Skip to content

Merge pull request #437 from matrix-org/kegan/device-data-table #319

Merge pull request #437 from matrix-org/kegan/device-data-table

Merge pull request #437 from matrix-org/kegan/device-data-table #319

Workflow file for this run

# Based on https://github.com/docker/build-push-action
name: "Docker"
on:
push:
branches: ["main"]
tags: ["v*"]
workflow_dispatch: # A build was manually requested
workflow_call: # Another pipeline called us
env:
GHCR_NAMESPACE: matrix-org
PLATFORMS: "linux/amd64,linux/arm64"
jobs:
slidingsync:
name: Sliding Sync image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write # To upload Trivy sarif files
id-token: write # needed for signing the images with GitHub OIDC Token
steps:
- name: Install Cosign
uses: sigstore/[email protected]
- name: Checkout
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to GitHub Containers
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build main sliding sync image
if: github.ref_name == 'main'
id: docker_build_sliding_sync
uses: docker/build-push-action@v4
with:
cache-from: type=gha
cache-to: type=gha,mode=max
context: .
platforms: ${{ env.PLATFORMS }}
push: true
tags: |
ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:main
- name: Build release Sliding Sync image
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
id: docker_build_sliding_sync_release
uses: docker/build-push-action@v4
with:
cache-from: type=gha
cache-to: type=gha,mode=max
context: .
platforms: ${{ env.PLATFORMS }}
push: true
tags: |
ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:latest
ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}
- name: Sign the images with GitHub OIDC Token
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
env:
DIGEST: ${{ steps.docker_build_sliding_sync_release.outputs.digest }}
TAGS: ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:main
format: "sarif"
output: "trivy-results.sarif"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"