Updated PostgreSQL client to 17 version on Alpine #1457
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build images (DockerHub) | |
on: | |
release: | |
types: | |
- published | |
push: | |
branches: | |
- '[0-9]+.[0-9]+' | |
- 'trunk' | |
paths: | |
- 'Dockerfiles/**' | |
- 'build.json' | |
- '!**/README.md' | |
- '!Dockerfiles/*/rhel/*' | |
- '!Dockerfiles/*/windows/*' | |
- '.github/workflows/images_build.yml' | |
schedule: | |
- cron: '50 02 * * *' | |
workflow_dispatch: | |
defaults: | |
run: | |
shell: bash | |
permissions: | |
contents: read | |
env: | |
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} | |
AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} | |
DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }} | |
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} | |
LATEST_BRANCH: ${{ github.event.repository.default_branch }} | |
TRUNK_GIT_BRANCH: "refs/heads/trunk" | |
IMAGES_PREFIX: "zabbix-" | |
BASE_BUILD_NAME: "build-base" | |
BASE_CACHE_FILE_NAME: "base_image_metadata.json" | |
BUILD_CACHE_FILE_NAME: "base_build_image_metadata.json" | |
MATRIX_FILE: "build.json" | |
DOCKERFILES_DIRECTORY: "./Dockerfiles" | |
OIDC_ISSUER: "https://token.actions.githubusercontent.com" | |
IDENTITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" | |
DOCKER_REGISTRY_TEST: "ghcr.io" | |
DOCKER_REPOSITORY_TEST: "zabbix" | |
jobs: | |
init_build: | |
name: Initialize build | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
outputs: | |
os: ${{ steps.os.outputs.list }} | |
database: ${{ steps.database.outputs.list }} | |
components: ${{ steps.components.outputs.list }} | |
is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} | |
current_branch: ${{ steps.branch_info.outputs.current_branch }} | |
sha_short: ${{ steps.branch_info.outputs.sha_short }} | |
steps: | |
- name: Block egress traffic | |
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
- name: Checkout repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} | |
fetch-depth: 1 | |
sparse-checkout: ${{ env.MATRIX_FILE }} | |
- name: Check ${{ env.MATRIX_FILE }} file | |
id: build_exists | |
env: | |
MATRIX_FILE: ${{ env.MATRIX_FILE }} | |
run: | | |
if [[ ! -f "$MATRIX_FILE" ]]; then | |
echo "::error::File $MATRIX_FILE is missing" | |
exit 1 | |
fi | |
- name: Prepare Operating System list | |
id: os | |
env: | |
MATRIX_FILE: ${{ env.MATRIX_FILE }} | |
run: | | |
os_list=$(jq -r '.["os-linux"] | keys | map(select(. != "rhel")) | [ .[] | tostring ] | @json' "$MATRIX_FILE") | |
echo "::group::Operating System List" | |
echo "$os_list" | |
echo "::endgroup::" | |
echo "list=$os_list" >> $GITHUB_OUTPUT | |
- name: Prepare Database engine list | |
id: database | |
env: | |
MATRIX_FILE: ${{ env.MATRIX_FILE }} | |
run: | | |
database_list=$(jq -r '[.components | values[].base ] | sort | unique | del(.. | select ( . == "" ) ) | @json' "$MATRIX_FILE") | |
echo "::group::Database List" | |
echo "$database_list" | |
echo "::endgroup::" | |
echo "list=$database_list" >> $GITHUB_OUTPUT | |
- name: Prepare Zabbix component list | |
id: components | |
env: | |
MATRIX_FILE: ${{ env.MATRIX_FILE }} | |
run: | | |
component_list=$(jq -r '.components | keys | @json' "$MATRIX_FILE") | |
echo "::group::Zabbix Component List" | |
echo "$component_list" | |
echo "::endgroup::" | |
echo "list=$component_list" >> $GITHUB_OUTPUT | |
- name: Get branch info | |
id: branch_info | |
env: | |
LATEST_BRANCH: ${{ env.LATEST_BRANCH }} | |
github_ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || github.ref }} | |
run: | | |
result=false | |
sha_short=$(git rev-parse --short HEAD) | |
if [[ "$github_ref" == "refs/tags/"* ]]; then | |
github_ref=${github_ref%.*} | |
fi | |
github_ref=${github_ref##*/} | |
