Skip to content
Build and publish a Docker image

Build and publish a Docker image #105

Sign in to view logs

Build and publish a Docker image

Build and publish a Docker image #105

Workflow file for this run

.github/workflows/build_publish.yml at e78971c
name: Build and publish a Docker image
on:
workflow_dispatch:
inputs:
mautic_version:
description: 'Mautic version (has to be a valid version from `mautic/recommended-project`)'
required: true
overwrite_latest_major:
type: boolean
description: "Overwrite latest major tag (e.g.`5`). This should only be checked if you're releasing the latest release."
overwrite_latest_minor:
type: boolean
description: "Overwrite latest minor tag (e.g.`5.0`). This should only be checked if you're releasing the latest release within the minor release."
tag_as_latest:
type: boolean
description: "Tag this release as latest"
env:
REGISTRY: ghcr.io
DOCKERHUB_USERNAME: molluxmollux
IMAGE_NAME: ${{ github.repository }}
jobs:
test-build:
runs-on: ubuntu-latest
strategy:
matrix:
image_type: [apache, fpm]
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Compute BASE_TAG from Mautic version
id: phpver
run: |
MAJOR=$(echo "${{ inputs.mautic_version }}" | cut -d. -f1)
if [ "$MAJOR" = "5" ]; then PHPVER="8.2";
elif [ "$MAJOR" = "6" ]; then PHPVER="8.3";
elif [ "$MAJOR" = "7" ]; then PHPVER="8.4";
else echo "Unsupported Mautic major version: $MAJOR"; exit 1; fi
echo "PHPVER=$PHPVER" >> $GITHUB_ENV
- name: Build image and export locally (for SCA scan)
uses: docker/build-push-action@v6
with:
file: Dockerfile
tags: mautic-${{ matrix.image_type }}
load: true
platforms: linux/amd64
build-args: |
BASE_TAG=${{ env.PHPVER }}-${{ matrix.image_type }}-bookworm
MAUTIC_VERSION=${{ inputs.mautic_version }}
FLAVOUR=${{ matrix.image_type }}
- name: Save image to tar file
run: docker save mautic-${{ matrix.image_type }} -o image.tar
- name: Upload image as artifact
uses: actions/upload-artifact@v4
with:
name: mautic-${{ matrix.image_type }}
path: image.tar
sast:
runs-on: ubuntu-latest
needs: test-build
strategy:
matrix:
image_type: [apache, fpm]
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download Docker image artifact
uses: actions/download-artifact@v4
with:
name: mautic-${{ matrix.image_type }}
- name: Load Docker image
run: docker load -i image.tar
- name: Run Trivy
uses: aquasecurity/[email protected]
with:
image-ref: 'mautic-${{ matrix.image_type }}'
format: 'sarif'
exit-code: '0' # Won't fail on vulns found
ignore-unfixed: true # Won't flag if there isn't a fix to the CVE
output: 'trivy-results-${{ matrix.image_type }}.sarif'
- name: Upload Trivy SARIF to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results-${{ matrix.image_type }}.sarif'
sbom:
runs-on: ubuntu-latest
needs: test-build
strategy:
matrix:
image_type: [apache, fpm]
permissions:
contents: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download Docker image artifact
uses: actions/download-artifact@v4
with:
name: mautic-${{ matrix.image_type }}
- name: Load Docker image
run: docker load -i image.tar
- name: Run Trivy
uses: aquasecurity/[email protected]
with:
scan-type: 'image'
image-ref: 'mautic-${{ matrix.image_type }}'
format: 'github'
output: 'dependency-results.sbom.json'
github-pat: ${{ secrets.GITHUB_TOKEN }}
build-and-push-image:
runs-on: ubuntu-latest
strategy:
matrix:
image_type: [apache, fpm]
permissions:
contents: read
packages: write
steps:
- name: Set BUILD_DATE
run: echo "BUILD_DATE=$(date +%Y%m%d)" >> $GITHUB_ENV
- name: Checkout repository
uses: actions/checkout@v4
- name: Docker meta
uses: docker/metadata-action@v5
id: meta
with:
# list of Docker images to use as base name for tags
images: |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
mautic/mautic
# generate Docker tags based on the following events/attributes
tags: |
type=semver,pattern={{version}},value=${{ inputs.mautic_version }}
type=raw,value=${{ inputs.mautic_version }}-${{ env.BUILD_DATE }}
type=semver,pattern={{major}}.{{minor}},value=${{ inputs.mautic_version }},enable=${{ inputs.overwrite_latest_minor }}
type=semver,pattern={{major}},value=${{ inputs.mautic_version }},enable=${{ inputs.overwrite_latest_major }}
type=raw,value=latest,enable=${{ inputs.tag_as_latest && matrix.image_type == 'apache' }},suffix=
flavor: |
latest=false
prefix=
suffix=-${{ matrix.image_type }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Dockerhub
uses: docker/login-action@v3
with:
username: ${{ env.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Log in to the Github Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Compute BASE_TAG from Mautic version
id: phpver
run: |
MAJOR=$(echo "${{ inputs.mautic_version }}" | cut -d. -f1)
if [ "$MAJOR" = "5" ]; then PHPVER="8.2";
elif [ "$MAJOR" = "6" ]; then PHPVER="8.3";
elif [ "$MAJOR" = "7" ]; then PHPVER="8.4";
else echo "Unsupported Mautic major version: $MAJOR"; exit 1; fi
echo "PHPVER=$PHPVER" >> $GITHUB_ENV
- name: Build and Push Docker image
uses: docker/build-push-action@v5
with:
file: Dockerfile
context: .
platforms: linux/amd64,linux/arm64
build-args: |
BASE_TAG=${{ env.PHPVER }}-${{ matrix.image_type }}-bookworm
MAUTIC_VERSION=${{ inputs.mautic_version }}
FLAVOUR=${{ matrix.image_type }}
push: true
sbom: true
provenance: true
tags: ${{ steps.meta.outputs.tags }}