Bump docker/build-push-action from 5 to 6 #79
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: DevOps | |
| on: | |
| [push, pull_request] | |
| env: | |
| pythonLastVersion: '3.12' | |
| GHCR_REGISTRY: ghcr.io | |
| IMAGE_NAME: llaumgui/seedboxsync | |
| jobs: | |
| ############################################################################## | |
| # Test python application | |
| # | |
| test_python: | |
| runs-on: ubuntu-latest | |
| name: Test Python | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| python-version: ['3.8', '3.9', '3.10', '3.11', '3.12'] | |
| steps: | |
| - name: Git checkout | |
| uses: actions/checkout@v4 | |
| - name: Install Dependencies | |
| run: pip install -r requirements-dev.txt | |
| - name: Make all tests with make | |
| run: | | |
| make comply | |
| python -m pytest -v --cov=seedboxsync --cov-report=term --cov-report=xml --capture=sys tests/ | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: coverage-${{ matrix.python-version }} | |
| path: coverage.xml | |
| ############################################################################## | |
| # Markdownlint | |
| # | |
| test_markdownlint: | |
| runs-on: ubuntu-latest | |
| name: MarkdownLint | |
| steps: | |
| - name: Git checkout | |
| uses: actions/checkout@v4 | |
| - name: markdownlint-cli | |
| uses: nosborn/[email protected] | |
| with: | |
| files: "*.md docs/*.md" | |
| config_file: ".markdownlint.yaml" | |
| ############################################################################## | |
| # Dockerfile tests | |
| # | |
| test_dockerfiles: | |
| if: ${{ github.event.schedule == '' }} | |
| runs-on: ubuntu-latest | |
| name: Linters for Dockerfile | |
| steps: | |
| - name: Git checkout | |
| uses: actions/checkout@v4 | |
| - name: hadolint | |
| uses: hadolint/[email protected] | |
| with: | |
| recursive: true | |
| ############################################################################## | |
| # SonarCloud job | |
| # | |
| test_sonar: | |
| if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }} | |
| needs: [ | |
| test_python, | |
| test_markdownlint, | |
| test_dockerfiles | |
| ] | |
| runs-on: ubuntu-latest | |
| name: SonarCloud analyse | |
| steps: | |
| - name: Git checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
| # https://docs.sonarsource.com/sonarqube/latest/project-administration/analysis-scope/#sonarqube-respects-ignored-files | |
| - name: Remove .gitignore because SonarQube respects ignored files | |
| run: rm .gitignore | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: coverage-${{ env.pythonLastVersion }} | |
| - name: Display structure of downloaded files | |
| run: | | |
| pwd | |
| ls -R | |
| cat coverage.xml | |
| - name: SonarCloud Scan | |
| uses: sonarsource/sonarcloud-github-action@master | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| with: | |
| args: > | |
| -Dsonar.verbose=true | |
| ############################################################################## | |
| # Package job | |
| # | |
| package: | |
| needs: [ | |
| test_sonar | |
| ] | |
| runs-on: ubuntu-latest | |
| name: Build package | |
| steps: | |
| - name: Git checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up Python ${{ env.pythonLastVersion }} | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.pythonLastVersion }} | |
| cache: 'pip' | |
| - name: Install Dependencies | |
| run: pip install -r requirements-dev.txt | |
| - name: Package | |
| run: make dist | |
| - name: Archive package | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: seedboxsync-${{ github.sha }}.tar.gz | |
| path: dist/*.tar.gz | |
| ############################################################################## | |
| # Build and tests Docker image | |
| # | |
| test_docker: | |
| needs: [ | |
| test_sonar | |
| ] | |
| runs-on: ubuntu-latest | |
| name: Build and test docker images | |
| steps: | |
| - name: Git checkout | |
| uses: actions/checkout@v4 | |
| # Extract metadata (tags, labels) for Docker | |
| # https:/docker/metadata-action | |
| - name: Extract Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | |
| ${{ env.IMAGE_NAME }} | |
| # Build and push Docker image with Buildx (don't push on PR) | |
| # https:/docker/build-push-action | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| tags: | | |
| ${{ env.IMAGE_NAME }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=registry,ref=${{ env.IMAGE_NAME }} | |
| cache-to: type=inline | |
| # Test with Trivy | |
| # https:/aquasecurity/trivy-action | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ env.IMAGE_NAME }} | |
| format: 'template' | |
| template: '@/contrib/sarif.tpl' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| ############################################################################## | |
| # Build and deploy job (only on main) | |
| # | |
| docker_build_deploy: | |
| if: ${{ github.event_name != 'pull_request' && ( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') ) }} | |
| needs: [ | |
| test_docker | |
| ] | |
| runs-on: ubuntu-latest | |
| name: Build and deploy docker images | |
| steps: | |
| - name: Git checkout | |
| uses: actions/checkout@v4 | |
| # Login against 2 Docker registries except on PR | |
| # https:/docker/login-action | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Log into registry ${{ env.GHCR_REGISTRY }} | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.GHCR_REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # Extract metadata (tags, labels) for Docker | |
| # https:/docker/metadata-action | |
| - name: Extract Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ${{ env.IMAGE_NAME }} | |
| ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }} | |
| # Build and push Docker image with Buildx (don't push on PR) | |
| # https:/docker/build-push-action | |
| - name: Build and push Docker image | |
| if: ${{ github.ref == 'refs/heads/main' }} | |
| uses: docker/build-push-action@v6 | |
| with: | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: | | |
| ${{ env.IMAGE_NAME }}:main | |
| ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:main | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:main | |
| cache-to: type=inline | |
| - name: Set env | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
| run: echo "RELEASE_VERSION=${GITHUB_REF:11}" >> $GITHUB_ENV | |
| - name: Build and push Docker image | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
| uses: docker/build-push-action@v6 | |
| with: | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: | | |
| ${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }} | |
| ${{ env.IMAGE_NAME }}:latest | |
| ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }} | |
| ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:latest | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:latest | |
| cache-to: type=inline | |
| ############################################################################## | |
| # Release job | |
| # | |
| release: | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
| needs: [ | |
| package, | |
| ] | |
| runs-on: ubuntu-latest | |
| name: Release on GitHub and PyPi | |
| steps: | |
| - name: Git checkout | |
| uses: actions/checkout@v4 | |
| - name: Set env | |
| run: echo "RELEASE_VERSION=${GITHUB_REF:11}" >> $GITHUB_ENV | |
| - name: Set up Python ${{ env.pythonLastVersion }} | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.pythonLastVersion }} | |
| cache: 'pip' | |
| - name: Install Dependencies | |
| run: pip install -r requirements-dev.txt | |
| - name: Package | |
| run: make dist | |
| - name: Create GitHub release | |
| id: create_release | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ github.ref }} | |
| release_name: Release ${{ github.ref }} | |
| body: | | |
| Changes in this Release | |
| - First Change | |
| - Second Change | |
| draft: true | |
| prerelease: false | |
| - name: Upload asset in GitHub release | |
| id: upload-release-asset | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
| asset_path: dist/seedboxsync-${{ env.RELEASE_VERSION }}.tar.gz | |
| asset_name: seedboxsync-${{ env.RELEASE_VERSION }}.tar.gz | |
| asset_content_type: application/tar+gzip | |
| - name: Publish package | |
| uses: pypa/gh-action-pypi-publish@master | |
| with: | |
| user: __token__ | |
| password: ${{ secrets.PYPI_PASSWORD }} |