CD #186

Workflow file for this run

	name: CD

	on:
	push:
	branches: [master]
	schedule:
	- cron: '30 4 * * *'
	workflow_dispatch:
	inputs:
	force_rebuild:
	description: 'Force image rebuild'
	required: true
	type: choice
	options: [yes, no]

	permissions:
	packages: write
	contents: read

	env:
	REGISTRY: ghcr.io

	jobs:
	Build:
	name: Build & Push
	runs-on: ubuntu-latest
	timeout-minutes: 10

	strategy:
	matrix:
	version: [ 'alpine3.15', 'alpine3.16', 'alpine3.17', 'alpine3.18', 'alpine3.19', 'alpine3.20', 'ol8', 'ol9' ]

	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Login to DockerHub
	uses: docker/login-action@v3
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Check for rebuild
	id: rebuild_check
	run : \|
	# [rebuild-check]

	echo -e "::group::\033[34mChecking for rebuilt base image…\033[0m"

	if [[ "${{ github.event.inputs.force_rebuild }}" == "true" ]] ; then
	echo "::warning::Rebuild ${{matrix.version}} (reason: forced rebuild)"
	echo "build=true" >> $GITHUB_OUTPUT
	exit 0
	else
	if ! docker pull "${{env.REGISTRY}}/${{github.repository}}:${{matrix.version}}" ; then
	echo "::warning::Rebuild ${{matrix.version}} (reason: new image)"
	echo "build=true" >> $GITHUB_OUTPUT
	exit 0
	fi
	fi

	base_image=$(grep 'FROM ' "${{matrix.version}}.docker" \| sed 's#${REGISTRY}/##' \| tail -1 \| cut -f2 -d' ')

	echo ""
	echo "Base image: $base_image"
	echo ""

	docker pull "${{env.REGISTRY}}/$base_image"

	orig_dig=$(docker inspect "${{env.REGISTRY}}/$base_image" \| jq -r '.[0].RootFS.Layers[0]')
	our_dig=$(docker inspect "${{env.REGISTRY}}/${{github.repository}}:${{matrix.version}}" \| jq -r '.[0].RootFS.Layers[0]')

	echo ""
	echo "Original: ${orig_dig}"
	echo "Our: ${our_dig}"

	if [[ "$orig_dig" != "$our_dig" ]] ; then
	echo "::warning::Rebuild ${{matrix.version}} (reason: rebuilt base image)"
	echo "build=true" >> $GITHUB_OUTPUT
	exit 0
	fi

	echo "::endgroup::"

	- name: Rebuild and push image
	if: ${{ steps.rebuild_check.outputs.build == 'true' }}
	uses: docker/build-push-action@v5
	with:
	context: .
	push: true
	file: ${{matrix.version}}.docker
	tags: \|
	${{env.REGISTRY}}/${{github.repository}}:${{matrix.version}}
	${{github.repository}}:${{matrix.version}}

	- name: Show info about image
	uses: essentialkaos/docker-info-action@v1
	with:
	image: ${{env.REGISTRY}}/${{github.repository}}:${{matrix.version}}

	- name: Scan final image with Trivy
	uses: aquasecurity/trivy-action@master
	env:
	TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
	with:
	image-ref: "${{env.REGISTRY}}/${{github.repository}}:${{matrix.version}}"
	format: "table"
	ignore-unfixed: true
	severity: "LOW,MEDIUM,HIGH,CRITICAL"
	scanners: "vuln"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CD #186

Workflow file

CD #186

Jobs

Run details

Workflow file for this run