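# Release workflow: gate on a secret scan, then build and publish a multi-arch
# image to ghcr.io and attach per-architecture image tarballs to the Release.
name: Release

on:
  release:
    types: [published]

# Workflow-wide token scope; both writes are required (release-asset upload
# and the ghcr.io push). Nothing else is granted.
permissions:
  contents: write  # upload release assets
  packages: write  # push to ghcr.io

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # ── 1. Checkout ──────────────────────────────────────────────────────
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # gitleaks needs full history
          # No later step pushes to git, so do not leave GITHUB_TOKEN in
          # .git/config: the Docker build context below is "." and, if the
          # Dockerfile copies the whole tree, a persisted token would
          # otherwise end up inside a published image layer.
          persist-credentials: false

      # ── 2. Secret scan (gate) ─────────────────────────────────────────
      - name: Secret scan
        # `shell: bash` runs the script with -eo pipefail, so a failed
        # download fails the step instead of being masked by tar's status.
        shell: bash
        # NOTE(review): the tarball is pinned by version but not integrity-
        # checked; compare its sha256sum against the digest published with
        # the gitleaks v8.24.0 release before extracting.
        run: |
          curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v8.24.0/gitleaks_8.24.0_linux_x64.tar.gz" \
            | tar -xz -C /usr/local/bin gitleaks
          gitleaks detect --source . --redact

      # ── 3. Docker setup ───────────────────────────────────────────────
      # NOTE(review): the third-party actions below are pinned to mutable
      # major tags; pinning each to a full commit SHA hardens the supply chain.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # ── 4. Login to ghcr.io ───────────────────────────────────────────
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # ── 5. Compute image tags ─────────────────────────────────────────
      # semver tag from the release; "latest" only for non-prerelease releases.
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=semver,pattern={{version}}
            type=raw,value=latest,enable=${{ github.event.release.prerelease == false }}

      # ── 6. Build & push multi-arch manifest to ghcr.io ───────────────
      - name: Build and push multi-arch image
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # ── 7. Export amd64 tar.gz ────────────────────────────────────────
      # Rebuilds from the GHA cache populated by step 6; nothing is pushed.
      - name: Export amd64 image
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64
          outputs: type=docker,dest=/tmp/visualizer-lite-amd64.tar
          tags: visualizer-lite:${{ github.event.release.tag_name }}
          push: false
          cache-from: type=gha
      - name: Compress amd64 image
        run: gzip /tmp/visualizer-lite-amd64.tar

      # ── 8. Export arm64 tar.gz ────────────────────────────────────────
      - name: Export arm64 image
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/arm64
          outputs: type=docker,dest=/tmp/visualizer-lite-arm64.tar
          tags: visualizer-lite:${{ github.event.release.tag_name }}
          push: false
          cache-from: type=gha
      - name: Compress arm64 image
        run: gzip /tmp/visualizer-lite-arm64.tar

      # ── 9. Attach assets to GitHub Release ───────────────────────────
      - name: Upload release assets
        uses: softprops/action-gh-release@v2
        with:
          files: |
            /tmp/visualizer-lite-amd64.tar.gz
            /tmp/visualizer-lite-arm64.tar.gz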