if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then | |
result=true | |
fi | |
echo "::group::Branch data" | |
echo "is_default_branch - $result" | |
echo "current_branch - $github_ref" | |
echo "sha_short - $sha_short" | |
echo "::endgroup::" | |
echo "is_default_branch=$result" >> $GITHUB_OUTPUT | |
echo "current_branch=$github_ref" >> $GITHUB_OUTPUT | |
echo "sha_short=$sha_short" >> $GITHUB_OUTPUT | |
build_base: | |
timeout-minutes: 30 | |
name: Build base on ${{ matrix.os }} | |
needs: init_build | |
strategy: | |
fail-fast: false | |
matrix: | |
os: ${{ fromJson(needs.init_build.outputs.os) }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
id-token: write | |
packages: write | |
attestations: write | |
steps: | |
- name: Block egress traffic | |
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
with: | |
disable-sudo: true | |
egress-policy: audit | |
allowed-endpoints: > | |
api.github.com:443 | |
archive.ubuntu.com:80 | |
atl.mirrors.knownhost.com:443 | |
atl.mirrors.knownhost.com:80 | |
auth.docker.io:443 | |
cdn03.quay.io:443 | |
centos-stream-distro.1gservers.com:443 | |
centos-stream-distro.1gservers.com:80 | |
dfw.mirror.rackspace.com:443 | |
dfw.mirror.rackspace.com:80 | |
dl-cdn.alpinelinux.org:443 | |
download.cf.centos.org:443 | |
download.cf.centos.org:80 | |
epel.mirror.constant.com:443 | |
ftp-nyc.osuosl.org:443 | |
ftp-nyc.osuosl.org:80 | |
ftp-osl.osuosl.org:443 | |
ftp-osl.osuosl.org:80 | |
ftp.plusline.net:443 | |
ftp.plusline.net:80 | |
ftpmirror.your.org:80 | |
fulcio.sigstore.dev:443 | |
github.com:443 | |
ghcr.io:443 | |
iad.mirror.rackspace.com:443 | |
iad.mirror.rackspace.com:80 | |
index.docker.io:443 | |
lesnet.mm.fcix.net:443 | |
mirror-mci.yuki.net.uk:443 | |
mirror-mci.yuki.net.uk:80 | |
mirror.arizona.edu:443 | |
mirror.arizona.edu:80 | |
mirror.dogado.de:443 | |
mirror.dogado.de:80 | |
mirror.facebook.net:443 | |
mirror.facebook.net:80 | |
mirror.fcix.net:443 | |
mirror.hoobly.com:443 | |
mirror.math.princeton.edu:443 | |
mirror.netzwerge.de:443 | |
mirror.pilotfiber.com:443 | |
mirror.pilotfiber.com:80 | |
mirror.rackspace.com:443 | |
mirror.rackspace.com:80 | |
mirror.scaleuptech.com:443 | |
mirror.scaleuptech.com:80 | |
mirror.servaxnet.com:443 | |
mirror.servaxnet.com:80 | |
mirror.siena.edu:80 | |
mirror.stream.centos.org:443 | |
mirror.stream.centos.org:80 | |
mirror.team-cymru.com:443 | |
mirror.team-cymru.com:80 | |
mirror1.hs-esslingen.de:443 | |
mirrors.centos.org:443 | |
mirrors.fedoraproject.org:443 | |
mirrors.fedoraproject.org:80 | |
mirrors.iu13.net:80 | |
mirrors.mit.edu:443 | |
mirrors.ocf.berkeley.edu:443 | |
mirrors.ocf.berkeley.edu:80 | |
mirrors.sonic.net:443 | |
mirrors.wcupa.edu:443 | |
mirrors.wcupa.edu:80 | |
mirrors.xtom.de:80 | |
na.edge.kernel.org:443 | |
nocix.mm.fcix.net:443 | |
oauth2.sigstore.dev:443 | |
objects.githubusercontent.com:443 | |
ports.ubuntu.com:80 | |
production.cloudflare.docker.com:443 | |
quay.io:443 | |
registry-1.docker.io:443 | |
rekor.sigstore.dev:443 | |
repo.ialab.dsu.edu:443 | |
repos.eggycrew.com:443 | |
repos.eggycrew.com:80 | |
security.ubuntu.com:80 | |
tuf-repo-cdn.sigstore.dev:443 | |
uvermont.mm.fcix.net:443 | |
yum.oracle.com:443 | |
ziply.mm.fcix.net:443 | |
pkg-containers.githubusercontent.com:443 | |
raw.githubusercontent.com:443 | |
- name: Checkout repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} | |
fetch-depth: 1 | |
- name: Install cosign | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 | |
with: | |
cosign-release: 'v2.4.0' | |
- name: Check cosign version | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
run: cosign version | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 | |
with: | |
image: tonistiigi/binfmt:latest | |
