chore: Update Docker CI workflow to enhance build info handling and t… #11

chore: Update Docker CI workflow to enhance build info handling and t…

chore: Update Docker CI workflow to enhance build info handling and t… #11

Workflow file for this run

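name: PingPanda CI Pipeline

on:
  push:
    paths:
      - 'Dockerfile'
      - 'pingpanda.py'
      - 'requirements.txt'
      - '.github/workflows/docker-image.yml'
  pull_request:
    paths:
      - 'Dockerfile'
      - 'pingpanda.py'
      - 'requirements.txt'
      - '.github/workflows/docker-image.yml'
  release:
    types: [published]
  # Allow manual runs
  workflow_dispatch:

# Least privilege by default: every job starts with a read-only GITHUB_TOKEN
# and must opt in to the exact write scopes it needs (see build-and-push).
permissions:
  contents: read

jobs:
  # Syntax/undefined-name lint of the Python sources. Runs on every event.
  lint-and-test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
          cache: 'pip'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install flake8 pytest
          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
          # NOTE(review): these three are installed unpinned on top of
          # requirements.txt; prefer pinning them there so CI and the image
          # resolve the same versions.
          pip install pythonping requests slack-sdk
      - name: Lint with flake8
        run: |
          # Stop the build if there are Python syntax errors or undefined names
          flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
          # Exit-zero treats all errors as warnings
          flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
      # NOTE(review): pytest is installed above but no test step exists yet;
      # add `pytest` here once there are tests.

  # Builds the multi-arch image, scans it BEFORE publishing, and pushes only
  # from main or a published release.
  build-and-push:
    runs-on: ubuntu-latest
    needs: lint-and-test
    permissions:
      contents: read          # nothing in this job writes to the repository
      packages: write         # push to ghcr.io (docker/login-action + build-push)
      security-events: write  # github/codeql-action/upload-sarif
      # NOTE(review): upload-sarif on a private repository additionally needs
      # `actions: read` — add it if this repo is private.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Fetch all history for proper versioning
      # SHOULD_PUSH is the single source of truth for "publish this build";
      # every push/login/upload decision below keys off it. The values written
      # here come from workflow expressions, not from user-controlled input.
      - name: Set build info
        run: |
          echo "SHOULD_PUSH=${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }}" >> $GITHUB_ENV
          echo "BUILD_SOURCE=${{ github.event_name == 'pull_request' && 'PR' || 'COMMIT' }}" >> $GITHUB_ENV
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: amd64,arm64,arm
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log into GitHub Container Registry
        if: env.SHOULD_PUSH == 'true'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/pingpanda
          tags: |
            # Always add the git SHA (short form: sha-<7 hex chars>)
            type=sha,format=short
            # Add 'latest' tag for main branch
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
            # Add PR tag for pull requests
            type=ref,event=pr
            # Add branch tag
            type=ref,event=branch
            # Add semver tags for releases
            type=semver,pattern={{version}},enable=${{ github.event_name == 'release' }}
            type=semver,pattern={{major}}.{{minor}},enable=${{ github.event_name == 'release' }}
            type=semver,pattern={{major}},enable=${{ github.event_name == 'release' }}
          flavor: |
            latest=false # Explicitly control 'latest' tag separately
      # Scan before anything is pushed, so a vulnerable image never reaches the
      # registry under `latest` or a release tag, and so PRs are scanned too.
      # A throwaway single-arch build is used because a multi-platform image
      # cannot be loaded into the local Docker daemon; its layers are shared
      # with the multi-arch build below via the GHA cache. Packages that differ
      # on the arm variants are not covered by this scan.
      - name: Build amd64 image for scanning
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64
          load: true
          push: false
          tags: pingpanda:scan
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Run Trivy vulnerability scanner
        # Pinned to a release tag: a third-party action referenced by a mutable
        # branch (`@master`) lets upstream change what runs with this job's
        # packages/security-events write token. Prefer a full commit SHA.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: pingpanda:scan
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'MEDIUM,CRITICAL,HIGH'
          hide-progress: false
          # exit-code: '1'  # uncomment to fail the job (and block the push) on findings
      - name: Upload Trivy scan results to GitHub Security tab
        if: env.SHOULD_PUSH == 'true'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64,linux/arm/v7
          push: ${{ env.SHOULD_PUSH == 'true' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max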