" | |
echo "SHORT_HASH_COMMIT=$(cat ~/varz/SHORT_HASH_COMMIT)" >> "$GITHUB_OUTPUT" | |
echo "DATE=$(cat ~/varz/DATE)" >> "$GITHUB_OUTPUT" | |
echo "BRANCH_NAME=$(cat ~/varz/BRANCH_NAME)" >> "$GITHUB_OUTPUT" | |
echo "VERSION_HASH_ONLY=$(cat ~/varz/VERSION_HASH_ONLY)" >> "$GITHUB_OUTPUT" | |
echo "VERSION_HASH_DATE=$(cat ~/varz/VERSION_HASH_DATE)" >> "$GITHUB_OUTPUT" | |
echo "_NOTI_MESSAGE=$(cat ~/varz/_NOTI_MESSAGE)" >> "$GITHUB_OUTPUT" | |
echo "TAG_DKR_VERSION=$(cat ~/varz/TAG_DKR_VERSION)" >> "$GITHUB_OUTPUT" | |
echo "TAG_DKR_BRANCH_NAME=$(cat ~/varz/TAG_DKR_BRANCH_NAME)" >> "$GITHUB_OUTPUT" | |
echo "TAG_DKR_VERSION_HASH_ONLY=$(cat ~/varz/TAG_DKR_VERSION_HASH_ONLY)" >> "$GITHUB_OUTPUT" | |
echo "TAG_DKR_VERSION_HASH_DATE=$(cat ~/varz/TAG_DKR_VERSION_HASH_DATE)" >> "$GITHUB_OUTPUT" | |
echo "TAG_GPR_VERSION=$(cat ~/varz/TAG_GPR_VERSION)" >> "$GITHUB_OUTPUT" | |
echo "TAG_GPR_BRANCH_NAME=$(cat ~/varz/TAG_GPR_BRANCH_NAME)" >> "$GITHUB_OUTPUT" | |
echo "TAG_GPR_VERSION_HASH_ONLY=$(cat ~/varz/TAG_GPR_VERSION_HASH_ONLY)" >> "$GITHUB_OUTPUT" | |
echo "TAG_GPR_VERSION_HASH_DATE=$(cat ~/varz/TAG_GPR_VERSION_HASH_DATE)" >> "$GITHUB_OUTPUT" | |
outputs: | |
APP_NAME: ${{ steps.myvars.outputs.APP_NAME }} | |
VERSION: ${{ steps.myvars.outputs.VERSION }} | |
SUB_DIR: ${{ steps.myvars.outputs.SUB_DIR }} | |
DOCKERHUB_USER: ${{ steps.myvars.outputs.DOCKERHUB_USER }} | |
GITHUB_ORG: ${{ steps.myvars.outputs.GITHUB_ORG }} | |
GITHUB_REGISTRY: ${{ steps.myvars.outputs.GITHUB_REGISTRY }} | |
DKR_PREFIX: ${{ steps.myvars.outputs.DKR_PREFIX }} | |
GPR_PREFIX: ${{ steps.myvars.outputs.GPR_PREFIX }} | |
SHORT_HASH_COMMIT: ${{ steps.myvars.outputs.SHORT_HASH_COMMIT }} | |
DATE: ${{ steps.myvars.outputs.DATE }} | |
BRANCH_NAME: ${{ steps.myvars.outputs.BRANCH_NAME }} | |
VERSION_HASH_ONLY: ${{ steps.myvars.outputs.VERSION_HASH_ONLY }} | |
VERSION_HASH_DATE: ${{ steps.myvars.outputs.VERSION_HASH_DATE }} | |
_NOTI_MESSAGE: ${{ steps.myvars.outputs._NOTI_MESSAGE }} | |
TAG_DKR_VERSION: ${{ steps.myvars.outputs.TAG_DKR_VERSION }} | |
TAG_DKR_BRANCH_NAME: ${{ steps.myvars.outputs.TAG_DKR_BRANCH_NAME }} | |
TAG_DKR_VERSION_HASH_ONLY: ${{ steps.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }} | |
TAG_DKR_VERSION_HASH_DATE: ${{ steps.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} | |
TAG_GPR_VERSION: ${{ steps.myvars.outputs.TAG_GPR_VERSION }} | |
TAG_GPR_BRANCH_NAME: ${{ steps.myvars.outputs.TAG_GPR_BRANCH_NAME }} | |
TAG_GPR_VERSION_HASH_ONLY: ${{ steps.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }} | |
TAG_GPR_VERSION_HASH_DATE: ${{ steps.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }} | |
# ---------------------------------------------- | |
# build / edge OR stable | |
# tags are not the same between edge or stable | |
# ---------------------------------------------- | |
build_edge: | |
needs: [myvars] | |
if: github.ref_type != 'tag' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- uses: docker/setup-qemu-action@v3 | |
- uses: docker/setup-buildx-action@v3 | |
with: | |
version: v0.6.0 | |
- uses: docker/[email protected] | |
with: | |
username: ${{ needs.myvars.outputs.DOCKERHUB_USER }} | |
password: ${{ github.actor == 'dependabot[bot]' && secrets.DEPENDABOT_DOCKERHUB_PASSWORD || secrets.DOCKERHUB_PASSWORD }} | |
- uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ needs.myvars.outputs.GITHUB_ORG }} | |
password: ${{ github.actor == 'dependabot[bot]' && secrets.TOKEN_GPR || secrets.TOKEN_GPR }} | |
- name: Build and push image (edge) | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./${{ env.SUB_DIR }}/Dockerfile | |
platforms: | | |
linux/amd64 | |
# linux/arm64/v8 | |
# linux/arm/v8 | |
# linux/arm/v7 | |
push: true | |
tags: | | |
${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} | |
${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }} | |
# The order for <docker push -tag> matters for our CD down the line | |
cache-from: type=gha, scope=${{ github.workflow }} | |