platforms: all | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 | |
with: | |
driver-opts: image=moby/buildkit:master | |
- name: Prepare Platform list | |
id: platform | |
env: | |
MATRIX_OS: ${{ matrix.os }} | |
MATRIX_FILE: ${{ env.MATRIX_FILE }} | |
run: | | |
platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE") | |
platform_list="${platform_list%,}" | |
echo "::group::Platform List" | |
echo "$platform_list" | |
echo "::endgroup::" | |
echo "list=$platform_list" >> $GITHUB_OUTPUT | |
- name: Generate tags | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
with: | |
images: | | |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} | |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} | |
tags: | | |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- | |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} | |
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest | |
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}-latest | |
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest | |
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- | |
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }} | |
flavor: | | |
latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} | |
- name: Prepare cache data | |
id: cache_data | |
env: | |
IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} | |
PUBLISH_IMAGES: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
run: | | |
cache_from=() | |
cache_to=() | |
cache_from+=("type=gha,scope=${IMAGE_TAG}") | |
#cache_from+=("type=registry,ref=${IMAGE_TAG}") | |
cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}") | |
echo "::group::Cache from data" | |
echo "${cache_from[*]}" | |
echo "::endgroup::" | |
echo "::group::Cache to data" | |
echo "${cache_to[*]}" | |
echo "::endgroup::" | |
cache_from=$(printf '%s\n' "${cache_from[@]}") | |
cache_to=$(printf '%s\n' "${cache_to[@]}") | |
echo 'cache_from<<EOF' >> "$GITHUB_OUTPUT" | |
echo "$cache_from" >> "$GITHUB_OUTPUT" | |
echo 'EOF' >> "$GITHUB_OUTPUT" | |
echo 'cache_to<<EOF' >> "$GITHUB_OUTPUT" | |
echo "$cache_to" >> "$GITHUB_OUTPUT" | |
echo 'EOF' >> "$GITHUB_OUTPUT" | |
- name: Login to DockerHub | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Login to ${{ env.DOCKER_REGISTRY_TEST }} | |
if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} | |
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 | |
with: | |
registry: ${{ env.DOCKER_REGISTRY_TEST }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and publish image | |
id: docker_build | |
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
with: | |
context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} | |
file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} | |
platforms: ${{ steps.platform.outputs.list }} | |
push: true | |
provenance: mode=max | |
sbom: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: | | |
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} | |
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} | |
cache-from: ${{ steps.cache_data.outputs.cache_from }} | |
cache-to: ${{ steps.cache_data.outputs.cache_to }} | |
- name: Sign the images with GitHub OIDC Token | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
env: | |
DIGEST: ${{ steps.docker_build.outputs.digest }} | |
TAGS: ${{ steps.meta.outputs.tags }} | |
run: | | |
images="" | |
for tag in ${TAGS}; do | |
images+="${tag}@${DIGEST} " | |
done | |
echo "::group::Images to sign" | |
echo "$images" | |
echo "::endgroup::" | |
echo "::group::Signing" | |
echo "cosign sign --yes $images" | |
cosign sign --yes ${images} | |
echo "::endgroup::" | |
- name: Attest images | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
id: attest | |
uses: actions/attest-build-provenance@v2 | |
with: | |
