Merge branch 'master' into dependabot/maven/org.openrewrite.recipe-re… #1674
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and publish Docker images | |
on: | |
push: | |
branches: [ "**" ] | |
paths-ignore: | |
- "Website/**" | |
- "*.md" | |
pull_request_target: | |
paths-ignore: | |
- "Website/**" | |
- "*.md" | |
workflow_dispatch: | |
env: | |
REGISTRY: ghcr.io | |
jobs: | |
build: | |
runs-on: "ubuntu-latest" | |
if: github.repository == 'SaptarshiSarkar12/Drifty' | |
strategy: | |
matrix: | |
docker_context: [CLI, GUI] | |
image_name: [ drifty-cli, drifty-gui ] | |
exclude: | |
- docker_context: CLI | |
image_name: drifty-gui | |
- docker_context: GUI | |
image_name: drifty-cli | |
fail-fast: false | |
permissions: | |
contents: read | |
packages: write | |
security-events: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Get Drifty version | |
run: echo "VERSION=$(jq .version version.json | sed -r 's/"//g')" >> $GITHUB_ENV | |
- name: Split up Version into semantic parts | |
run: | | |
echo "VERSION_NUMBER=$(echo $VERSION | cut -d '-' -f1)" >> $GITHUB_ENV | |
if [[ $VERSION == *-* ]]; then | |
RELEASE_STAGE_SHORT=$(echo $VERSION | cut -d '-' -f2 | cut -d '.' -f1) | |
REVISION_NUMBER=$(echo $VERSION | cut -d '-' -f2 | cut -d '.' -f2) | |
else | |
RELEASE_STAGE_SHORT="Stable" | |
REVISION_NUMBER=0 | |
fi | |
echo "RELEASE_STAGE_SHORT=$RELEASE_STAGE_SHORT" >> $GITHUB_ENV | |
echo "REVISION_NUMBER=$REVISION_NUMBER" >> $GITHUB_ENV | |
if [[ $RELEASE_STAGE_SHORT == "alpha" ]]; then | |
echo "RELEASE_STAGE=Alpha" >> $GITHUB_ENV | |
elif [[ $RELEASE_STAGE_SHORT == "beta" ]]; then | |
echo "RELEASE_STAGE=Beta" >> $GITHUB_ENV | |
elif [[ $RELEASE_STAGE_SHORT == "rc" ]]; then | |
echo "RELEASE_STAGE=Release Candidate" >> $GITHUB_ENV | |
else | |
echo "RELEASE_STAGE=Stable" >> $GITHUB_ENV | |
fi | |
- name: Update system packages | |
if: matrix.docker_context == 'GUI' | |
run: sudo apt-get update | |
- name: Install build dependencies | |
if: matrix.docker_context == 'GUI' | |
run: | | |
sudo apt-get install libasound2-dev libavcodec-dev libavformat-dev libavutil-dev libfreetype6-dev | |
sudo apt-get install libgl-dev libglib2.0-dev libgtk-3-dev libpango1.0-dev libx11-dev libxtst-dev zlib1g-dev | |
- name: Update yt-dlp | |
if: ${{ github.event_name != 'pull_request_target' && github.repository == 'SaptarshiSarkar12/Drifty' && !contains(github.ref_name, 'dependabot') }} | |
run: | | |
chmod +x Core/src/main/resources/yt-dlp | |
Core/src/main/resources/yt-dlp -U | |
- name: Set up GraalVM JDK 21 | |
uses: graalvm/setup-graalvm@v1 | |
with: | |
java-version: '21' | |
distribution: 'graalvm' | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
set-java-home: true | |
cache: 'maven' | |
- name: Package Drifty CLI with GraalVM | |
if: matrix.docker_context == 'CLI' | |
run: mvn -P build-drifty-cli-for-ubuntu-latest package | |
- name: Set Up Maven version 3.8.8 # For GUI build issues, maven version 3.8.8 needs to be used | |
if: matrix.docker_context == 'GUI' | |
uses: stCarolas/setup-maven@v5 | |
with: | |
maven-version: 3.8.8 | |
- name: Build platform-specific C object for missing jdk libraries | |
if: matrix.docker_context == 'GUI' | |
run: gcc -c config/missing_symbols.c -o config/missing_symbols-ubuntu-latest.o | |
- name: Install dependency modules for GUI | |
if: matrix.docker_context == 'GUI' | |
run: mvn -U clean install | |
- name: Package Drifty GUI with GraalVM | |
if: matrix.docker_context == 'GUI' | |
run: mvn -P build-drifty-gui-for-ubuntu-latest gluonfx:build gluonfx:package -rf :GUI | |
- name: Categorise build artifacts for CLI | |
if: matrix.docker_context == 'CLI' | |
run: | | |
mkdir build | |
mkdir build/CLI | |
mv "CLI/target/CLI/linux/Drifty CLI" "CLI/target/CLI/linux/Drifty_CLI" | |
mv "CLI/target/CLI/linux/Drifty_CLI" -t build/CLI | |
- name: Categorise build artifacts for GUI | |
if: matrix.docker_context == 'GUI' | |
run: | | |
mkdir build | |
mkdir build/GUI | |
mv "GUI/target/gluonfx/x86_64-linux/Drifty GUI" "GUI/target/gluonfx/x86_64-linux/Drifty_GUI" | |
mv "GUI/target/gluonfx/x86_64-linux/Drifty_GUI" -t build/GUI | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
# Set up BuildKit Docker container builder to be able to build | |
# multi-platform images and export cache | |
# https://github.com/docker/setup-buildx-action | |
- name: Set up Docker Buildx | |
uses: docker/[email protected] | |