cache-to: type=gha, scope=${{ github.workflow }}, mode=max | |
- name: UAT run edge | Wait for container to run | |
timeout-minutes: 2 | |
# These two VAR are here to force SQLite over Mysql | |
# database__client=s | |
# database__connection__filename= | |
run: | | |
docker run -d --name ghostUAT -p 2368:2368 -e WEB_URL=http://localhost:2368 -e NODE_ENV=production -e database__client=sqlite3 -e database__connection__filename=/var/lib/ghost/content/data/ghost.db ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} | |
echo "--- Wait for ghostUAT --->" | |
until $(curl --output /dev/null --silent --head --fail http://localhost:2368); do | |
echo "--- ghostUAT is starting..." | |
sleep 1 | |
done; | |
echo "--- ghostUAT is running! --->" | |
- name: UAT docker test edge | docker-library tests | |
# Ghost V5 grep "Thoughts, stories and ideas" | |
# Ghost V4 grep "Thoughts, stories and ideas" | |
# Ghost V3 grep "The professional publishing platform" | |
run: | | |
curl http://localhost:2368 | grep "Thoughts, stories and ideas" | |
git clone --depth 1 https://github.com/docker-library/official-images.git official-images | |
cp ./test/config.sh official-images/test/config.sh | |
official-images/test/run.sh ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} | |
- name: Checkpoint edge | image ls | |
run: docker image ls | |
- name: Docker Scout edge | |
id: docker-scout-edge | |
uses: docker/scout-action@v1 | |
with: | |
command: compare | |
image: node:20.18.1-alpine3.20 | |
to: ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} | |
ignore-unchanged: true | |
only-severities: critical,high,medium,low | |
write-comment: true | |
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment | |
build_stable: | |
needs: [myvars] | |
if: github.ref_type == 'tag' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- uses: docker/setup-qemu-action@v3 | |
- uses: docker/setup-buildx-action@v3 | |
with: | |
version: v0.6.0 | |
- uses: docker/[email protected] | |
with: | |
username: ${{ needs.myvars.outputs.DOCKERHUB_USER }} | |
password: ${{ github.actor == 'dependabot[bot]' && secrets.DEPENDABOT_DOCKERHUB_PASSWORD || secrets.DOCKERHUB_PASSWORD }} | |
- uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ needs.myvars.outputs.GITHUB_ORG }} | |
password: ${{ github.actor == 'dependabot[bot]' && secrets.TOKEN_GPR || secrets.TOKEN_GPR }} | |
- name: Build and push image (stable) | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./${{ env.SUB_DIR }}/Dockerfile | |
platforms: | | |
linux/amd64 | |
# linux/arm64/v8 | |
# linux/arm/v8 | |
# linux/arm/v7 | |
push: true | |
tags: | | |
${{ needs.myvars.outputs.TAG_DKR_VERSION }} | |
${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} | |
${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }} | |
${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} | |
${{ needs.myvars.outputs.TAG_GPR_VERSION }} | |
${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }} | |
${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }} | |
${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }} | |
# The order for <docker push -tag> matters for our CD down the line | |
cache-from: type=gha, scope=${{ github.workflow }} | |
cache-to: type=gha, scope=${{ github.workflow }}, mode=max | |
- name: UAT run stable | Wait for container to run | |
timeout-minutes: 2 | |
# These two VAR are here to force SQLite over Mysql | |
# database__client=s | |
# database__connection__filename= | |
run: | | |
docker run -d --name ghostUAT -p 2368:2368 -e WEB_URL=http://localhost:2368 -e NODE_ENV=production -e database__client=sqlite3 -e database__connection__filename=/var/lib/ghost/content/data/ghost.db ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} | |
echo "--- Wait for ghostUAT --->" | |
until $(curl --output /dev/null --silent --head --fail http://localhost:2368); do | |
echo "--- ghostUAT is starting..." | |
sleep 1 | |
done; | |
