Skip to content

Publish official Docker container #139

Publish official Docker container

Publish official Docker container #139

Workflow file for this run

on:
push:
branches:
- release/**
- develop
- feature/**
pull_request:
types: [opened, synchronize, reopened]
branches:
- release/**
- develop
- feature/**
merge_group:
workflow_dispatch:
inputs:
linkcheck_fail_on_error:
description: 'a boolean flag that determines if bad links found by the link checker fail fast and stop a complete build'
required: false
default: true
type: boolean
linkcheck_create_issue:
description: 'create new GitHub issue if broken links found'
required: false
default: false
type: boolean
name: Build and Test
env:
HOME_REPO: aj-stein-gsa/oscal-cli
IMAGE_NAME: aj-stein-gsa/oscal-cli-extended
REGISTRY: ghcr.io
# Docs: github.com/docker/metadata-action/?tab=readme-ov-file#typesha
DOCKER_METADATA_PR_HEAD_SHA: true
# https://github.com/docker/metadata-action?tab=readme-ov-file#annotations
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
INPUT_FAIL_ON_ERROR: ${{ github.event.inputs.linkcheck_fail_on_error || 'true' }}
INPUT_ISSUE_ON_ERROR: ${{ github.event.inputs.linkcheck_create_issue || 'false' }}
MAVEN_VERSION: 3.9.8
JAVA_DISTRO: 'temurin'
JAVA_VERSION_FILE: .java-version
jobs:
build-code:
name: Code
runs-on: ubuntu-20.04
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
with:
submodules: recursive
filter: tree:0
# -------------------------
# Java Environment Setup
# -------------------------
- name: Set up Maven
uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1
with:
maven-version: ${{ env.MAVEN_VERSION }}
- name: Set up JDK
uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73
with:
java-version-file: ${{ env.JAVA_VERSION_FILE }}
distribution: ${{ env.JAVA_DISTRO }}
cache: 'maven'
- name: Initialize CodeQL
if: github.event_name == 'push'
uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b
with:
languages: java
# -------------------------
# Maven Build
# -------------------------
- name: Build and Test Code
run: |
mvn -B -e -Prelease package
- name: Perform CodeQL Analysis
if: github.event_name == 'push'
uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b
with:
upload: ${{ github.ref_name == 'develop' && 'always' || 'never' }}
- if: github.repository == env.HOME_REPO
name: Container image QEMU setup for cross-arch builds
id: image_setup_qemu
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
- if: github.repository == env.HOME_REPO
name: Container image buildx setup for cross-arch builds
id: image_setup_buildx
with:
platforms: |
linux/amd64
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
- if: github.repository == env.HOME_REPO
name: Container image login
id: image_login
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- if: github.repository == env.HOME_REPO
name: Container image metadata and tag generation
id: image_metadata
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
with:
images:
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=sha,prefix=,suffix=,format=long
type=ref,event=branch
type=ref,event=tag
type=ref,event=pr
# flavor: |
# latest=true
annotations: |
maintainers="Metaschema Community Admin <admin@metaschema.dev>"
org.opencontainers.image.authors="Metaschema Community Admin <admin@metaschema.dev>"
org.opencontainers.image.documentation="https://metaschema.dev"
org.opencontainers.image.source="https://github.com/metaschema-framework/oscal-cli"
org.opencontainers.image.vendor="Metaschema Community"
org.opencontainers.image.title="oscal-cli-extended"
org.opencontainers.image.description="Metaschema-powered CLI tool for processing OSCAL""
org.opencontainers.image.licenses="CC0-1.0"
- if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/feature'))
name: Container image registry push
id: image_registry_push
uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
with:
build-args: |
CONTAINER_BUILD=no
push: true
tags: ${{ steps.image_metadata.outputs.tags }}
labels: ${{ steps.image_metadata.outputs.annotations }}
platforms: linux/amd64,linux/arm64
cache-from: type=gha
cache-to: type=gha,mode=max
- if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/feature'))
name: Container image push attestations
uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
subject-digest: ${{ steps.image_registry_push.outputs.digest }}
push-to-registry: false
build-website:
name: Website
runs-on: ubuntu-20.04
permissions:
actions: read
contents: write
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
with:
submodules: recursive
filter: tree:0
# -------------------------
# Java Environment Setup
# -------------------------
- name: Set up Maven
uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1
with:
maven-version: ${{ env.MAVEN_VERSION }}
- name: Set up JDK
uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73
with:
java-version-file: ${{ env.JAVA_VERSION_FILE }}
distribution: ${{ env.JAVA_DISTRO }}
cache: 'maven'
# -------------------------
# Maven Build
# -------------------------
- name: Build and Test Website
run: |
mvn -B -e -Prelease install site site:stage -Dmaven.test.skip=true
- name: Zip Artifacts for Upload
run: |
zip ${{ runner.temp }}/website.zip -r target/staging
- name: Upload generated site
uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097
with:
name: website
path: |
${{ runner.temp }}/website.zip
retention-days: 5
- id: linkchecker
name: Link Checker
uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621
with:
args: --verbose --no-progress --accept 200,206,429 './target/staging/**/*.html' --remap "https://github.com/metaschema-framework/oscal-cli/tree/develop/ file://${GITHUB_WORKSPACE}/" --remap "https://oscal-cli.metaschema.dev/ file://${GITHUB_WORKSPACE}/target/staging/" --exclude-mail
format: markdown
output: html-link-report.md
debug: true
fail: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
continue-on-error: true
- name: Upload link check report
uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097
with:
name: html-link-report
path: html-link-report.md
retention-days: 5
- name: Create issue if bad links detected
if: ${{ !cancelled() && env.lychee_exit_code != 0 && env.INPUT_ISSUE_ON_ERROR == 'true' }}
uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd
with:
title: Scheduled Check of Website Content Found Bad Hyperlinks
content-filepath: ./lychee/out.md
labels: |
bug
documentation
- name: Fail on link check error
if: ${{ !cancelled() && env.lychee_exit_code != 0 && env.INPUT_FAIL_ON_ERROR == 'true' }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
with:
script: |
core.setFailed('Link checker detected broken or invalid links, read attached report.')