Merge branch 'master' into dependabot/maven/org.openrewrite.recipe-re… #1674


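# Builds the Drifty CLI and GUI with GraalVM, packages them into multi-arch
# Docker images, patches the runtime base image with Copa, scans the result
# with Trivy and publishes to GHCR from trusted refs only.
#
# Triggers (security-relevant):
#   push               every branch of this repo; the image is pushed unless
#                      the branch belongs to Dependabot.
#   pull_request       builds the PR head so reviewers get build feedback.
#                      Fork PRs receive a read-only GITHUB_TOKEN and no
#                      secrets, which is what makes executing untrusted PR
#                      code (mvn, gluonfx, the Dockerfile) acceptable here.
#                      Do not replace this with pull_request_target: that
#                      event hands the write-scoped token to attacker
#                      controlled build code and lets the run write Maven /
#                      BuildKit cache entries into the base-branch scope that
#                      later trusted runs restore.
#   workflow_dispatch  manual release run; only a dispatch on `master` may
#                      create the alpha/beta/rc/latest/<version> tags.
#
# Third-party actions are pinned to major/minor tags; pinning to full commit
# SHAs would close the remaining tag-move supply-chain window.
name: Build and publish Docker images
on:
  push:
    branches: [ "**" ]
    paths-ignore:
      - "Website/**"
      - "*.md"
  pull_request:
    paths-ignore:
      - "Website/**"
      - "*.md"
  workflow_dispatch:
env:
  REGISTRY: ghcr.io
jobs:
  build:
    runs-on: "ubuntu-latest"
    # Never run inside forks of the repository.
    if: github.repository == 'SaptarshiSarkar12/Drifty'
    strategy:
      matrix:
        docker_context: [CLI, GUI]
        image_name: [ drifty-cli, drifty-gui ]
        # Keep only the CLI/drifty-cli and GUI/drifty-gui pairs.
        exclude:
          - docker_context: CLI
            image_name: drifty-gui
          - docker_context: GUI
            image_name: drifty-cli
      fail-fast: false
    # Least privilege for the job token: packages:write pushes to GHCR,
    # security-events:write uploads the Trivy SARIF. GitHub downgrades the
    # token to read-only on fork PRs regardless of this list.
    permissions:
      contents: read
      packages: write
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Empty on push/workflow_dispatch, so checkout falls back to the
          # triggering ref.
          ref: ${{ github.event.pull_request.head.sha }}
          # No later step pushes with git; keep the token out of .git/config
          # where build plugins running from the checkout could read it.
          persist-credentials: false
      # version.json comes from the checked-out ref, i.e. from the PR author
      # on pull_request runs. The derived values only feed image tags and the
      # description label, and tagging/pushing is disabled for those runs.
      - name: Get Drifty version
        run: echo "VERSION=$(jq .version version.json | sed -r 's/"//g')" >> "$GITHUB_ENV"
      - name: Split up Version into semantic parts
        # "1.2.3-beta.4" -> VERSION_NUMBER=1.2.3, RELEASE_STAGE_SHORT=beta,
        # REVISION_NUMBER=4; a bare "1.2.3" is Stable / 0.
        run: |
          echo "VERSION_NUMBER=$(echo "$VERSION" | cut -d '-' -f1)" >> "$GITHUB_ENV"
          if [[ $VERSION == *-* ]]; then
            RELEASE_STAGE_SHORT=$(echo "$VERSION" | cut -d '-' -f2 | cut -d '.' -f1)
            REVISION_NUMBER=$(echo "$VERSION" | cut -d '-' -f2 | cut -d '.' -f2)
          else
            RELEASE_STAGE_SHORT="Stable"
            REVISION_NUMBER=0
          fi
          echo "RELEASE_STAGE_SHORT=$RELEASE_STAGE_SHORT" >> "$GITHUB_ENV"
          echo "REVISION_NUMBER=$REVISION_NUMBER" >> "$GITHUB_ENV"
          # Human-readable stage name used in tags and the image description.
          if [[ $RELEASE_STAGE_SHORT == "alpha" ]]; then
            echo "RELEASE_STAGE=Alpha" >> "$GITHUB_ENV"
          elif [[ $RELEASE_STAGE_SHORT == "beta" ]]; then
            echo "RELEASE_STAGE=Beta" >> "$GITHUB_ENV"
          elif [[ $RELEASE_STAGE_SHORT == "rc" ]]; then
            echo "RELEASE_STAGE=Release Candidate" >> "$GITHUB_ENV"
          else
            echo "RELEASE_STAGE=Stable" >> "$GITHUB_ENV"
          fi
      - name: Update system packages
        if: matrix.docker_context == 'GUI'
        run: sudo apt-get update
      - name: Install build dependencies
        if: matrix.docker_context == 'GUI'
        # -y: the runner has no TTY to answer apt's confirmation prompt.
        run: |
          sudo apt-get install -y libasound2-dev libavcodec-dev libavformat-dev libavutil-dev libfreetype6-dev
          sudo apt-get install -y libgl-dev libglib2.0-dev libgtk-3-dev libpango1.0-dev libx11-dev libxtst-dev zlib1g-dev
      - name: Update yt-dlp
        # Self-update downloads a new binary at build time and bakes it into
        # the image; this workflow itself verifies nothing about it, so it is
        # skipped on PR and Dependabot runs, which never push an image.
        if: ${{ github.event_name != 'pull_request' && github.repository == 'SaptarshiSarkar12/Drifty' && !contains(github.ref_name, 'dependabot') }}
        run: |
          chmod +x Core/src/main/resources/yt-dlp
          Core/src/main/resources/yt-dlp -U
      - name: Set up GraalVM JDK 21
        uses: graalvm/setup-graalvm@v1
        with:
          java-version: '21'
          distribution: 'graalvm'
          # Only used by the action for GitHub API access (download rate limits).
          github-token: ${{ secrets.GITHUB_TOKEN }}
          set-java-home: true
          cache: 'maven'
      - name: Package Drifty CLI with GraalVM
        if: matrix.docker_context == 'CLI'
        run: mvn -P build-drifty-cli-for-ubuntu-latest package
      - name: Set Up Maven version 3.8.8 # For GUI build issues, maven version 3.8.8 needs to be used
        if: matrix.docker_context == 'GUI'
        uses: stCarolas/setup-maven@v5
        with:
          maven-version: 3.8.8
      - name: Build platform-specific C object for missing jdk libraries
        if: matrix.docker_context == 'GUI'
        run: gcc -c config/missing_symbols.c -o config/missing_symbols-ubuntu-latest.o
      - name: Install dependency modules for GUI
        if: matrix.docker_context == 'GUI'
        run: mvn -U clean install
      - name: Package Drifty GUI with GraalVM
        if: matrix.docker_context == 'GUI'
        run: mvn -P build-drifty-gui-for-ubuntu-latest gluonfx:build gluonfx:package -rf :GUI
      # The build/<context> directories become the Docker build contexts; the
      # binaries are renamed to drop the space from their file names.
      - name: Categorise build artifacts for CLI
        if: matrix.docker_context == 'CLI'
        run: |
          mkdir -p build/CLI
          mv "CLI/target/CLI/linux/Drifty CLI" "CLI/target/CLI/linux/Drifty_CLI"
          mv "CLI/target/CLI/linux/Drifty_CLI" -t build/CLI
      - name: Categorise build artifacts for GUI
        if: matrix.docker_context == 'GUI'
        run: |
          mkdir -p build/GUI
          mv "GUI/target/gluonfx/x86_64-linux/Drifty GUI" "GUI/target/gluonfx/x86_64-linux/Drifty_GUI"
          mv "GUI/target/gluonfx/x86_64-linux/Drifty_GUI" -t build/GUI
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      # Set up BuildKit Docker container builder to be able to build
      # multi-platform images and export cache
      # https://github.com/docker/setup-buildx-action
      - name: Set up Docker Buildx
        uses: docker/[email protected]
      # Login to GitHub Container Registry
      # https://github.com/docker/login-action
      - name: Log into registry
        uses: docker/[email protected]
        # PR runs never push, so they never need registry credentials.
        if: github.event_name != 'pull_request'
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      # Release tags (alpha/beta/rc/latest/<version>) are only enabled for a
      # manual dispatch on master of the upstream repository; every other run
      # gets ref- and sha-based tags only.
      - name: Extract Docker metadata
        id: meta
        uses: docker/[email protected]
        with:
          images: |
            ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image_name }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=raw,value=alpha,enable=${{ env.RELEASE_STAGE == 'Alpha' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}
            type=raw,value=beta,enable=${{ env.RELEASE_STAGE == 'Beta' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}
            type=raw,value=rc,enable=${{ env.RELEASE_STAGE == 'Release Candidate' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}
            type=raw,value=latest,enable=${{ env.RELEASE_STAGE == 'Stable' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}
            type=raw,value=${{ env.VERSION }},enable=${{ github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}
            type=raw,value=${{ env.VERSION_NUMBER }}-${{ env.RELEASE_STAGE_SHORT }},enable=${{ env.RELEASE_STAGE != 'Stable' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}
            type=sha
          flavor: |
            latest=false
      - name: Set Image Description prefix
        # The expressions render to the literal strings true/false; compare
        # them instead of executing them as shell commands.
        run: |
          if [[ "${{ github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}" == "true" ]]; then
            echo "IMAGE_DESCRIPTION_PREFIX=The ${{ env.RELEASE_STAGE }}" >> "$GITHUB_ENV"
          elif [[ "${{ github.event_name == 'push' && github.repository == 'SaptarshiSarkar12/Drifty' }}" == "true" ]]; then
            echo "IMAGE_DESCRIPTION_PREFIX=The Branch Preview" >> "$GITHUB_ENV"
          else
            echo "IMAGE_DESCRIPTION_PREFIX=The" >> "$GITHUB_ENV"
          fi
      - name: Pull runtime os image # to patch vulnerabilities
        # NOTE(review): mutable tag; a digest pin would make the patch input
        # reproducible.
        run: docker pull oraclelinux:9-slim
      - name: Build latest version of Copa # to support Oracle Linux yum packages
        # NOTE(review): this builds the unpinned HEAD of a third-party repo and
        # installs it into PATH on the runner; pin a tag or commit once the
        # Oracle Linux support is in a release.
        run: |
          git clone https://github.com/project-copacetic/copacetic
          cd copacetic
          make
          sudo mv dist/linux_amd64/release/copa /usr/local/bin/
      - name: Run Copa to patch vulnerabilities
        continue-on-error: true # to handle cases where the image does not have vulnerabilities
        uses: nick-fields/retry@v3 # Retry action to handle network issues
        with:
          timeout_minutes: 15
          max_attempts: 3
          retry_on: error
          # buildkitd runs --privileged on the runner and moby/buildkit:latest
          # is unpinned. The patched image is retagged oraclelinux:9-slim in
          # the local daemon only. NOTE(review): the docker-container Buildx
          # builder used by the multi-platform push resolves base images from
          # the registry, so if the Dockerfile's FROM is oraclelinux:9-slim the
          # published image may not contain this patch — verify.
          command: |
            docker run --detach --rm --privileged --name buildkitd --entrypoint buildkitd moby/buildkit:latest
            copa patch -i oraclelinux:9-slim -t 9-slim --addr docker-container://buildkitd --timeout 10m
          retry_wait_seconds: '10'
          on_retry_command: |
            docker stop buildkitd
      # Build and push Docker image with Buildx. push is false on PR runs and
      # on Dependabot branches, so untrusted or bot-built images never reach
      # the registry.
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/[email protected]
        with:
          context: build/${{ matrix.docker_context }}
          push: ${{ github.event_name != 'pull_request' && github.repository == 'SaptarshiSarkar12/Drifty' && !contains(github.ref_name, 'dependabot') }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          file: Docker/prod/${{ matrix.docker_context }}/Dockerfile
          platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
          outputs: "type=image,name=target,\
            annotation-index.org.opencontainers.image.source=https://github.com/SaptarshiSarkar12/Drifty,\
            annotation-index.org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION_PREFIX }} docker image for Drifty ${{ matrix.docker_context }},\
            annotation-index.org.opencontainers.image.licenses=Apache-2.0"
      # Rebuild (from the warm cache) under a local name so Trivy has an image
      # in the daemon to scan; only the host-architecture variant is covered.
      - name: Build same image with different name
        run: docker build -t ${{ matrix.image_name }} -f Docker/prod/${{ matrix.docker_context }}/Dockerfile build/${{ matrix.docker_context }}
      - name: Run Trivy security scan
        uses: aquasecurity/[email protected]
        # NOTE(review): advisory only — continue-on-error swallows exit-code 1
        # and the multi-arch image was already pushed in the previous step, so
        # findings are reported but never block a publish.
        continue-on-error: true
        with:
          image-ref: ${{ matrix.image_name }}
          format: 'sarif'
          exit-code: 1
          vuln-type: os,library
          ignore-unfixed: true
          output: 'trivy-report.sarif'
          hide-progress: false
          scanners: vuln,secret,misconfig
      - name: Upload Trivy security scan results
        # Fork PRs cannot write security events with their read-only token;
        # skip the upload there instead of failing the job.
        if: github.event.pull_request.head.repo.fork != true
        # Pinned to a released major instead of the mutable `main` branch.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-report.sarif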