echo "--- ghostUAT is running! --->" | |
- name: UAT docker test stable | docker-library tests | |
# Ghost V5 grep "0o0o" | |
# Ghost V4 grep "Thoughts, stories and ideas" | |
# Ghost V3 grep "The professional publishing platform" | |
run: | | |
curl http://localhost:2368 | grep "Thoughts, stories and ideas" | |
git clone --depth 1 https://github.com/docker-library/official-images.git official-images | |
cp ./test/config.sh official-images/test/config.sh | |
official-images/test/run.sh ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} | |
- name: Checkpoint | image ls | |
run: docker image ls | |
# ---------------------------------------------- | |
# UAT / edge OR stable | |
# This job is bypassed: weird bug on the uat job. Ci complain about docker login. So the UAT is under the build job. | |
# ---------------------------------------------- | |
# ---------------------------------------------- | |
# Continuous Deployment / edge OR stable | |
# I duplicate this in two jobs to have a better visual representation | |
# ---------------------------------------------- | |
# cd_edge: | |
# see unused_workflow/cd_edge.yml | |
cd_stable: | |
needs: [build_stable] | |
if: github.ref_type == 'tag' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- name: cd stable | |
uses: appleboy/[email protected] | |
with: | |
host: ${{ secrets.NODE1 }} | |
port: ${{ secrets.SSH_PORT }} | |
username: ${{ secrets.SSH_USERNAME }} | |
key: ${{ secrets.SSH_KEY_ACTIONS }} | |
passphrase: ${{ secrets.SSH_KEY_ACTIONS_PASSPHRASE }} | |
script: | | |
${{ secrets.SSH_CMD__UPDATE_DKR_IMG_STABLE }} | |
hostname | |
- name: Add a comment (from a tag) | |
run: | | |
echo "## For reference (from a tag)" >> $GITHUB_STEP_SUMMARY | |
echo "Docker image: ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}" >> $GITHUB_STEP_SUMMARY | |
echo "Please use docker images that were build from a tag. More details: https://github.com/firepress-org/ghostfire/issues/265" >> $GITHUB_STEP_SUMMARY | |
# ---------------------------------------------- | |
# Reviews | |
# ---------------------------------------------- | |
review_myvars: | |
needs: [myvars] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- name: Show variables | |
run: | | |
echo "Final Docker image name:" | |
echo "= = = = = = = = = =" | |
echo ${{ needs.myvars.outputs.TAG_DKR_VERSION }} | |
echo ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} | |
echo ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }} | |
echo ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} | |
echo ${{ needs.myvars.outputs.TAG_GPR_VERSION }} | |
echo ${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }} | |
echo ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }} | |
echo ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }} | |
echo "---" | |
echo "Core environment variables:" | |
echo "---" | |
echo "${{ env.SUB_DIR }} << SUB_DIR" | |
echo "${{ needs.myvars.outputs.APP_NAME }} << APP_NAME" | |
echo "${{ needs.myvars.outputs.DOCKERHUB_USER }} << DOCKERHUB_USER" | |
echo "${{ needs.myvars.outputs.GITHUB_ORG }} << GITHUB_ORG" | |
echo "${{ needs.myvars.outputs.GITHUB_REGISTRY }} << GITHUB_REGISTRY" | |
echo "${{ needs.myvars.outputs.DKR_PREFIX }} << DKR_PREFIX" | |
echo "${{ needs.myvars.outputs.GPR_PREFIX }} << GPR_PREFIX" | |
echo "${{ needs.myvars.outputs.VERSION }} << VERSION" | |
echo "${{ needs.myvars.outputs.SHORT_HASH_COMMIT }} << SHORT_HASH_COMMIT" | |
echo "${{ needs.myvars.outputs.DATE }} << DATE" | |
echo "${{ needs.myvars.outputs.BRANCH_NAME }} << BRANCH_NAME" | |
echo "${{ needs.myvars.outputs.VERSION_HASH_ONLY }} << VERSION_HASH_ONLY" | |
echo "${{ needs.myvars.outputs.VERSION_HASH_DATE }} << VERSION_HASH_DATE" | |
echo "${{ needs.myvars.outputs._NOTI_MESSAGE }} << _NOTI_MESSAGE" | |
echo "---" | |
echo "Environment variables provided Github Actions :" | |
echo "---" | |
echo "${GITHUB_WORKFLOW} << GITHUB_WORKFLOW" | |
echo "${GITHUB_RUN_ID} << GITHUB_RUN_ID" | |
