Fix protoc install vulnerability #877
name: kuksa_val_docker | |
on: | |
push: | |
branches: [ master ] | |
pull_request: | |
branches: [ master ] | |
paths-ignore: | |
- ".github/workflows/kuksa_databroker_build.yml" | |
- "kuksa_databroker/**" | |
- "kuksa_go_client/**" | |
- "kuksa_client/**" | |
- "Cargo.*" | |
- "Cross.toml" | |
workflow_dispatch: | |
jobs: | |
checkrights: | |
uses: ./.github/workflows/check_push_rights.yml | |
secrets: inherit | |
build: | |
runs-on: [ self-hosted ] | |
needs: checkrights | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v4 | |
with: | |
# list of Docker images to use as base name for tags | |
images: | | |
ghcr.io/eclipse/kuksa.val/kuksa-val | |
# generate Docker tags based on the following events/attributes | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=semver,pattern={{major}} | |
- name: Log in to the Container registry | |
if: needs.checkrights.outputs.have_secrets == 'true' | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
#push to ghcr if we have rights, AND thisis not a PR (current settings in Eclipse orga do not | |
#seem to allow us to ever delete pushed images, so try not to push PR images | |
- name: Build kuksa.val server container and push to ghcr.io | |
if: ${{ needs.checkrights.outputs.have_secrets == 'true' && github.event_name != 'pull_request' }} | |
uses: docker/build-push-action@v4 | |
with: | |
platforms: | | |
linux/amd64 | |
linux/arm64 | |
file: ./kuksa-val-server/docker/Dockerfile | |
context: . | |
push: true | |
tags: | | |
${{ steps.meta.outputs.tags }} | |
ttl.sh/kuksa.val/kuksa-server-${{github.sha}} | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Build ephemereal kuksa-val docker and push to ttl.sh | |
if: ${{ needs.checkrights.outputs.have_secrets == 'false' || github.event_name == 'pull_request' }} | |
uses: docker/build-push-action@v4 | |
with: | |
platforms: | | |
linux/amd64 | |
linux/arm64 | |
file: ./kuksa-val-server/docker/Dockerfile | |
context: . | |
push: true | |
tags: ttl.sh/kuksa.val/kuksa-server-${{github.sha}} | |
labels: ${{ steps.meta.outputs.labels }} |
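Review bot: The `build` job is declared with `runs-on: [ self-hosted ]` while the workflow triggers on `pull_request`, so the Docker build of pull-request content runs on a self-hosted machine; whether fork PRs reach it depends on the repository's approval settings and on what `check_push_rights.yml` gates, neither of which is visible on this page. If that runner is not ephemeral and isolated, consider building pull requests on a GitHub-hosted runner (`runs-on: ubuntu-latest`) or adding a comment above the job that documents the isolation it relies on. The workflow also has no `permissions:` block, so `GITHUB_TOKEN` gets the repository default; a job-level `permissions:` with `contents: read` and `packages: write` would scope it to what the ghcr.io push appears to need. Finally, the actions are referenced by mutable tags (`actions/checkout@v3`, `docker/login-action@v2`, `docker/build-push-action@v4`); pinning each to a full commit SHA would fix exactly what code runs alongside the registry credentials.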