From aac8004a5106b4f5e3f0667bef925a577f94c865 Mon Sep 17 00:00:00 2001
From: Trent Maetzold
Date: Wed, 11 Mar 2026 11:47:46 -0500
Subject: [PATCH] ci: update build workflow for GHCR, remove DockerHub

---
 .github/workflows/build.yaml | 68 +++++++++++-------------------------
 1 file changed, 20 insertions(+), 48 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index defc7de..e52af44 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -13,9 +13,7 @@ on:
 workflow_dispatch:
 
 env:
- GHCR_REPO: shenxn/protonmail-bridge-docker
- DOCKERHUB_REPO: shenxn/protonmail-bridge
- DOCKER_REPO_DEV: ghcr.io/shenxn/protonmail-bridge
+ GHCR_REPO: ghcr.io/trent-maetzold/protonmail-bridge
 PLATFORMS: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/riscv64
 
 jobs:
@@ -24,18 +22,16 @@ jobs:
 if: github.ref != 'refs/heads/master'
 steps:
 - name: Checkout
- uses: actions/checkout@master
+ uses: actions/checkout@v4
 
 - name: Set version
- id: version
- run: echo "version=`cat VERSION`" >> $GITHUB_ENV
+ run: echo "version=$(cat VERSION)" >> $GITHUB_ENV
 
 - name: Docker meta
 id: meta
 uses: docker/metadata-action@v5
 with:
- images: |
- ${{ env.DOCKER_REPO_DEV }}
+ images: ${{ env.GHCR_REPO }}
 
 - name: Login to GHCR
 uses: docker/login-action@v3
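Review bot: `uses: actions/checkout@v4` (like the other `uses:` lines in this job) pins to a mutable tag, so a moved or compromised tag changes what runs with the job's GHCR push credentials; the same applies to the checkout lines in `@@ -88` and `@@ -159`. Pinning to the full commit SHA with the version as a trailing comment, `uses: actions/checkout@<full-commit-sha> # v4`, makes the reference immutable while Dependabot can still follow the comment for upgrades. The `Set version` step also copies whatever VERSION contains straight into `$GITHUB_ENV`, so a stray second line in that file becomes an extra environment assignment for every later step; `run: echo "version=$(head -n1 VERSION | tr -d '[:space:]')" >> "$GITHUB_ENV"` is a cheap guard, and the same line recurs in `@@ -96` and `@@ -173`. The job's `permissions:` block and the workflow's trigger list are outside this hunk.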
@@ -49,22 +45,21 @@ jobs:
 with:
 driver-opts: network=host
 
- - name: Build and push by digest
- id: build
+ - name: Build and push
 uses: docker/build-push-action@v6
 with:
 labels: ${{ steps.meta.outputs.labels }}
- outputs: type=image,"name=${{ env.DOCKER_REPO_DEV }}",push-by-digest=false,name-canonical=true,push=true
 context: ./build
 file: ./build/Dockerfile
- tags: "${{ env.DOCKER_REPO_DEV }}:dev-${{ github.ref_name }}"
+ tags: "${{ env.GHCR_REPO }}:dev-${{ github.ref_name }}"
+ push: true
 build-args: |
 version=${{ env.version }}
 
 - name: Run Trivy vulnerability scan
 uses: aquasecurity/trivy-action@0.30.0
 with:
- image-ref: "${{ env.DOCKER_REPO_DEV }}:dev-${{ github.ref_name }}"
+ image-ref: "${{ env.GHCR_REPO }}:dev-${{ github.ref_name }}"
 format: 'sarif'
 exit-code: 0
 severity: 'CRITICAL,HIGH'
@@ -88,7 +83,7 @@ jobs:
 - linux/riscv64
 steps:
 - name: Checkout
- uses: actions/checkout@master
+ uses: actions/checkout@v4
 
 - name: Prepare
 run: |
@@ -96,22 +91,13 @@ jobs:
 echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
 
 - name: Set version
- id: version
- run: echo "version=`cat VERSION`" >> $GITHUB_ENV
+ run: echo "version=$(cat VERSION)" >> $GITHUB_ENV
 
 - name: Docker meta
 id: meta
 uses: docker/metadata-action@v5
 with:
- images: |
- ${{ env.DOCKERHUB_REPO }}
- ${{ env.GHCR_REPO }}
- - name: Login to Docker Hub
- uses: docker/login-action@v3
- with:
- username: ${{ secrets.REGISTRY_USERNAME }}
- password: ${{ secrets.REGISTRY_PASSWORD }}
+ images: ${{ env.GHCR_REPO }}
 
 - name: Login to GHCR
 uses: docker/login-action@v3
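Review bot: `tags: "${{ env.GHCR_REPO }}:dev-${{ github.ref_name }}"` interpolates the branch name verbatim, so a ref such as `feature/x` produces a tag containing `/`, which is not a valid image reference and makes the push fail; the same value feeds the `image-ref:` of the Trivy step below. The `meta` step already in this job (it sits in `@@ -24`, outside this hunk) exists to produce sanitized tags but only its labels are consumed; giving it `tags: type=ref,event=branch,prefix=dev-`, using `tags: ${{ steps.meta.outputs.tags }}` in the build step and `image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}` for Trivy keeps the `dev-` naming while letting metadata-action replace unsafe characters. Note also that the image is pushed (`push: true`) before the scan runs and `exit-code: 0` keeps the scan advisory, so a CRITICAL finding never blocks publication of the dev tag.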
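Review bot: With the `Login to Docker Hub` step removed here and in `@@ -173`, nothing in this workflow reads `secrets.REGISTRY_USERNAME` or `secrets.REGISTRY_PASSWORD` any more, but the commit cannot remove the secrets themselves; they should be deleted from the repository settings and the Docker Hub token revoked, otherwise a stale credential with push rights to the old registry lingers unused. The remaining `Login to GHCR` step ends the hunk and its credential is not visible; if it relies on `secrets.GITHUB_TOKEN`, this job and the `merge` job need `permissions: packages: write` now that GHCR is the only push target — the `permissions:` block, if any, is outside this hunk.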
@@ -132,14 +118,9 @@ jobs:
 with:
 platforms: ${{ matrix.platform }}
 labels: ${{ steps.meta.outputs.labels }}
- outputs: type=image,"name=name=${{ env.DOCKERHUB_REPO }},${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=false
+ outputs: type=image,"name=${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=true
 context: ./build
 file: ./build/Dockerfile
- tags: |
- "${{ env.DOCKERHUB_REPO }}:build"
- "${{ env.DOCKERHUB_REPO }}:${{ env.version }}-build"
- "${{ env.GHCR_REPO }}:build"
- "${{ env.GHCR_REPO }}:${{ env.version }}-build"
 provenance: false
 sbom: false
 build-args: |
@@ -159,12 +140,14 @@ jobs:
 if-no-files-found: error
 retention-days: 1
 
-
 merge:
 runs-on: ubuntu-latest
 needs:
 - build
 steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
 - name: Download digests
 uses: actions/download-artifact@v4
 with:
@@ -173,14 +156,7 @@ jobs:
 merge-multiple: true
 
 - name: Set version
- id: version
- run: echo "version=`cat VERSION`" >> $GITHUB_ENV
-
- - name: Login to Docker Hub
- uses: docker/login-action@v3
- with:
- username: ${{ secrets.REGISTRY_USERNAME }}
- password: ${{ secrets.REGISTRY_PASSWORD }}
+ run: echo "version=$(cat VERSION)" >> $GITHUB_ENV
 
 - name: Login to GHCR
 uses: docker/login-action@v3
@@ -198,29 +174,26 @@ jobs:
 id: meta
 uses: docker/metadata-action@v5
 with:
- images: |
- ${{ env.DOCKERHUB_REPO }}
- ${{ env.GHCR_REPO }}
+ images: ${{ env.GHCR_REPO }}
 tags: |
 type=raw,enable=true,value=${{ env.version }}-build
- type=raw,enable=true,suffix=,value=build
+ type=raw,enable=true,value=build
 
 - name: Create manifest list and push
 working-directory: ${{ runner.temp }}/digests
 run: |
- docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
- $(printf '${{ env.DOCKERHUB_REPO }}@sha256:%s ' *)
 docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
 $(printf '${{ env.GHCR_REPO }}@sha256:%s ' *)
 
 - name: Run Trivy vulnerability scan
 uses: aquasecurity/trivy-action@0.30.0
 with:
- image-ref: "${{ env.DOCKERHUB_REPO }}:${{ env.version }}-build"
+ image-ref: "${{ env.GHCR_REPO }}:${{ env.version }}-build"
 format: 'sarif'
 exit-code: 0
 severity: 'CRITICAL,HIGH'
 output: 'trivy-results.sarif'
+
 - name: Upload Trivy scan SARIF report
 uses: github/codeql-action/upload-sarif@v3
 with:
@@ -228,5 +201,4 @@ jobs:
 
 - name: Inspect image
 run: |
- docker buildx imagetools inspect ${{ env.DOCKERHUB_REPO }}:${{ steps.meta.outputs.version }}
 docker buildx imagetools inspect ${{ env.GHCR_REPO }}:${{ steps.meta.outputs.version }}
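Review bot: `image-ref: "${{ env.GHCR_REPO }}:${{ env.version }}-build"` scans the manifest list only after the preceding `imagetools create` has already pushed it, and with `exit-code: 0` (unchanged context) a CRITICAL finding is uploaded as SARIF but never fails the run, so this step cannot keep a vulnerable image from being published under the release tags. If the scan is meant to gate, run it in the per-platform `build` job against the pushed digest (the `@@ -132` hunk, before `merge` assembles the list) or set `exit-code: 1` here; if it is meant to stay advisory, a comment on the step such as `# advisory only: the manifest is already pushed at this point; findings appear in the Security tab` would make that intent explicit for the next maintainer. The `merge` job's header and its GHCR login step are outside this hunk.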