name: Docker on: push: branches: [ main, beta ] # Publish semver tags as releases. release: types: [published] env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} concurrency: group: ${{ github.ref }} cancel-in-progress: true jobs: docker: runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write strategy: matrix: flavor: [main, sandbox] steps: - name: Checkout repository uses: actions/checkout@v2 - name: "Populate frontend version information" run: "cd frontend && ./git.version.sh" - name: Set up depot.dev multi-arch runner uses: depot/setup-action@v1 # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' uses: docker/login-action@v2 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta uses: docker/metadata-action@v4 with: flavor: | # only latest if push has a tag and we're building the "main" flavor latest=${{ github.event_name == 'release' && matrix.flavor == 'main' && github.ref_type == 'tag' }} tags: | # if this is a tag'd build, prefix it with the flavor (eg. main-v1.2.3 and sandbox-v1.2.3) type=ref,event=tag,prefix=${{ matrix.flavor }}- # if this is a main branch build, just tag it with the flavor (eg. main and sandbox) type=raw,value=${{ matrix.flavor }},enable=${{ github.ref_name == 'main' }} # if this is a (non main) branch build, tag it with the flavor and branch name (eg. main-branch and sandbox-branch) type=ref,event=branch,prefix=${{ matrix.flavor }}-,enable=${{ github.ref_name != 'main' }} images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - name: Build and push Docker image uses: depot/build-push-action@v1 with: project: vhwr5r7tw1 platforms: linux/amd64,linux/arm64,linux/arm/v7 context: . file: Dockerfile push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} build-args: | FASTEN_ENV=${{ matrix.flavor == 'sandbox' && 'sandbox' || 'prod' }} # sbom: true # sbom-dir: ./sbom-output # - name: upload SBOM directory as a build artifact # uses: actions/upload-artifact@v3.1.0 # with: # path: ./sbom-output # name: 'SBOM' # # - name: upload spdx dependency # uses: advanced-security/spdx-dependency-submission-action@v0.0.1 # with: # filePath: ./sbom-output/