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }} | |
subject-digest: ${{ steps.docker_build.outputs.digest }} | |
push-to-registry: true | |
- name: Image metadata | |
env: | |
CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }} | |
METADATA: ${{ steps.docker_build.outputs.metadata }} | |
run: | | |
echo "::group::Image metadata" | |
echo "${METADATA}" | |
echo "::endgroup::" | |
echo "::group::Cache file name" | |
echo "${CACHE_FILE_NAME}" | |
echo "::endgroup::" | |
echo "${METADATA}" > "$CACHE_FILE_NAME" | |
- name: Cache image metadata | |
uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | |
with: | |
path: ${{ env.BASE_CACHE_FILE_NAME }} | |
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} | |
build_base_database: | |
timeout-minutes: 180 | |
needs: [ "build_base", "init_build"] | |
name: Build ${{ matrix.build }} base on ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
build: ${{ fromJson(needs.init_build.outputs.database) }} | |
os: ${{ fromJson(needs.init_build.outputs.os) }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
id-token: write | |
packages: write | |
attestations: write | |
steps: | |
- name: Block egress traffic | |
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
auth.docker.io:443 | |
git.zabbix.com:443 | |
github.com:443 | |
go.googlesource.com:443 | |
go.mongodb.org:443 | |
golang.org:443 | |
google.golang.org:443 | |
golang.zabbix.com:443 | |
gopkg.in:443 | |
ghcr.io:443 | |
index.docker.io:443 | |
noto-website-2.storage.googleapis.com:443 | |
production.cloudflare.docker.com:443 | |
proxy.golang.org:443 | |
registry-1.docker.io:443 | |
storage.googleapis.com:443 | |
fulcio.sigstore.dev:443 | |
oauth2.sigstore.dev:443 | |
objects.githubusercontent.com:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
rekor.sigstore.dev:443 | |
pkg-containers.githubusercontent.com:443 | |
raw.githubusercontent.com:443 | |
- name: Checkout repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} | |
fetch-depth: 1 | |
- name: Install cosign | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 | |
with: | |
cosign-release: 'v2.4.0' | |
- name: Check cosign version | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
run: cosign version | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 | |
with: | |
image: tonistiigi/binfmt:latest | |
platforms: all | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 | |
with: | |
driver-opts: image=moby/buildkit:master | |
- name: Prepare Platform list | |
id: platform | |
env: | |
MATRIX_OS: ${{ matrix.os }} | |
MATRIX_FILE: ${{ env.MATRIX_FILE }} | |
run: | | |
platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE") | |
platform_list="${platform_list%,}" | |
echo "::group::Platform List" | |
echo "$platform_list" | |
echo "::endgroup::" | |
echo "list=$platform_list" >> $GITHUB_OUTPUT | |
- name: Generate tags | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
with: | |
images: | | |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} | |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} | |
tags: | | |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- | |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} | |
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest | |
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,suffix=-${{ matrix.os }}-latest | |
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest | |
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- | |
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }} | |
flavor: | | |
latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} | |
- name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} | |
uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | |
with: | |
path: ${{ env.BASE_CACHE_FILE_NAME }} | |