echo "${GITHUB_RUN_NUMBER} << GITHUB_RUN_NUMBER" | |
echo "${GITHUB_JOB} << GITHUB_JOB" | |
echo "${GITHUB_ACTION} << GITHUB_ACTION" | |
echo "${GITHUB_ACTOR} << GITHUB_ACTOR" | |
echo "${GITHUB_REPOSITORY} << GITHUB_REPOSITORY" | |
echo "${GITHUB_EVENT_NAME} << GITHUB_EVENT_NAME" | |
echo "${GITHUB_EVENT_PATH} << GITHUB_EVENT_PATH" | |
echo "${GITHUB_WORKSPACE} << GITHUB_WORKSPACE" | |
echo "${GITHUB_SHA} << GITHUB_SHA" | |
echo "${GITHUB_REF} << GITHUB_REF" | |
echo "${GITHUB_SERVER_URL} << GITHUB_SERVER_URL" | |
echo "${GITHUB_API_URL} << GITHUB_API_URL" | |
echo "${GITHUB_GRAPHQL_URL} << GITHUB_GRAPHQL_URL" | |
echo "${RUNNER_OS} << RUNNER_OS" | |
echo "${RUNNER_TEMP} << RUNNER_TEMP" | |
echo "${RUNNER_TOOL_CACHE} << RUNNER_TOOL_CACHE" | |
echo "${GITHUB_ACTIONS} << GITHUB_ACTIONS" | |
# review_snyk_opt: | |
review_trivy_opt: | |
needs: [myvars, build_stable, cd_stable] | |
if: github.ref_type == 'tag' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- name: Checkpoint | Scanner Trivy for HIGH,CRITICAL CVEs and report (blocking) | |
continue-on-error: true | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} | |
exit-code: 0 | |
format: table | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "HIGH,CRITICAL" | |
#output: "trivy-results.sarif" | |
#- name: Upload Trivy scan results to GitHub Security tab | |
# uses: github/codeql-action/upload-sarif@v3 | |
# if: always() | |
# with: | |
# sarif_file: "trivy-results.sarif" | |
review_dockle: | |
needs: [myvars, build_stable, cd_stable] | |
if: github.ref_type == 'tag' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- name: Checkpoint | Scanner by Dockle | |
run: | | |
docker run --rm goodwithtech/dockle:latest ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} | |
# review_superlinter_call: | |
# needs: [myvars, build] | |
# uses: firepress-org/reusable_workflows/.github/workflows/super-linter.yaml@master | |
review_linter_opt: | |
needs: [myvars, build_stable, cd_stable] | |
if: github.ref_type == 'tag' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- name: Checkpoint | Linter | |
continue-on-error: true | |
uses: docker://ghcr.io/github/super-linter:slim-v4 | |
# github/super-linter@v4 | |
# docker://ghcr.io/github/super-linter:slim-v4 | |
env: | |
DISABLE_ERRORS: true # Flag to have the linter complete with exit code 0 even if errors were detected. | |
VALIDATE_ALL_CODEBASE: false | |
VALIDATE_MARKDOWN: false | |
VALIDATE_DOCKERFILE: false | |
VALIDATE_JSCPD: false | |
DEFAULT_BRANCH: edge | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
review_inspect: | |
needs: [myvars, build_stable, cd_stable] | |
if: github.ref_type == 'tag' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- name: Login to DockerHub registry | |
uses: docker/[email protected] | |
with: | |
username: ${{ needs.myvars.outputs.DOCKERHUB_USER }} | |
password: ${{ github.actor == 'dependabot[bot]' && secrets.DEPENDABOT_DOCKERHUB_PASSWORD || secrets.DOCKERHUB_PASSWORD }} | |
- name: Login to GitHub registry | |
uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ needs.myvars.outputs.GITHUB_ORG }} | |
password: ${{ github.actor == 'dependabot[bot]' && secrets.TOKEN_GPR || secrets.TOKEN_GPR }} | |
- name: Checkpoint | docker pull | |
run: | | |
docker pull ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} | |
- name: Checkpoint | See platforms | |
run: | | |
docker run --rm mplatform/mquery ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} | |
- name: Checkpoint | docker history | |
run: | | |
docker history --human ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} | |
- name: Checkpoint | docker image inspect | |
run: | | |
docker image inspect ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} | |
- name: Checkpoint | docker info | |
run: | | |
docker info | |
- name: Checkpoint | docker version | |
run: | | |
docker version | |
- name: Checkpoint | uname | |
run: | | |
uname -a && echo && echo | |
