-
Notifications
You must be signed in to change notification settings - Fork 13
131 lines (114 loc) · 3.79 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
on:
pull_request:
paths-ignore:
- 'cli'
- 'cloud'
- 'frontend'
push:
branches:
- 'main'
- 'next'
paths-ignore:
- 'cli'
- 'cloud'
- 'frontend'
tags:
- 'v*'
jobs:
build:
runs-on: ubuntu-latest
permissions:
security-events: write
packages: write
contents: read
env:
PNPM_VERSION: 9
NODE_VERSION: 20
CARTESI_MACHINE_IMAGE_NAME: bug-buster-machine
CARTESI_NODE_IMAGE_NAME: bug-buster-node
REGISTRY: ghcr.io/${{ github.repository_owner }}
steps:
- name: Check out repository
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
id: setup_buildx
uses: docker/setup-buildx-action@v3
- name: Extract metadata from Git refs and GitHub events
id: extract_metadata
uses: docker/metadata-action@v5
with:
images: |
${{ env.REGISTRY }}/${{ env.CARTESI_MACHINE_IMAGE_NAME }}
tags: |
type=semver,pattern={{version}}
type=ref,event=branch
type=ref,event=pr
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build machine image
id: build_machine
uses: docker/build-push-action@v6
with:
context: .
load: true
platforms: linux/riscv64
builder: ${{ steps.setup_buildx.outputs.name }}
tags: ${{ steps.extract_metadata.outputs.tags }}
labels: ${{ steps.extract_metadata.outputs.labels }}
annotations: ${{ steps.extract_metadata.outputs.annotations }}
cache-from: type=gha,scope=cartesi-machine-image
cache-to: type=gha,mode=max,scope=cartesi-machine-image
- name: Setup pnpm
uses: pnpm/action-setup@v3
with:
version: ${{ env.PNPM_VERSION }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: pnpm
- name: Install Node.js dependencies
run: pnpm i
- name: Scan image
id: scan
uses: anchore/scan-action@v4
with:
image: ${{ steps.build_machine.outputs.imageid }}
fail-build: false
- name: Inspect action SARIF report
run: cat ${{ steps.scan.outputs.sarif }}
- name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: Build Cartesi Machine image
env:
IMAGE_ID: ${{ steps.build_machine.outputs.imageid }}
run: |
pnpm exec cartesi build --from-image "$IMAGE_ID"
- name: Build Cartesi Node image
id: build_node
run: |
pnpm exec cartesi deploy build --json | \
jq -r '"image=\(.image)"' >> "$GITHUB_OUTPUT"
- name: Create tags for Cartesi Node image
env:
METADATA_JSON: ${{ steps.extract_metadata.outputs.json }}
CARTESI_NODE_IMAGE: ${{ steps.build_node.outputs.image }}
run: |
echo "$METADATA_JSON" | \
jq -r '.tags[]' | \
sed "s/${{ env.CARTESI_MACHINE_IMAGE_NAME }}/${{ env.CARTESI_NODE_IMAGE_NAME }}/" | \
xargs -d '\n' -n1 docker image tag "$CARTESI_NODE_IMAGE"
- name: Push Cartesi Machine image
run: |
docker image push --all-tags "${{ env.REGISTRY }}/${{ env.CARTESI_MACHINE_IMAGE_NAME }}"
- name: Push Cartesi Node image
run: |
docker image push --all-tags "${{ env.REGISTRY }}/${{ env.CARTESI_NODE_IMAGE_NAME }}"