Release to GHCR #77
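# Release pipeline: cut a semantic-release, scan the tree with Trivy, then
# build and push the image to GHCR.
#
# NOTE(review): the hosting page flagged this file as containing "hidden or
# bidirectional Unicode text". The only non-ASCII visible in the rendered
# copy is the em dash in the skip message below; inspect the raw bytes
# (e.g. `grep -nP '[^\x00-\x7F]' .github/workflows/*.yml`) before trusting it.
name: Release to GHCR

on:
  workflow_dispatch:

# One release at a time: a second dispatch queues behind the running one
# instead of cancelling a run that may already have tagged or pushed.
concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false

# Least privilege: the workflow-level token is read-only; each job below
# requests only the write scopes it actually uses.
permissions:
  contents: read

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    permissions:
      contents: write # semantic-release creates the tag and the GitHub release
      # NOTE(review): `id-token: write` was granted workflow-wide with the
      # comment "needed to create an ephemeral cross-repo token", but no
      # visible step requests an OIDC token. It is kept on this job only;
      # confirm whether the semantic-release config needs it (or needs
      # `packages: write`, if it also publishes a package) and drop it if not.
      id-token: write
    # Expose semantic-release outputs so downstream jobs can gate on and read
    # the version.
    outputs:
      new-release-published: ${{ steps.release.outputs.new_release_published }}
      new-release-version: ${{ steps.release.outputs.new_release_version }}
    steps:
      - name: Checkout
        # NOTE(review): only trivy-action below is pinned to a commit SHA; the
        # other actions float on a major tag. For a release pipeline, pin all
        # of them to full SHAs so a moved tag cannot change what runs here.
        uses: actions/checkout@v4
        with:
          # semantic-release needs the full history to compute the next version
          fetch-depth: 0
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '22'
      - name: Install dependencies
        run: npm ci
      - name: Release
        id: release
        # The outputs read above are not produced by the semantic-release CLI
        # itself; this assumes a plugin in the project's release config writes
        # new_release_published / new_release_version to $GITHUB_OUTPUT. If
        # none does, the gates below are never true and no image is built.
        # TODO confirm against the semantic-release config.
        run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Report skipped release
        if: steps.release.outputs.new_release_published != 'true'
        run: echo "No releasable commits found — skipping Docker build"

  trivy-scan:
    name: Security - Trivy Scan
    needs: release
    if: ${{ needs.release.outputs.new-release-published == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '22'
      - name: Install dependencies
        run: npm ci
      # Scans the checked-out tree (lockfile plus installed node_modules). It
      # does NOT cover the base image or OS packages of the image built in the
      # next job; a `scan-type: image` scan of the built image before pushing
      # would close that gap. `ignore-unfixed: true` means CRITICAL/HIGH
      # findings without an upstream fix do not fail the job.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'table'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'
          ignore-unfixed: true
          scanners: 'vuln'

  build-and-push:
    name: Build and push image to GHCR
    needs: [release, trivy-scan]
    if: ${{ needs.release.outputs.new-release-published == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write # push to GHCR
    steps:
      - name: Checkout
        # Checks out github.sha, the commit the workflow was dispatched on. If
        # the release config commits back to the branch (e.g. a version bump),
        # this is the pre-release commit — verify VCS_REF matches the released
        # tag. TODO confirm against the semantic-release config.
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Capture build timestamp
        id: meta
        # github.event.repository.updated_at is when the repository was last
        # updated, not when this image was built; record the actual UTC build
        # time for the BUILD_DATE argument instead.
        run: echo "build-date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          # `latest` is moved to every published release unconditionally; if
          # the release config ever publishes prereleases or maintenance
          # lines, gate this tag on the release channel.
          tags: |
            ghcr.io/bitgo/advanced-wallets:${{ needs.release.outputs.new-release-version }}
            ghcr.io/bitgo/advanced-wallets:latest
          build-args: |
            BUILD_VERSION=${{ needs.release.outputs.new-release-version }}
            BUILD_DATE=${{ steps.meta.outputs.build-date }}
            VCS_REF=${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max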