Docker Image CI #367
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Docker Image CI | |
| on: | |
| schedule: | |
| - cron: '0 0 * * *' | |
| push: | |
| branches: | |
| - main | |
| env: | |
| DOCKER_REPO_NAME: rogerrum | |
| DOCKER_IMAGE_NAME: docker-openttd | |
| jobs: | |
| # Get list of versions | |
| get-latest-version: | |
| name: Get Latest Release Version for OpenTTD/OpenGFX | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Get TTD Version | |
| id: get_ttd_version | |
| run: | | |
| # Fetch the latest stable release (exclude beta versions) | |
| echo "version=$(curl -s -H 'Accept: application/vnd.github.v3+json' https://api.github.com/repos/OpenTTD/OpenTTD/releases | jq -cMr '([.[]|select(all(.tag_name; contains("beta")|not))])|.[:1]|.[].tag_name')" >> "${GITHUB_OUTPUT}" | |
| - name: Get GFX Version | |
| id: get_gfx_version | |
| run: | | |
| # Fetch the latest stable release of OpenGFX (exclude beta versions) | |
| echo "version=$(curl -s -H 'Accept: application/vnd.github.v3+json' https://api.github.com/repos/OpenTTD/OpenGFX/releases | jq -cMr '([.[]|select(all(.tag_name; contains("beta")|not))])|.[:1]|.[].tag_name')" >> "${GITHUB_OUTPUT}" | |
| - name: Output Versions | |
| run: | | |
| # Output the versions for further use | |
| echo "Latest OpenTTD Release: ${{ steps.get_ttd_version.outputs.version }}" | |
| echo "Latest OpenGFX Release: ${{ steps.get_gfx_version.outputs.version }}" | |
| outputs: | |
| openttd: ${{ steps.get_ttd_version.outputs.version }} | |
| opengfx: ${{ steps.get_gfx_version.outputs.version }} | |
| check-image-version: | |
| needs: get-latest-version | |
| name: Check if Image Version Exists | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check if image exists | |
| id: check_image | |
| run: | | |
| # Replace 'your-container-registry' and 'your-repo' with your actual container registry and repository names | |
| if docker pull rogerrum/docker-openttd:${{ needs.get-latest-version.outputs.openttd }}; then | |
| echo "Image version already exists. Skipping build." | |
| echo "skip_build=true" >> "${GITHUB_OUTPUT}" | |
| else | |
| echo "Image version does not exist. Proceeding with the build." | |
| echo "skip_build=false" >> "${GITHUB_OUTPUT}" | |
| fi | |
| continue-on-error: true # Allow failure as we want to proceed with the build even if the image doesn't exist | |
| - name: Output | |
| run: | | |
| echo "Skip Build: ${{ steps.check_image.outputs.skip_build }}" | |
| outputs: | |
| skip: ${{ steps.check_image.outputs.skip_build }} | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - check-image-version | |
| - get-latest-version | |
| if: ${{ needs.check-image-version.outputs.skip == 'false' }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Docker login - docker hub | |
| uses: azure/docker-login@v2 | |
| with: | |
| username: ${{ secrets.USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Docker login - ghcr | |
| uses: azure/docker-login@v2 | |
| with: | |
| login-server: ghcr.io | |
| username: ${{ secrets.USERNAME }} | |
| password: ${{ secrets.PASSWORD }} | |
| - name: Set up Qemu | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Output platforms | |
| run: | | |
| echo "Platforms: ${{ steps.buildx.outputs.platforms }}" | |
| - name: Build and push with latest tag | |
| uses: docker/build-push-action@v6 | |
| with: | |
| push: true | |
| pull: true | |
| platforms: linux/arm64,linux/amd64 | |
| build-args: | | |
| OPENTTD_VERSION=${{ needs.get-latest-version.outputs.openttd }} | |
| OPENGFX_VERSION=${{ needs.get-latest-version.outputs.opengfx }} | |
| tags: | | |
| rogerrum/docker-openttd:${{ needs.get-latest-version.outputs.openttd }} | |
| rogerrum/docker-openttd:latest | |
| ghcr.io/rogerrum/docker-openttd:latest | |
| ghcr.io/rogerrum/docker-openttd:${{ needs.get-latest-version.outputs.openttd }} | |
| - name: Docker Hub Description | |
| if: github.event_name != 'pull_request' | |
| uses: peter-evans/dockerhub-description@v4 | |
| with: | |
| username: ${{ secrets.USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| repository: rogerrum/docker-openttd | |
| # Trivy test | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| id: trivy | |
| with: | |
| image-ref: 'ghcr.io/rogerrum/docker-openttd:${{ needs.get-latest-version.outputs.openttd }}' | |
| format: 'sarif' | |
| exit-code: '0' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| output: results.sarif | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'results.sarif' |