Updated GitHub Actions Trigger Rules #56
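---
# nwm-verf CI/CD pipeline.
#
# Flow: setup (derive image name and a safe tag) -> build (push one
# candidate image to GHCR) -> container_scanning (Trivy on that candidate)
# -> deploy (retag candidate as :latest when development is updated) or
# release (retag candidate with the release tag on a published release).
# Every downstream job refers to the same candidate tag computed in
# `setup`, so the image that is scanned is the image that is promoted.
name: nwm-verf CI/CD Pipeline

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, nwm-main, development, release-candidate]
  pull_request:
    branches: [main, nwm-main, development, release-candidate]
  release:
    types: [published]

# Least-privilege GITHUB_TOKEN: packages:write is needed to push to GHCR,
# security-events:write to upload the Trivy SARIF to code scanning.
# NOTE(review): on pull_request events from forks GITHUB_TOKEN is read-only,
# so the GHCR login/push in `build` would fail there — confirm whether fork
# PRs are expected to reach this workflow.
permissions:
  contents: read
  packages: write
  security-events: write

env:
  REGISTRY: "ghcr.io"
  # NOTE(review): DOCKER_IMAGE_NAME / DOCKER_IMAGE_TAG are not referenced
  # below; the image name is derived from GITHUB_REPOSITORY in `setup`.
  DOCKER_IMAGE_NAME: "ngwpc/nwm-verf"
  DOCKER_IMAGE_TAG: ${{ github.ref_name }}

jobs:
  setup:
    runs-on: ubuntu-latest
    outputs:
      # Lower-cased "<registry>/<owner>/<repo>".
      image_base: ${{ steps.vars.outputs.image_base }}
      # Sanitised release tag / PR number / branch name (see step below).
      tag: ${{ steps.vars.outputs.tag }}
      # Full tag of the candidate image that `build` pushes and every later
      # job pulls: "<tag>-build" on release events, "<tag>-test" otherwise.
      candidate: ${{ steps.vars.outputs.candidate }}
    steps:
      - name: Compute image base and safe tag
        id: vars
        shell: bash
        env:
          # Raw identifier is handed to the script through the environment,
          # never interpolated into the script text, so it is not shell-parsed.
          RAW_TAG_INPUT: >-
            ${{ github.event_name == 'release'
            && github.event.release.tag_name
            || (github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number))
            || github.ref_name }}
          IS_RELEASE: ${{ github.event_name == 'release' }}
        run: |
          set -euo pipefail
          # GHCR namespaces must be lower-case.
          ORG="$(echo "${GITHUB_REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')"
          REPO="$(basename "${GITHUB_REPOSITORY}")"
          IMAGE_BASE="${REGISTRY}/${ORG}/${REPO}"
          # Reduce the raw identifier to a valid Docker tag: lower-case, only
          # [A-Za-z0-9._-], at most 128 characters. The echo newline becomes a
          # trailing '-' in tr, which the next line strips.
          SAFE_TAG="$(echo "${RAW_TAG_INPUT}" \
            | tr '[:upper:]' '[:lower:]' \
            | tr -c '[:alnum:]._-' '-' \
            | cut -c1-128)"
          SAFE_TAG="${SAFE_TAG%-}"
          [ -n "$SAFE_TAG" ] || SAFE_TAG="build"
          if [ "${IS_RELEASE}" = "true" ]; then
            CANDIDATE="${SAFE_TAG}-build"
          else
            CANDIDATE="${SAFE_TAG}-test"
          fi
          echo "image_base=${IMAGE_BASE}" >> "$GITHUB_OUTPUT"
          echo "tag=${SAFE_TAG}" >> "$GITHUB_OUTPUT"
          echo "candidate=${CANDIDATE}" >> "$GITHUB_OUTPUT"

  build:
    name: build
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - uses: actions/checkout@v4
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Buildx
        uses: docker/setup-buildx-action@v3
      # Release builds bake the release tag into the image via a build arg.
      - name: Build Docker image with tag (release)
        if: github.event_name == 'release' && github.event.action == 'published'
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.candidate }}
          build-args: |
            NWM_EVAL_MGR_TAG=${{ github.event.release.tag_name }}
      - name: Build Docker image with tag (branch push/PR)
        if: github.event_name == 'push' || github.event_name == 'pull_request'
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.candidate }}

  container_scanning:
    name: container_scanning
    needs: [setup, build]
    runs-on: ubuntu-latest
    steps:
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Pull image to scan
        env:
          IMAGE: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.candidate }}
        run: docker pull "${IMAGE}"
      - name: Container Scanning
        # TODO(security): pin to a release tag or full commit SHA; a floating
        # branch ref lets upstream changes run in this job unreviewed.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.candidate }}
          format: sarif
          output: trivy-results.sarif
          severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
          # exit-code is left at its default, so findings are reported but do
          # not fail the pipeline; set `exit-code: '1'` (with a narrower
          # severity list) to enforce them.
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
      # Keep the report for every run; the code-scanning upload below is
      # conditional, and the SARIF is otherwise lost with the runner.
      - name: Archive Trivy scan results
        uses: actions/upload-artifact@v4
        with:
          name: trivy-results
          path: trivy-results.sarif
      - name: Upload Trivy scan results
        # NOTE(review): confirm `github.repository_visibility` is populated in
        # this context; if it is not, this step never runs.
        if: github.repository_visibility == 'public'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

  deploy:
    name: deploy
    # A merged PR into development reaches this workflow as a push to the
    # development branch. The former condition (pull_request with
    # `merged == true`) could never hold: the pull_request trigger above uses
    # the default activity types, which do not include `closed`.
    if: github.event_name == 'push' && github.ref == 'refs/heads/development'
    needs: [setup, build, container_scanning]
    runs-on: ubuntu-latest
    steps:
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Tag and push :latest
        env:
          IMAGE_BASE: ${{ needs.setup.outputs.image_base }}
          CANDIDATE: ${{ needs.setup.outputs.candidate }}
        run: |
          docker pull "${IMAGE_BASE}:${CANDIDATE}"
          docker tag "${IMAGE_BASE}:${CANDIDATE}" "${IMAGE_BASE}:latest"
          docker push "${IMAGE_BASE}:latest"

  release:
    name: release
    if: github.event_name == 'release' && github.event.action == 'published'
    needs: [setup, build, container_scanning]
    runs-on: ubuntu-latest
    steps:
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Promotes the scanned candidate ("<tag>-build" on release events) to
      # the release tag. Values come in through env rather than being
      # interpolated into the script, since a tag name is not shell-safe.
      - name: Ensure image is tagged with release tag
        env:
          IMAGE_BASE: ${{ needs.setup.outputs.image_base }}
          CANDIDATE: ${{ needs.setup.outputs.candidate }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          docker pull "${IMAGE_BASE}:${CANDIDATE}"
          docker tag "${IMAGE_BASE}:${CANDIDATE}" "${IMAGE_BASE}:${RELEASE_TAG}"
          docker push "${IMAGE_BASE}:${RELEASE_TAG}"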