mirror of
https://github.com/shenxn/protonmail-bridge-docker.git
synced 2026-03-26 21:35:58 +00:00
f65449c585
Split build.yaml into separate workflows for clearer separation of concerns: - ci.yaml: PR builds push to staging tag (:pr-N), runs Trivy scan - deploy.yaml: on merge retags staging to :latest + :version, on direct push runs full pipeline - scheduled-update.yaml: daily cron checks for new upstream releases Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
80 lines
2.3 KiB
YAML
80 lines
2.3 KiB
YAML
name: Scheduled Update
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 6 * * *'
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
security-events: write
|
|
|
|
env:
|
|
IMAGE: ghcr.io/${{ github.repository_owner }}/protonmail-bridge
|
|
|
|
jobs:
|
|
check:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
version: ${{ steps.check.outputs.version }}
|
|
needed: ${{ steps.check.outputs.needed }}
|
|
steps:
|
|
- name: Compare upstream to registry
|
|
id: check
|
|
run: |
|
|
version=$(curl -s https://api.github.com/repos/ProtonMail/proton-bridge/releases/latest | jq -r '.tag_name')
|
|
echo "version=$version" >> $GITHUB_OUTPUT
|
|
|
|
token=$(curl -s "https://ghcr.io/token?scope=repository:${{ github.repository_owner }}/protonmail-bridge:pull" | jq -r '.token')
|
|
exists=$(curl -s -o /dev/null -w '%{http_code}' \
|
|
-H "Authorization: Bearer $token" \
|
|
"https://ghcr.io/v2/${{ github.repository_owner }}/protonmail-bridge/manifests/$version")
|
|
|
|
if [ "$exists" = "200" ]; then
|
|
echo "needed=false" >> $GITHUB_OUTPUT
|
|
echo "$version already exists in registry"
|
|
else
|
|
echo "needed=true" >> $GITHUB_OUTPUT
|
|
echo "New version $version — building"
|
|
fi
|
|
|
|
build:
|
|
needs: check
|
|
if: needs.check.outputs.needed == 'true'
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: docker/setup-buildx-action@v3
|
|
|
|
- uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Build and push
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: ./build
|
|
push: true
|
|
tags: |
|
|
${{ env.IMAGE }}:latest
|
|
${{ env.IMAGE }}:${{ needs.check.outputs.version }}
|
|
build-args: |
|
|
version=${{ needs.check.outputs.version }}
|
|
|
|
- name: Trivy scan
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: ${{ env.IMAGE }}:${{ needs.check.outputs.version }}
|
|
format: sarif
|
|
output: trivy-results.sarif
|
|
severity: CRITICAL,HIGH
|
|
|
|
- name: Upload Trivy results
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
if: always()
|
|
with:
|
|
sarif_file: trivy-results.sarif
|