etherpad-lite/.github/workflows/docker.yml
naveen 2929a3c0bd chore: Set permissions for GitHub actions
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-05-02 20:48:01 -04:00

91 lines
2.5 KiB
YAML

name: Docker
on:
pull_request:
push:
branches:
- 'develop'
tags:
- 'v?[0-9]+.[0-9]+.[0-9]+'
env:
TEST_TAG: etherpad/etherpad:test
permissions:
contents: read
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Check out
uses: actions/checkout@v3
-
name: Set up QEMU
if: github.event_name == 'push'
uses: docker/setup-qemu-action@v1
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
-
name: Build and export to Docker
uses: docker/build-push-action@v2
with:
context: .
load: true
tags: ${{ env.TEST_TAG }}
cache-from: type=gha
cache-to: type=gha,mode=max
-
name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: 'lts/*'
cache: 'npm'
cache-dependency-path: |
src/package-lock.json
src/bin/doc/package-lock.json
-
name: Test
run: |
docker run --rm -d -p 9001:9001 --name test ${{ env.TEST_TAG }}
docker logs -f test &
./src/bin/installDeps.sh
while true; do
echo "Waiting for Docker container to start..."
status=$(docker container inspect -f '{{.State.Health.Status}}' test) || exit 1
case ${status} in
healthy) break;;
starting) sleep 2;;
*) printf %s\\n "unexpected status: ${status}" >&2; exit 1;;
esac
done
(cd src && npm run test-container)
git clean -dxf .
-
name: Docker meta
if: github.event_name == 'push'
id: meta
uses: docker/metadata-action@v3
with:
images: etherpad/etherpad
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
-
name: Log in to Docker Hub
if: github.event_name == 'push'
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Build and push
if: github.event_name == 'push'
uses: docker/build-push-action@v2
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}