Build and publish a Docker image #78
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and publish a Docker image | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| mautic_version: | |
| description: 'Mautic version (has to be a valid version from `mautic/recommended-project`)' | |
| required: true | |
| overwrite_latest_major: | |
| type: boolean | |
| description: "Overwrite latest major tag (e.g.`5`). This should only be checked if you're releasing the latest release." | |
| overwrite_latest_minor: | |
| type: boolean | |
| description: "Overwrite latest minor tag (e.g.`5.0`). This should only be checked if you're releasing the latest release within the minor release." | |
| tag_as_latest: | |
| type: boolean | |
| description: "Tag this release as latest" | |
| env: | |
| REGISTRY: ghcr.io | |
| DOCKERHUB_USERNAME: molluxmollux | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| test-build: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| image_type: [apache, fpm] | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build image and export locally (for SAST scan) | |
| uses: docker/build-push-action@v6 | |
| with: | |
| file: ${{ matrix.image_type }}/Dockerfile | |
| tags: mautic-${{ matrix.image_type }} | |
| load: true | |
| platforms: linux/amd64 | |
| build-args: | | |
| MAUTIC_VERSION=${{ inputs.mautic_version }} | |
| - name: Save image to tar file | |
| run: docker save mautic-${{ matrix.image_type }} -o image.tar | |
| - name: Upload image as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: mautic-${{ matrix.image_type }} | |
| path: image.tar | |
| sast: | |
| runs-on: ubuntu-latest | |
| needs: test-build | |
| strategy: | |
| matrix: | |
| image_type: [apache, fpm] | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Download Docker image artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: mautic-${{ matrix.image_type }} | |
| - name: Load Docker image | |
| run: docker load -i image.tar | |
| - name: Run Trivy | |
| uses: aquasecurity/trivy-action@0.31.0 | |
| with: | |
| image-ref: 'mautic-${{ matrix.image_type }}' | |
| format: 'sarif' | |
| exit-code: '0' # Won't fail on vulns found | |
| ignore-unfixed: true # Won't flag if there isn't a fix to the CVE | |
| output: 'trivy-results-${{ matrix.image_type }}.sarif' | |
| - name: Upload Trivy SARIF to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results-${{ matrix.image_type }}.sarif' | |
| sbom: | |
| runs-on: ubuntu-latest | |
| needs: test-build | |
| strategy: | |
| matrix: | |
| image_type: [apache, fpm] | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Download Docker image artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: mautic-${{ matrix.image_type }} | |
| - name: Load Docker image | |
| run: docker load -i image.tar | |
| - name: Run Trivy | |
| uses: aquasecurity/trivy-action@0.31.0 | |
| with: | |
| scan-type: 'image' | |
| image-ref: 'mautic-${{ matrix.image_type }}' | |
| format: 'github' | |
| output: 'dependency-results.sbom.json' | |
| github-pat: ${{ secrets.GITHUB_TOKEN }} | |
| build-and-push-image: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| image_type: [apache, fpm] | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Set BUILD_DATE | |
| run: echo "BUILD_DATE=$(date +%Y%m%d)" >> $GITHUB_ENV | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Docker meta | |
| uses: docker/metadata-action@v5 | |
| id: meta | |
| with: | |
| # list of Docker images to use as base name for tags | |
| images: | | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| mautic/mautic | |
| # generate Docker tags based on the following events/attributes | |
| tags: | | |
| type=semver,pattern={{version}},value=${{ inputs.mautic_version }} | |
| type=raw,value=${{ inputs.mautic_version }}-${{ env.BUILD_DATE }} | |
| type=semver,pattern={{major}}.{{minor}},value=${{ inputs.mautic_version }},enable=${{ inputs.overwrite_latest_minor }} | |
| type=semver,pattern={{major}},value=${{ inputs.mautic_version }},enable=${{ inputs.overwrite_latest_major }} | |
| type=raw,value=latest,enable=${{ inputs.tag_as_latest && matrix.image_type == 'apache' }},suffix= | |
| flavor: | | |
| latest=false | |
| prefix= | |
| suffix=-${{ matrix.image_type }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to Dockerhub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ env.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Log in to the Github Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and Push Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| file: ${{ matrix.image_type }}/Dockerfile | |
| context: . | |
| cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.image_type }} | |
| cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:cache-${{ matrix.image_type }},mode=max,image-manifest=true | |
| platforms: linux/amd64,linux/arm64 | |
| build-args: | | |
| MAUTIC_VERSION=${{ inputs.mautic_version }} | |
| push: true | |
| sbom: true | |
| provenance: true | |
| tags: ${{ steps.meta.outputs.tags }} |