review_lighthouse: | |
needs: [myvars, build_stable, cd_stable] | |
if: github.ref_type == 'tag' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- name: Checkpoint | Lighthouse | |
uses: treosh/[email protected] | |
with: | |
urls: | | |
https://firepress.org/en/faq/#what-is-ghost | |
https://firepress.org/en/our-mission/ | |
#budgetPath: ./budget.json # test performance budgets | |
uploadArtifacts: true # save results as an action artifacts | |
temporaryPublicStorage: true # upload lighthouse report to the temporary storage | |
# https://github.com/firepress-org/ghostfire/issues/408 | |
review_slack: | |
needs: [myvars, build_stable, cd_stable] | |
if: github.ref_type == 'tag' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- name: Notify on Slack | |
run: | | |
docker run --rm \ | |
--name noti \ | |
-e NOTI_MESSAGE='${{ needs.myvars.outputs._NOTI_MESSAGE }}' \ | |
-e SLACK_CHANNEL="github-actions" \ | |
-e SLACK_TOKEN_CRON="${{ secrets.TOKEN_SLACK }}" \ | |
devmtl/noti:stable sh -c \ | |
' NOTI_SLACK_TOKEN="$SLACK_TOKEN_CRON" \ | |
NOTI_SLACK_CHANNEL="$SLACK_CHANNEL" \ | |
noti -k -m "$NOTI_MESSAGE" ' | |
# ---------------------------------------------- | |
# Actions after continuous_deployment | |
# ---------------------------------------------- | |
update_readme: | |
needs: [myvars, build_stable, cd_stable] | |
if: github.ref_type == 'tag' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- name: Update README on Dockerhub | |
run: | | |
docker run --rm \ | |
-v $(pwd)/README.md:/data/README.md \ | |
-e DOCKERHUB_USERNAME=${{ needs.myvars.outputs.DOCKERHUB_USER }} \ | |
-e DOCKERHUB_PASSWORD=${{ secrets.DOCKERHUB_PASSWORD }} \ | |
-e DOCKERHUB_REPO_PREFIX=${{ needs.myvars.outputs.DOCKERHUB_USER }} \ | |
-e DOCKERHUB_REPO_NAME=${{ needs.myvars.outputs.APP_NAME }} \ | |
devmtl/readme-to-dockerhub:stable | |
comment_within_pr: | |
needs: [myvars, build_stable, cd_stable] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- name: Find comment for image tags | |
# If PR, put image tags in the PR comments | |
# from https://github.com/marketplace/actions/create-or-update-comment | |
uses: peter-evans/find-comment@v3 | |
if: github.event_name == 'pull_request' | |
id: fc | |
with: | |
issue-number: ${{ github.event.pull_request.number }} | |
comment-author: "github-actions[bot]" | |
body-includes: Docker image tag(s) pushed | |
# If PR, put image tags in the PR comments | |
- name: Create or update comment for image tags | |
uses: peter-evans/create-or-update-comment@v4 | |
if: github.event_name == 'pull_request' | |
with: | |
comment-id: ${{ steps.fc.outputs.comment-id }} | |
issue-number: ${{ github.event.pull_request.number }} | |
body: | | |
Docker image tag(s) pushed: | |
```text | |
${{ needs.myvars.outputs.TAG_DKR_VERSION }} | |
${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} | |
${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }} | |
${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} | |
${{ needs.myvars.outputs.TAG_GPR_VERSION }} | |
${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }} | |
${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }} | |
${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }} | |
``` | |
edit-mode: replace | |
pr_label: | |
needs: [myvars, build_stable, cd_stable] | |
# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions | |
if: ${{ github.actor == 'dependabot[bot]' }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: zcong1993/[email protected] | |
with: | |
timezone: America/Montreal | |
- name: Login to DockerHub registry | |
if: github.actor != 'dependabot[bot]' | |
uses: docker/[email protected] | |
with: | |
username: ${{ needs.myvars.outputs.DOCKERHUB_USER }} | |
password: ${{ github.actor == 'dependabot[bot]' && secrets.DEPENDABOT_DOCKERHUB_PASSWORD || secrets.DOCKERHUB_PASSWORD }} | |
- name: Add a label for PR opened by dependabot | |
run: gh pr edit "$PR_URL" --add-label "dependabot" |