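# Builds the multi-arch CleanCloud image when a GitHub release is published,
# pushes it to Docker Hub with provenance + SBOM attestations, and appends
# Docker usage notes to the release body.
#
# Every value that originates from the release event (tag name) or from a
# previous step is handed to scripts through `env:` rather than being spliced
# into the script text with `${{ }}`, so the text is never parsed as shell or
# JavaScript source.
name: Publish Docker Image

on:  # yamllint disable-line rule:truthy -- GitHub's loader reads `on` as a key
  release:
    types: [published]

jobs:
  docker:
    name: Build and Push Docker Image
    runs-on: ubuntu-latest
    # Docker Hub credentials are scoped to this environment, so they are only
    # available to this job and any protection rules on it apply.
    environment: dockerhub
    permissions:
      contents: write  # to update release notes
    steps:
      # NOTE(review): third-party actions are pinned to a major tag; pinning to
      # a full commit SHA is the stronger supply-chain control.
      - uses: actions/checkout@v4
        with:
          # Nothing later pushes to git, so do not leave the token in .git/config.
          persist-credentials: false

      - name: Extract version
        id: version
        env:
          TAG: ${{ github.event.release.tag_name }}
        run: |
          # Strip a leading "v" so the tag matches the PyPI version string.
          echo "CLEANCLOUD_VERSION=${TAG#v}" >> "$GITHUB_OUTPUT"

      - name: Wait for PyPI availability
        env:
          CLEANCLOUD_VERSION: ${{ steps.version.outputs.CLEANCLOUD_VERSION }}
        run: |
          # The Dockerfile installs from PyPI, so the build must not start
          # before the release has propagated (up to 20 x 30s, plus curl retries).
          echo "Waiting for cleancloud==${CLEANCLOUD_VERSION} to appear on PyPI..."
          for i in $(seq 1 20); do
            curl -sf --retry 3 --retry-delay 5 "https://pypi.org/pypi/cleancloud/${CLEANCLOUD_VERSION}/json" > /dev/null && echo "Found on PyPI" && exit 0
            echo "Not yet available (attempt $i/20), retrying in 30s..."
            sleep 30
          done
          echo "Timed out waiting for PyPI" && exit 1

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: getcleancloud/cleancloud
          # `{{version}}` here is metadata-action template syntax, not a
          # GitHub expression. `latest` is only moved for full releases.
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern=v{{version}}
            type=raw,value=latest,enable=${{ !github.event.release.prerelease }}
          labels: |
            org.opencontainers.image.description=Read-only cloud hygiene scanner for AWS, Azure, and GCP
            org.opencontainers.image.licenses=MIT

      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          build-args: |
            CLEANCLOUD_VERSION=${{ steps.version.outputs.CLEANCLOUD_VERSION }}
            CLEANCLOUD_EXTRAS=all
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          # Attach SLSA provenance and an SBOM so consumers can verify the image.
          provenance: true
          sbom: true

      - name: Log image digest
        env:
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
        run: echo "Image digest ${IMAGE_DIGEST}"

      - name: Update release notes with Docker info
        uses: actions/github-script@v7
        env:
          CLEANCLOUD_VERSION: ${{ steps.version.outputs.CLEANCLOUD_VERSION }}
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
        with:
          script: |
            // Read from the environment so a tag containing a quote cannot
            // break out of a string literal in the script source.
            const version = process.env.CLEANCLOUD_VERSION;
            const digest = process.env.IMAGE_DIGEST;
            const currentBody = context.payload.release.body || '';
            // Idempotent: skip if Docker section already present (workflow rerun guard)
            if (currentBody.includes('🐳 **Docker Image**')) {
              console.log('Docker section already present, skipping update.');
              return;
            }
            const safeBody = currentBody.endsWith('\n') ? currentBody : currentBody + '\n';
            const dockerInfo = `\n🐳 **Docker Image**\n\n\`\`\`bash\n# AWS\ndocker run --rm -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_REGION getcleancloud/cleancloud scan --provider aws --all-regions\n\n# Azure\ndocker run --rm -e AZURE_CLIENT_ID -e AZURE_TENANT_ID -e AZURE_SUBSCRIPTION_ID -e AZURE_FEDERATED_TOKEN_FILE -v "\${AZURE_FEDERATED_TOKEN_FILE}:\${AZURE_FEDERATED_TOKEN_FILE}:ro" getcleancloud/cleancloud scan --provider azure\n\n# GCP (WIF or service account key)\ndocker run --rm -e GOOGLE_APPLICATION_CREDENTIALS=/gcp-creds.json -v "\${GOOGLE_APPLICATION_CREDENTIALS}:/gcp-creds.json:ro" getcleancloud/cleancloud scan --provider gcp --all-projects\n\`\`\`\n\n📦 Pull: \`docker pull getcleancloud/cleancloud:${version}\`\n🔗 Docker Hub: https://hub.docker.com/r/getcleancloud/cleancloud\n🔏 Digest: \`${digest}\``;
            await github.rest.repos.updateRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              release_id: context.payload.release.id,
              body: safeBody + dockerInfo
            });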