# Login to GitHub Container Registry | |
# https://github.com/docker/login-action | |
- name: Log into registry | |
uses: docker/[email protected] | |
if: github.event_name != 'pull_request_target' | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# Extract metadata (tags, labels) for Docker | |
# https://github.com/docker/metadata-action | |
- name: Extract Docker metadata | |
id: meta | |
uses: docker/[email protected] | |
with: | |
images: | | |
${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image_name }} | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
type=raw,value=alpha,enable=${{ env.RELEASE_STAGE == 'Alpha' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }} | |
type=raw,value=beta,enable=${{ env.RELEASE_STAGE == 'Beta' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }} | |
type=raw,value=rc,enable=${{ env.RELEASE_STAGE == 'Release Candidate' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }} | |
type=raw,value=latest,enable=${{ env.RELEASE_STAGE == 'Stable' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }} | |
type=raw,value=${{ env.VERSION }},enable=${{ github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }} | |
type=raw,value=${{ env.VERSION_NUMBER }}-${{ env.RELEASE_STAGE_SHORT }},enable=${{ env.RELEASE_STAGE != 'Stable' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }} | |
type=sha | |
flavor: | | |
latest=false | |
- name: Set Image Description prefix | |
run: | | |
if ${{ github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}; then | |
echo "IMAGE_DESCRIPTION_PREFIX=The ${{ env.RELEASE_STAGE }}" >> $GITHUB_ENV | |
elif ${{ github.event_name == 'push' && github.repository == 'SaptarshiSarkar12/Drifty' }}; then | |
echo "IMAGE_DESCRIPTION_PREFIX=The Branch Preview" >> $GITHUB_ENV | |
else | |
echo "IMAGE_DESCRIPTION_PREFIX=The" >> $GITHUB_ENV | |
fi | |
- name: Pull runtime os image # to patch vulnerabilities | |
run: docker pull oraclelinux:9-slim | |
- name: Build latest version of Copa # to support Oracle Linux yum packages | |
run: | | |
git clone https://github.com/project-copacetic/copacetic | |
cd copacetic | |
make | |
sudo mv dist/linux_amd64/release/copa /usr/local/bin/ | |
- name: Run Copa to patch vulnerabilities | |
continue-on-error: true # to handle cases where the image does not have vulnerabilities | |
uses: nick-fields/retry@v3 # Retry action to handle network issues | |
with: | |
timeout_minutes: 15 | |
max_attempts: 3 | |
retry_on: error | |
command: | | |
docker run --detach --rm --privileged --name buildkitd --entrypoint buildkitd moby/buildkit:latest | |
copa patch -i oraclelinux:9-slim -t 9-slim --addr docker-container://buildkitd --timeout 10m | |
retry_wait_seconds: '10' | |
on_retry_command: | | |
docker stop buildkitd | |
# Build and push Docker image with Buildx (don't push on PR and branches created by Dependabot) | |
# https://github.com/docker/build-push-action | |
- name: Build and push Docker image | |
id: build-and-push | |
uses: docker/[email protected] | |
with: | |
context: build/${{ matrix.docker_context }} | |
push: ${{ github.event_name != 'pull_request_target' && github.repository == 'SaptarshiSarkar12/Drifty' && !contains(github.ref_name, 'dependabot') }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
file: Docker/prod/${{ matrix.docker_context }}/Dockerfile | |
platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6 | |
outputs: "type=image,name=target,\ | |
annotation-index.org.opencontainers.image.source=https://github.com/SaptarshiSarkar12/Drifty,\ | |
annotation-index.org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION_PREFIX }} docker image for Drifty ${{ matrix.docker_context }},\ | |
annotation-index.org.opencontainers.image.licenses=Apache-2.0" | |
- name: Build same image with different name # cached build, so, will be faster, and it will be used for security scan | |
run: docker build -t ${{ matrix.image_name }} -f Docker/prod/${{ matrix.docker_context }}/Dockerfile build/${{ matrix.docker_context }} | |
- name: Run Trivy security scan | |
uses: aquasecurity/[email protected] | |
continue-on-error: true | |
with: | |
image-ref: ${{ matrix.image_name }} | |
format: 'sarif' | |
exit-code: 1 | |
vuln-type: os,library | |
ignore-unfixed: true | |
output: 'trivy-report.sarif' | |
hide-progress: false | |
scanners: vuln,secret,misconfig | |
- name: Upload Trivy security scan results | |
uses: github/codeql-action/upload-sarif@main | |
with: | |
sarif_file: trivy-report.sarif |