Merge branch 'secure-and-more-better'

.github/workflows/dev.yml

@@ -0,0 +1,162 @@
+name: Docker images dev build
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - '*'
+  pull_request:
+    branches:
+      - 'main'
+
+env:
+  IMAGE_BASE_NAME: 'throwtheswitch/madsciencelab'
+
+
+jobs:
+  # Jobs organized for concurrent Docker image builds
+  # Jobs only build :latest images without pushing to Docker Hub
+
+  madsciencelab:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Set up QEMU'
+        uses: docker/setup-qemu-action@v3
+
+      - name: 'Set up Docker Buildx'
+        uses: docker/setup-buildx-action@v3
+
+      - name: 'Login to Docker Hub'
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # Docker image: madsciencelab
+      # Note: standard/ directory maps to madsciencelab image (no variants)
+      - name: 'Build Docker image ${{ env.IMAGE_BASE_NAME }}'
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          file: build/standard/docker/Dockerfile
+          build-args: CONTAINER_VERSION=${{ github.ref_name }}
+          tags: ${{ env.IMAGE_BASE_NAME }}:latest
+
+  madsciencelab-plugins:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    env: 
+      VARIANT: plugins
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Set up QEMU'
+        uses: docker/setup-qemu-action@v3
+
+      - name: 'Set up Docker Buildx'
+        uses: docker/setup-buildx-action@v3
+
+      - name: 'Login to Docker Hub'
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # Docker image: madsciencelab-plugins
+      - name: 'Build Docker image ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}'
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          file: build/${{ env.VARIANT }}/docker/Dockerfile
+          build-args: CONTAINER_VERSION=${{ github.ref_name }}
+          tags: ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}:latest
+
+  madsciencelab-arm-none-eabi:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    env:
+      VARIANT: arm-none-eabi
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Set up QEMU'
+        uses: docker/setup-qemu-action@v3
+
+      - name: 'Set up Docker Buildx'
+        uses: docker/setup-buildx-action@v3
+
+      - name: 'Login to Docker Hub'
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # Docker image: madsciencelab-arm-none-eabi
+      - name: 'Build Docker image ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}'
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          file: build/${{ env.VARIANT }}/docker/Dockerfile
+          build-args: CONTAINER_VERSION=${{ github.ref_name }}
+          tags: ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}:latest
+
+  madsciencelab-arm-none-eabi-plugins:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    env:
+      VARIANT: arm-none-eabi-plugins
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Set up QEMU'
+        uses: docker/setup-qemu-action@v3
+
+      - name: 'Set up Docker Buildx'
+        uses: docker/setup-buildx-action@v3
+
+      - name: 'Login to Docker Hub'
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # Docker image: madsciencelab-arm-none-eabi-plugins
+      - name: 'Build Docker image ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}'
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          file: build/${{ env.VARIANT }}/docker/Dockerfile
+          build-args: CONTAINER_VERSION=${{ github.ref_name }}
+          tags: ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}:latest
+

.github/workflows/release.yml

@@ -0,0 +1,163 @@
+name: Docker images release build + Docker Hub push
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - '*'
+
+env:
+  IMAGE_BASE_NAME: 'throwtheswitch/madsciencelab'
+
+
+jobs:
+  # Jobs organized for concurrent Docker image builds
+  # Jobs build tagged and :latest images and push to Docker Hub
+
+  madsciencelab:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Set up QEMU'
+        uses: docker/setup-qemu-action@v3
+
+      - name: 'Set up Docker Buildx'
+        uses: docker/setup-buildx-action@v3
+
+      - name: 'Login to Docker Hub'
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # Docker image: madsciencelab
+      # Note: standard/ directory maps to madsciencelab image (no variants)
+      - name: 'Build and push Docker image ${{ env.IMAGE_BASE_NAME }}:${{ github.ref_name }}'
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          file: build/standard/docker/Dockerfile
+          build-args: CONTAINER_VERSION=${{ github.ref_name }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ env.IMAGE_BASE_NAME }}:${{ github.ref_name }}, ${{ env.IMAGE_BASE_NAME }}:latest
+
+  madsciencelab-plugins:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    env: 
+      VARIANT: plugins
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Set up QEMU'
+        uses: docker/setup-qemu-action@v3
+
+      - name: 'Set up Docker Buildx'
+        uses: docker/setup-buildx-action@v3
+
+      - name: 'Login to Docker Hub'
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # Docker image: madsciencelab-plugins
+      - name: 'Build and push Docker image ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}:${{ github.ref_name }}'
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          file: build/${{ env.VARIANT }}/docker/Dockerfile
+          build-args: CONTAINER_VERSION=${{ github.ref_name }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}:${{ github.ref_name }}, ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}:latest
+
+  madsciencelab-arm-none-eabi:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    env:
+      VARIANT: arm-none-eabi
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Set up QEMU'
+        uses: docker/setup-qemu-action@v3
+
+      - name: 'Set up Docker Buildx'
+        uses: docker/setup-buildx-action@v3
+
+      - name: 'Login to Docker Hub'
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # Docker image: madsciencelab-arm-none-eabi
+      - name: 'Build and push Docker image ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}:${{ github.ref_name }}'
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          file: build/${{ env.VARIANT }}/docker/Dockerfile
+          build-args: CONTAINER_VERSION=${{ github.ref_name }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}:${{ github.ref_name }}, ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}:latest
+
+  madsciencelab-arm-none-eabi-plugins:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    env:
+      VARIANT: arm-none-eabi-plugins
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Set up QEMU'
+        uses: docker/setup-qemu-action@v3
+
+      - name: 'Set up Docker Buildx'
+        uses: docker/setup-buildx-action@v3
+
+      - name: 'Login to Docker Hub'
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # Docker image: madsciencelab-arm-none-eabi-plugins
+      - name: 'Build and push Docker image ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}:${{ github.ref_name }}'
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          file: build/${{ env.VARIANT }}/docker/Dockerfile
+          build-args: CONTAINER_VERSION=${{ github.ref_name }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}:${{ github.ref_name }}, ${{ env.IMAGE_BASE_NAME }}-${{ env.VARIANT }}:latest
+