Mouws/protonmail-bridge-nextcoud-podman
1
0
Fork 1
mirror of https://github.com/shenxn/protonmail-bridge-docker.git synced 2026-03-26 21:35:58 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
8c485e4b65
protonmail-bridge-nextcoud-.../.github/workflows/build.yaml
Dan C Williams 8c485e4b65 Fix CI gate for path-filtered workflows 
Remove paths: filters from pull_request triggers and add dorny/paths-filter
change detection jobs so workflows always trigger on PRs but conditionally
skip the heavy jobs. Add ci-required gate jobs that only fail on
failure/cancellation — skipped jobs report as success, unblocking PRs that
don't touch build-relevant files (e.g. PR #16).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 15:24:38 -06:00

248 lines
7.4 KiB
YAML
Raw Blame History

name: build from source
on:
push:
paths:
- .github/workflows/build.yaml
- build/*
- VERSION
pull_request:
workflow_dispatch:
env:
DOCKERHUB_REPO: dancwilliams/protonmail-bridge
GHCR_REPO: ghcr.io/dancwilliams/protonmail-bridge-docker
DOCKER_REPO_DEV: ghcr.io/dancwilliams/protonmail-bridge
PLATFORMS: linux/amd64,linux/arm64/v8,linux/riscv64
jobs:
changes:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
outputs:
build: ${{ steps.filter.outputs.build }}
steps:
- uses: actions/checkout@v6
- uses: dorny/paths-filter@v3
id: filter
with:
filters: |
build:
- '.github/workflows/build.yaml'
- 'build/**'
- 'VERSION'
test:
needs: changes
runs-on: ubuntu-latest
timeout-minutes: 30
if: github.event_name == 'pull_request' && needs.changes.outputs.build == 'true'
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Set version
run: echo "version=$(cat VERSION)" >> $GITHUB_ENV
- name: Sanitize ref for Docker tag
run: echo "SAFE_TAG=$(echo "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" | tr '/' '-')" >> $GITHUB_ENV
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.DOCKER_REPO_DEV }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push
id: build
uses: docker/build-push-action@v6
with:
labels: ${{ steps.meta.outputs.labels }}
context: ./build
file: ./build/Dockerfile
tags: "${{ env.DOCKER_REPO_DEV }}:dev-${{ env.SAFE_TAG }}"
push: true
build-args: |
version=${{ env.version }}
- name: Run Trivy vulnerability scan
uses: aquasecurity/trivy-action@0.34.1
with:
image-ref: "${{ env.DOCKER_REPO_DEV }}:dev-${{ env.SAFE_TAG }}"
format: 'sarif'
exit-code: 0
severity: 'CRITICAL,HIGH'
output: 'trivy-results.sarif'
- name: Upload Trivy scan SARIF report
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
build:
runs-on: ${{ matrix.runner }}
timeout-minutes: 90
if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/master'
strategy:
fail-fast: false
matrix:
include:
- platform: linux/amd64
runner: ubuntu-latest
- platform: linux/arm64/v8
runner: ubuntu-24.04-arm # native arm64 runner, no QEMU needed
- platform: linux/riscv64
runner: ubuntu-latest # QEMU required; CGO compilation is slow
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Prepare
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
# debian:bookworm-slim has no riscv64 image; fall back to sid-slim for that platform
if [ "$platform" = "linux/riscv64" ]; then
echo "RUNTIME_IMAGE=debian:sid-slim@sha256:30128782ec2a5b0595723b21ee6be29adc2959a97fbff2b7cf5f582d28a5464b" >> $GITHUB_ENV
else
echo "RUNTIME_IMAGE=debian:bookworm-slim@sha256:74d56e3931e0d5a1dd51f8c8a2466d21de84a271cd3b5a733b803aa91abf4421" >> $GITHUB_ENV
fi
- name: Set version
run: echo "version=$(cat VERSION)" >> $GITHUB_ENV
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push by digest
id: build
uses: docker/build-push-action@v6
with:
platforms: ${{ matrix.platform }}
outputs: type=image,name=${{ env.DOCKERHUB_REPO }},push-by-digest=true,name-canonical=true,push=true
context: ./build
file: ./build/Dockerfile
provenance: false
sbom: false
build-args: |
version=${{ env.version }}
RUNTIME_IMAGE=${{ env.RUNTIME_IMAGE }}
- name: Export digest
run: |
mkdir -p ${{ runner.temp }}/digests
digest="${{ steps.build.outputs.digest }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@v7
with:
name: digests-${{ env.PLATFORM_PAIR }}
path: ${{ runner.temp }}/digests/*
if-no-files-found: error
retention-days: 1
merge:
runs-on: ubuntu-latest
needs:
- build
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Download digests
uses: actions/download-artifact@v8
with:
path: ${{ runner.temp }}/digests
pattern: digests-*
merge-multiple: true
- name: Set version
run: echo "version=$(cat VERSION)" >> $GITHUB_ENV
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.DOCKERHUB_REPO }}
${{ env.GHCR_REPO }}
tags: |
type=raw,value=${{ env.version }}
type=raw,value=latest
- name: Create manifest list and push
working-directory: ${{ runner.temp }}/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.DOCKERHUB_REPO }}@sha256:%s ' *)
- name: Run Trivy vulnerability scan
uses: aquasecurity/trivy-action@0.34.1
with:
image-ref: "${{ env.DOCKERHUB_REPO }}:${{ env.version }}"
format: 'sarif'
exit-code: 0
severity: 'CRITICAL,HIGH'
output: 'trivy-results.sarif'
- name: Upload Trivy scan SARIF report
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.DOCKERHUB_REPO }}:${{ env.version }}
docker buildx imagetools inspect ${{ env.GHCR_REPO }}:${{ env.version }}
ci-required:
if: ${{ failure() || cancelled() }}
needs: [changes, test]
runs-on: ubuntu-latest
steps:
- run: exit 1
Reference in New Issue View Git Blame Copy Permalink