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} | |
- name: Process ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} image metadata | |
id: base_build | |
env: | |
CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }} | |
run: | | |
echo "::group::Base image metadata" | |
cat "${CACHE_FILE_NAME}" | |
echo "::endgroup::" | |
IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "${CACHE_FILE_NAME}") | |
IMAGE_NAME=$(jq -r '."image.name"' "${CACHE_FILE_NAME}" | cut -d: -f1) | |
echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT | |
- name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
env: | |
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} | |
OIDC_ISSUER: ${{ env.OIDC_ISSUER }} | |
IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }} | |
run: | | |
echo "::group::Image sign data" | |
echo "OIDC issuer=$OIDC_ISSUER" | |
echo "Identity=$IDENTITY_REGEX" | |
echo "Image to verify=$BASE_IMAGE" | |
echo "::endgroup::" | |
echo "::group::Verify signature" | |
cosign verify \ | |
--certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ | |
--certificate-identity-regexp "$IDENTITY_REGEX" \ | |
"$BASE_IMAGE" | jq | |
echo "::endgroup::" | |
- name: Prepare cache data | |
id: cache_data | |
env: | |
BASE_IMAGE_TAG: ${{ steps.base_build.outputs.base_build_image }} | |
IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} | |
PUBLISH_IMAGES: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
run: | | |
cache_from=() | |
cache_to=() | |
cache_from+=("type=gha,scope=${BASE_IMAGE_TAG}") | |
cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}") | |
cache_from+=("type=gha,scope=${IMAGE_TAG}") | |
cache_from+=("type=registry,ref=${IMAGE_TAG}") | |
cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}") | |
echo "::group::Cache from data" | |
echo "${cache_from[*]}" | |
echo "::endgroup::" | |
echo "::group::Cache to data" | |
echo "${cache_to[*]}" | |
echo "::endgroup::" | |
cache_from=$(printf '%s\n' "${cache_from[@]}") | |
cache_to=$(printf '%s\n' "${cache_to[@]}") | |
echo 'cache_from<<EOF' >> "$GITHUB_OUTPUT" | |
echo "$cache_from" >> "$GITHUB_OUTPUT" | |
echo 'EOF' >> "$GITHUB_OUTPUT" | |
echo 'cache_to<<EOF' >> "$GITHUB_OUTPUT" | |
echo "$cache_to" >> "$GITHUB_OUTPUT" | |
echo 'EOF' >> "$GITHUB_OUTPUT" | |
- name: Login to DockerHub | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Login to ${{ env.DOCKER_REGISTRY_TEST }} | |
if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} | |
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 | |
with: | |
registry: ${{ env.DOCKER_REGISTRY_TEST }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build ${{ matrix.build }}/${{ matrix.os }} and push | |
id: docker_build | |
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
with: | |
context: ${{ format('{0}/{1}/{2}/', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} | |
file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} | |
platforms: ${{ steps.platform.outputs.list }} | |
push: true | |
provenance: mode=max | |
sbom: true | |
tags: ${{ steps.meta.outputs.tags }} | |
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} | |
labels: | | |
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} | |
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} | |
- name: Sign the images with GitHub OIDC Token | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
env: | |
DIGEST: ${{ steps.docker_build.outputs.digest }} | |
TAGS: ${{ steps.meta.outputs.tags }} | |
run: | | |
images="" | |
for tag in ${TAGS}; do | |
images+="${tag}@${DIGEST} " | |
done | |
echo "::group::Images to sign" | |
echo "$images" | |
echo "::endgroup::" | |
echo "::group::Signing" | |
echo "cosign sign --yes $images" | |
cosign sign --yes ${images} | |
