# git.auengun.net/homelab/image-renovate
# Copyright (C) 2024 GregoryDosh
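---
name: Build Image
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  pull_request:
# Variables used primarily for easier version handling w/ Renovate
# See `.renovaterc.json5` for more information on how that works.
env:
  # renovate: datasource=docker depName=ghcr.io/renovatebot/renovate versioning=docker
  RENOVATE_VERSION: 41.146.0-full@sha256:5b54426b25549be898dd3b7077236ecb0f9b2802339d139a7246a432cd3beafd
# Other parts of the homelab CI use a Makefile to run an
# ansible playbook. In this workflow we'll be building an
# OCI compatible image (think Docker/Podman/Colima) for use
# within the homelab. Adding SSL Certs to trust internal CA
# is one of the most common scenarios. See the `Dockerfile`
# for more info on this particular image.
jobs:
  build-image:
    name: Build Image
    # This image may look generic enough, but it's an image
    # that is continuously changing and managed specifically for
    # the homelab required alterations in the internal Forgejo repo.
    # See:
    # - https://git.auengun.net/homelab/image-forgejo-runner
    runs-on: ubuntu-act-latest
    steps:
      # There is probably a more convenient way of having
      # Renovate keep this updated in the `env` section above,
      # but this is easy enough. In a shell it will take
      # a value like `v1.2.3@sha256:abc...890` and set
      # `RENOVATE_TAG` as an env var for later steps to use
      # with a value like `v1.2.3` (without the digest).
      # `${VER%%@*}` drops the first `@` and everything after it
      # (a value with no digest passes through unchanged); quoting
      # the expansion avoids word splitting and globbing, and
      # printf writes exactly one `KEY=value` line.
      - name: Set RENOVATE_TAG environmental variable from RENOVATE_VERSION
        env:
          VER: ${{ env.RENOVATE_VERSION }}
        run: |
          printf 'RENOVATE_TAG=%s\n' "${VER%%@*}" >> "$GITHUB_ENV"
      # My own composite clone/workspace prep action. It will generally
      # do not much, but if the base image isn't prepared or is missing
      # something, this step will clone the repo, setup the Step CLI and
      # the SSH Agent with a short-lived SSH certificate (if configured).
      - name: Clone Repo into Workspace
        uses: https://git.auengun.net/homelab/action-common-setup@3e92f643023a84a6b2bdc495a271846c5e98c949 # 1.5.0
      # The OCI Image Registry I use is actually Forgejo's internal registry.
      # The registry prefix URL is `git.auengun.net`.
      # See:
      # - https://forgejo.org/docs/latest/user/packages/container/
      # - https://git.auengun.net/homelab/host-git
      # NOTE(review): this login also runs for `pull_request` builds, which
      # never push. If the Dockerfile does not pull from this registry, the
      # step can be gated with the same `if:` as "Push Image" so PR builds
      # never receive the registry token — confirm against the Dockerfile.
      - name: Login to OCI Image Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: git.auengun.net
          username: ${{ secrets.PACKAGES_USERNAME }}
          password: ${{ secrets.PACKAGES_TOKEN }}
      # Build only (push: false) and load into the local daemon so the
      # image can be inspected/scanned before anything is published.
      - name: Build OCI Image & Load for Testing
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          push: false
          load: true
          tags: |
            git.auengun.net/${{ github.repository }}:latest
            git.auengun.net/${{ github.repository }}:${{ github.sha }}
            git.auengun.net/${{ github.repository }}:${{ env.RENOVATE_TAG }}
          build-args: |
            RENOVATE_VERSION=${{ env.RENOVATE_VERSION }}
      # - name: Grype Vulnerability Scanning
      #   if: ${{ github.event_name == 'pull_request' && !cancelled() }}
      #   shell: bash
      #   run: |
      #     set +e
      #     grype \
      #       --fail-on critical \
      #       --platform linux/amd64 \
      #       git.auengun.net/${{ github.repository }}:${{ github.sha }} \
      #       -o table \
      #       2>&1 | tee grype.log
      #     RESULT="$?"
      #     set -e
      #     {
      #       echo "# Grype Output"
      #       echo ""
      #       echo "\`\`\`plaintext"
      #       cat grype.log
      #       echo "\`\`\`"
      #     } 2>&1 >> "${{github.workspace}}/.pr-comment.md"
      #     echo "Saved to '${{github.workspace}}/.pr-comment.md'"
      #     exit $RESULT
      # Publish only from the main branch and only if every earlier step
      # succeeded; the same tags and build args as the test build are used
      # so the pushed image is the one that was loaded above.
      - name: Push Image
        if: ${{ success() && github.ref == 'refs/heads/main' }}
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          push: true
          tags: |
            git.auengun.net/${{ github.repository }}:latest
            git.auengun.net/${{ github.repository }}:${{ github.sha }}
            git.auengun.net/${{ github.repository }}:${{ env.RENOVATE_TAG }}
          build-args: |
            RENOVATE_VERSION=${{ env.RENOVATE_VERSION }}
      # - name: Post/Update PR Comment
      #   if: ${{ github.event_name == 'pull_request' && !cancelled() }}
      #   continue-on-error: true
      #   uses: https://git.auengun.net/homelab/action-pr-comment@7ae22be5b182a8071309a936e1dd7bc4dd6ea1a4 # v1.1.2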