diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
new file mode 100644
index 00000000..dabdabd7
--- /dev/null
+++ b/.github/workflows/artifacts.yaml
@@ -0,0 +1,112 @@
+name: Artifacts
+
+on:
+ push:
+ branches:
+ - master
+ tags:
+ - v[0-9]+.[0-9]+.[0-9]+
+ pull_request:
+
+jobs:
+ container-images:
+ name: Container images
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ platform:
+ - linux/amd64
+ - linux/arm/v7
+ - linux/arm64
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Calculate container image details
+ id: details
+ env:
+ CONTAINER_IMAGES: "ghcr.io/dexidp/dex dexidp/dex"
+ run: |
+ case $GITHUB_REF in
+ refs/tags/*) VERSION=${GITHUB_REF#refs/tags/};;
+ refs/heads/*) VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g');;
+ refs/pull/*) VERSION=pr-${{ github.event.number }};;
+ *) VERSION=sha-${GITHUB_SHA::8};;
+ esac
+
+ TAGS=()
+ for image in $CONTAINER_IMAGES; do
+ TAGS+=("${image}:${VERSION}")
+
+ if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then
+ TAGS+=("${image}:latest")
+ fi
+ done
+
+ echo ::set-output name=version::${VERSION}
+ echo ::set-output name=tags::$(IFS=,; echo "${TAGS[*]}")
+ echo ::set-output name=commit_hash::${GITHUB_SHA::8}
+ echo ::set-output name=build_date::$(git show -s --format=%cI)
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+ with:
+ platforms: all
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ github.token }}
+ if: github.event_name == 'push'
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+ if: github.event_name == 'push'
+
+ - name: Build and push
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ platforms: ${{ matrix.platform }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ push: ${{ github.event_name == 'push' }}
+ tags: ${{ steps.details.outputs.tags }}
+ build-args: |
+ VERSION=${{ steps.details.outputs.version }}
+ COMMIT_HASH=${{ steps.details.outputs.commit_hash }}
+ BUILD_DATE=${{ steps.details.outputs.build_date }}
+ labels: |
+ org.opencontainers.image.title=${{ github.event.repository.name }}
+ org.opencontainers.image.description=${{ github.event.repository.description }}
+ org.opencontainers.image.url=${{ github.event.repository.html_url }}
+ org.opencontainers.image.source=${{ github.event.repository.clone_url }}
+ org.opencontainers.image.version=${{ steps.details.outputs.version }}
+ org.opencontainers.image.created=${{ steps.details.outputs.build_date }}
+ org.opencontainers.image.revision=${{ github.sha }}
+ org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}
+ org.opencontainers.image.documentation=https://dexidp.io/docs/
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.2.3
+ with:
+ image-ref: "ghcr.io/dexidp/dex:${{ steps.details.outputs.version }}"
+ format: "template"
+ template: "@/contrib/sarif.tpl"
+ output: "trivy-results.sarif"
+ if: github.event_name == 'push'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: "trivy-results.sarif"
+ if: github.event_name == 'push'
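Review bot: The `container-images` job declares no `permissions:` block, so the `github.token` handed to the ghcr.io login and to `upload-sarif` carries whatever default scope the repository grants GITHUB_TOKEN rather than the least it needs; add at job level `permissions: {contents: read, packages: write, security-events: write}` so the two write scopes this job actually uses are explicit and everything else is dropped. The `run` script also interpolates `${{ github.event.number }}` and `${{ github.event.repository.default_branch }}` straight into shell; both values are GitHub- or repo-owner-controlled here so the injection risk is low, but passing them through `env:` (`DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}` and then `"$DEFAULT_BRANCH"` in the comparison) is the pattern GitHub's hardening guidance recommends and keeps the script free of expression injection by construction. Separately, each of the three matrix jobs builds a single platform and pushes it to the same `${image}:${VERSION}` (and `latest`) tags, so as far as I can tell the platforms overwrite one another rather than producing a multi-arch manifest; either pass all three platforms to one `build-push-action` invocation or push per-platform digests and merge them in a follow-up step. Finally, every action is referenced by a floating tag (`@v3`, `@v1`, `@v2`, `@0.2.3`); pinning to full commit SHAs would protect this release pipeline, which holds Docker Hub credentials, from a retargeted or compromised tag.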