echo "::endgroup::" | |
- name: Attest images | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
id: attest | |
uses: actions/attest-build-provenance@v2 | |
with: | |
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }} | |
subject-digest: ${{ steps.docker_build.outputs.digest }} | |
push-to-registry: true | |
- name: Image metadata | |
env: | |
CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }} | |
METADATA: ${{ steps.docker_build.outputs.metadata }} | |
run: | | |
echo "::group::Image metadata" | |
echo "${METADATA}" | |
echo "::endgroup::" | |
echo "::group::Cache file name" | |
echo "${CACHE_FILE_NAME}" | |
echo "::endgroup::" | |
echo "${METADATA}" > "$CACHE_FILE_NAME" | |
- name: Cache image metadata | |
uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | |
with: | |
path: ${{ env.BUILD_CACHE_FILE_NAME }} | |
key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} | |
build_images: | |
timeout-minutes: 90 | |
needs: [ "build_base_database", "init_build"] | |
name: Build ${{ matrix.build }} on ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
build: ${{ fromJson(needs.init_build.outputs.components) }} | |
os: ${{ fromJson(needs.init_build.outputs.os) }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
id-token: write | |
packages: write | |
attestations: write | |
steps: | |
- name: Block egress traffic | |
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
auth.docker.io:443 | |
dl-cdn.alpinelinux.org:443 | |
github.com:443 | |
index.docker.io:443 | |
production.cloudflare.docker.com:443 | |
registry-1.docker.io:443 | |
fulcio.sigstore.dev:443 | |
objects.githubusercontent.com:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
rekor.sigstore.dev:443 | |
api.github.com:443 | |
atl.mirrors.knownhost.com:443 | |
atl.mirrors.knownhost.com:80 | |
auth.docker.io:443 | |
cdn03.quay.io:443 | |
centos-stream-distro.1gservers.com:443 | |
centos-stream-distro.1gservers.com:80 | |
download.cf.centos.org:443 | |
download.cf.centos.org:80 | |
d2lzkl7pfhq30w.cloudfront.net:443 | |
epel.mirror.constant.com:80 | |
forksystems.mm.fcix.net:80 | |
ftp-nyc.osuosl.org:443 | |
ftp-nyc.osuosl.org:80 | |
ftp-osl.osuosl.org:443 | |
ftp-osl.osuosl.org:80 | |
ftp.plusline.net:80 | |
ftpmirror.your.org:80 | |
github.com:443 | |
iad.mirror.rackspace.com:443 | |
index.docker.io:443 | |
ix-denver.mm.fcix.net:443 | |
mirror-mci.yuki.net.uk:443 | |
mirror.23m.com:80 | |
mirror.arizona.edu:80 | |
mirror.dal.nexril.net:80 | |
mirror.de.leaseweb.net:80 | |
mirror.dogado.de:80 | |
mirror.facebook.net:80 | |
mirror.hoobly.com:80 | |
mirror.math.princeton.edu:80 | |
mirror.netcologne.de:443 | |
mirror.netzwerge.de:443 | |
mirror.pilotfiber.com:443 | |
mirror.pilotfiber.com:80 | |
mirror.rackspace.com:443 | |
mirror.rackspace.com:80 | |
mirror.scaleuptech.com:443 | |
mirror.servaxnet.com:443 | |
mirror.servaxnet.com:80 | |
mirror.sfo12.us.leaseweb.net:80 | |
mirror.siena.edu:80 | |
mirror.steadfastnet.com:80 | |
mirror.team-cymru.com:443 | |
mirror.team-cymru.com:80 | |
mirror.umd.edu:443 | |
mirror1.hs-esslingen.de:443 | |
mirrors.centos.org:443 | |
mirrors.fedoraproject.org:443 | |
mirrors.iu13.net:443 | |
mirrors.iu13.net:80 | |
mirrors.ocf.berkeley.edu:443 | |
mirrors.sonic.net:80 | |
mirrors.syringanetworks.net:80 | |
mirrors.vcea.wsu.edu:80 | |
mirrors.wcupa.edu:80 | |
mirrors.xtom.de:80 | |
na.edge.kernel.org:443 | |
nnenix.mm.fcix.net:80 | |
ohioix.mm.fcix.net:80 | |
production.cloudflare.docker.com:443 | |
pubmirror1.math.uh.edu:443 | |
pubmirror3.math.uh.edu:80 | |
quay.io:443 | |
ghcr.io:443 | |
registry-1.docker.io:443 | |
repo.ialab.dsu.edu:80 | |
repos.eggycrew.com:80 | |
uvermont.mm.fcix.net:80 | |
ziply.mm.fcix.net:443 | |
fulcio.sigstore.dev:443 | |
