Update Images #204
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update Images | |
| on: | |
| push: | |
| branches: | |
| - master | |
| schedule: | |
| # At 12:00 on Tuesday. | |
| - cron: '0 12 * * 2' | |
| jobs: | |
| rebase_images: | |
| name: Update Images | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write # needed for signing the images with GitHub OIDC Token | |
| strategy: | |
| matrix: | |
| spa_server_major_version: [ "latest", "1" ] | |
| # "{0}" will be replaced by the latest pushed nginx version | |
| nginx: [ "mainline", "stable", "{0}" ] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Get latest nginx tag | |
| id: latest_nginx_tag | |
| uses: ./.github/actions/latest-docker-repository-version | |
| with: | |
| repository: "nginxinc/nginx-unprivileged" | |
| - name: Set target nginx tag | |
| id: target_nginx_tag | |
| run: | | |
| NGINX_VERSION="${{ format(matrix.nginx, steps.latest_nginx_tag.outputs.version) }}-alpine" | |
| echo "::set-output name=tag::${NGINX_VERSION}" | |
| echo "NGINX_VERSION=${NGINX_VERSION}" | |
| - name: Set target image name | |
| id: target_image_name | |
| run: | | |
| IMAGE_TAG="${{ matrix.spa_server_major_version }}-nginx-${{ steps.target_nginx_tag.outputs.tag }}" | |
| IMAGE_NAME="${{ vars.DOCKER_REPOSITORY }}:${IMAGE_TAG}" | |
| echo "::set-output name=image_name::${IMAGE_NAME}" | |
| echo "IMAGE_NAME=${IMAGE_NAME}" | |
| TAGS="${{ vars.DOCKER_REPOSITORY }}:${IMAGE_TAG}" | |
| if [ "latest" = "${{ matrix.spa_server_major_version }}" ] && [ "stable" = "${{ matrix.nginx }}" ]; then | |
| TAGS="${TAGS},${{ vars.DOCKER_REPOSITORY }}:${{ matrix.spa_server_major_version }},${{ vars.DOCKER_REPOSITORY }}:latest" | |
| fi | |
| echo "::set-output name=tags::${TAGS}" | |
| echo "TAGS=${TAGS}" | |
| - name: Check if update is necessary | |
| id: check_if_update_is_necessary | |
| uses: ./.github/actions/check-docker-image-needs-update | |
| with: | |
| base-image: "nginxinc/nginx-unprivileged:${{ steps.target_nginx_tag.outputs.tag }}" | |
| target-image: "${{ steps.target_image_name.outputs.image_name }}" | |
| - name: Find latest SPA-Server release for major version ${{ matrix.spa_server_major_version }} | |
| id: latest_release | |
| uses: PSanetra/git-semver-actions/latest@v1 | |
| with: | |
| major-version: ${{ matrix.spa_server_major_version }} | |
| if: steps.check_if_update_is_necessary.outputs.needs_update == 'true' | |
| - name: Fix https://github.com/actions/checkout/issues/164 on tag checkout | |
| run: sudo chmod -R ugo+rwX . | |
| if: steps.check_if_update_is_necessary.outputs.needs_update == 'true' | |
| - name: Checkout latest SPA-Server version for major version ${{ matrix.spa_server_major_version }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: "v${{ steps.latest_release.outputs.version }}" | |
| if: steps.check_if_update_is_necessary.outputs.needs_update == 'true' | |
| - run: "./.github/workflows/install-dependencies.sh" | |
| if: steps.check_if_update_is_necessary.outputs.needs_update == 'true' | |
| - uses: actions/setup-java@v1 | |
| with: | |
| java-version: '11' | |
| if: steps.check_if_update_is_necessary.outputs.needs_update == 'true' | |
| - run: "make test NGINX_TAG=\"${{ steps.target_nginx_tag.outputs.tag }}\"" | |
| if: steps.check_if_update_is_necessary.outputs.needs_update == 'true' | |
| - uses: docker/setup-qemu-action@v3 | |
| name: Set up QEMU | |
| - uses: docker/setup-buildx-action@v3 | |
| name: Set up Docker Buildx | |
| - uses: docker/login-action@v3 | |
| name: Login to Docker Hub | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - uses: docker/build-push-action@v6 | |
| name: Build and push | |
| id: build-and-push | |
| if: ${{ steps.check_if_update_is_necessary.outputs.needs_update == 'true' && steps.target_image_name.outputs.tags != '' }} | |
| with: | |
| context: . | |
| platforms: linux/arm/v7,linux/amd64,linux/arm64 | |
| push: true | |
| pull: true | |
| tags: ${{ steps.target_image_name.outputs.tags }} | |
| build-args: NGINX_TAG=${{ steps.target_nginx_tag.outputs.tag }} | |
| provenance: mode=max | |
| sbom: true | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Sign the images with GitHub OIDC Token | |
| if: ${{ steps.check_if_update_is_necessary.outputs.needs_update == 'true' && steps.target_image_name.outputs.tags != '' }} | |
| env: | |
| DIGEST: ${{ steps.build-and-push.outputs.digest }} | |
| TAGS: ${{ steps.target_image_name.outputs.tags }} | |
| run: | | |
| images="" | |
| for tag in ${TAGS//,/ }; do | |
| images+="${tag}@${DIGEST} " | |
| done | |
| echo '${{ secrets.DOCKER_PASSWORD }}' | cosign login ${{ vars.HELM_REGISTRY }} --username '${{ secrets.DOCKER_USERNAME }}' --password-stdin | |
| cosign sign --yes ${images} |