objects.githubusercontent.com:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
rekor.sigstore.dev:443 | |
oauth2.sigstore.dev:443 | |
api.github.com:443 | |
auth.docker.io:443 | |
github.com:443 | |
index.docker.io:443 | |
production.cloudflare.docker.com:443 | |
registry-1.docker.io:443 | |
yum.oracle.com:443 | |
fulcio.sigstore.dev:443 | |
objects.githubusercontent.com:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
rekor.sigstore.dev:443 | |
api.github.com:443 | |
archive.ubuntu.com:80 | |
auth.docker.io:443 | |
deb.debian.org:80 | |
github.com:443 | |
index.docker.io:443 | |
keyserver.ubuntu.com:11371 | |
nginx.org:443 | |
nginx.org:80 | |
ports.ubuntu.com:80 | |
production.cloudflare.docker.com:443 | |
registry-1.docker.io:443 | |
security.ubuntu.com:80 | |
fulcio.sigstore.dev:443 | |
objects.githubusercontent.com:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
rekor.sigstore.dev:443 | |
pkg-containers.githubusercontent.com:443 | |
raw.githubusercontent.com:443 | |
- name: Checkout repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} | |
fetch-depth: 1 | |
- name: Install cosign | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 | |
with: | |
cosign-release: 'v2.4.0' | |
- name: Check cosign version | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
run: cosign version | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 | |
with: | |
image: tonistiigi/binfmt:latest | |
platforms: all | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 | |
with: | |
driver-opts: image=moby/buildkit:master | |
- name: Prepare Platform list | |
id: platform | |
env: | |
MATRIX_OS: ${{ matrix.os }} | |
MATRIX_BUILD: ${{ matrix.build }} | |
MATRIX_FILE: ${{ env.MATRIX_FILE }} | |
run: | | |
# Chromium on Alpine is available only on linux/amd64, linux/arm64 platforms | |
if ([ "$MATRIX_OS" == "alpine" ] || [ "$MATRIX_OS" == "centos" ]) && [ "$MATRIX_BUILD" == "web-service" ]; then | |
platform_list="linux/amd64,linux/arm64" | |
# Chromium on Ubuntu is not available on s390x and armhf platform | |
elif [ "$MATRIX_OS" == "ubuntu" ] && [ "$MATRIX_BUILD" == "web-service" ]; then | |
platform_list="linux/amd64,linux/arm64" | |
else | |
platform_list=$(jq -r ".[\"os-linux\"].\"$MATRIX_OS\" | join(\",\")" "$MATRIX_FILE") | |
fi | |
# Build only Agent and Agent2 on 386 | |
if [ "$MATRIX_BUILD" != "agent"* ]; then | |
platform_list="${platform_list#linux/386,}" | |
fi | |
platform_list="${platform_list%,}" | |
echo "::group::Platform List" | |
echo "$platform_list" | |
echo "::endgroup::" | |
echo "list=$platform_list" >> $GITHUB_OUTPUT | |
- name: Detect Build Base Image | |
id: build_base_image | |
env: | |
MATRIX_BUILD: ${{ matrix.build }} | |
MATRIX_FILE: ${{ env.MATRIX_FILE }} | |
run: | | |
BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\".base" "$MATRIX_FILE") | |
echo "::group::Base Build Image" | |
echo "$BUILD_BASE" | |
echo "::endgroup::" | |
echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT | |
- name: Generate tags | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
with: | |
images: | | |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} | |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} | |
tags: | | |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- | |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} | |
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest | |
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}-latest | |
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest | |
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- | |
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }} | |
flavor: | | |
latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} | |
- name: Download metadata of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} | |
uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | |
if: ${{ matrix.build != 'snmptraps' }} | |
with: | |
path: ${{ env.BUILD_CACHE_FILE_NAME }} | |
key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.os }}-${{ github.run_id }} | |
- name: Process ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} image metadata | |
id: base_build | |
if: ${{ matrix.build != 'snmptraps' }} | |
env: | |
CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }} | |
run: | | |
echo "::group::Base build image metadata" | |
cat "${CACHE_FILE_NAME}" | |
echo "::endgroup::" | |
IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "${CACHE_FILE_NAME}") | |
IMAGE_NAME=$(jq -r '."image.name"' "${CACHE_FILE_NAME}" | cut -d: -f1) | |
echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT | |
- name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign | |
if: ${{ matrix.build != 'snmptraps' && env.AUTO_PUSH_IMAGES == 'true' }} | |
env: | |
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} | |
OIDC_ISSUER: ${{ env.OIDC_ISSUER }} | |
IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }} | |
run: | | |
echo "::group::Image sign data" | |
echo "OIDC issuer=${OIDC_ISSUER}" | |
echo "Identity=${IDENTITY_REGEX}" | |
echo "Image to verify=${BASE_IMAGE}" | |
echo "::endgroup::" | |
echo "::group::Verify signature" | |
cosign verify \ | |
--certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \ | |
--certificate-identity-regexp "${IDENTITY_REGEX}" \ | |
"${BASE_IMAGE}" | jq | |
echo "::endgroup::" | |
- name: Prepare cache data | |
if: ${{ matrix.build != 'snmptraps' }} | |
id: cache_data | |
env: | |
BASE_IMAGE_TAG: ${{ steps.base_build.outputs.base_build_image }} | |
run: | | |
cache_from=() | |
cache_to=() | |
cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}") | |
echo "::group::Cache from data" | |
echo "${cache_from[*]}" | |
echo "::endgroup::" | |
cache_from=$(printf '%s\n' "${cache_from[@]}") | |
echo 'cache_from<<EOF' >> "$GITHUB_OUTPUT" | |
echo "$cache_from" >> "$GITHUB_OUTPUT" | |
echo 'EOF' >> "$GITHUB_OUTPUT" | |
- name: Login to DockerHub | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Build and push image | |
id: docker_build | |
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
with: | |
context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} | |
file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} | |
platforms: ${{ steps.platform.outputs.list }} | |
push: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
provenance: mode=max | |
sbom: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} | |
labels: | | |
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} | |
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} | |
- name: Sign the images with GitHub OIDC Token | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
env: | |
DIGEST: ${{ steps.docker_build.outputs.digest }} | |
TAGS: ${{ steps.meta.outputs.tags }} | |
run: | | |
images="" | |
for tag in ${TAGS}; do | |
images+="${tag}@${DIGEST} " | |
done | |
echo "::group::Images to sign" | |
echo "$images" | |
echo "::endgroup::" | |
echo "::group::Signing" | |
echo "cosign sign --yes $images" | |
cosign sign --yes ${images} | |
echo "::endgroup::" | |
- name: Attest images | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
id: attest | |
uses: actions/attest-build-provenance@v2 | |
with: | |
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }} | |
subject-digest: ${{ steps.docker_build.outputs.digest }} | |
push-to-registry: true | |
- name: Image metadata | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
env: | |
METADATA: ${{ steps.docker_build.outputs.metadata }} | |
run: | | |
echo "::group::Image metadata" | |
echo "${METADATA}" | |
echo "::endgroup::" |