Add missing permissions #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker | |
| "on": | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| workflow_call: | |
| inputs: | |
| release: | |
| description: Indicates this workflow-call constitutes a release | |
| type: boolean | |
| required: false | |
| default: false | |
| jobs: | |
| build_push: | |
| name: Build and push Docker image | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| # On release, the version embedded in the shell-script should match the | |
| # release-tag; in all other cases, only pass along pre-release versions | |
| # (e.g. "1.3.0-dev") – as signified by a hyphen in the version string... | |
| - name: Retrieve sysmon-mqtt version | |
| env: | |
| RELEASE_VERSION: >- | |
| ${{ inputs.release && github.ref_name || '#NA' }} | |
| id: sysmon | |
| run: | | |
| semver=$( | |
| ./sysmon.sh --version | \ | |
| grep -oE '[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+(-[-a-z0-9\.]+)?' | |
| ) | |
| if [ "$RELEASE_VERSION" == "#NA" ]; then | |
| if [[ $semver =~ .+-.+ ]]; then | |
| echo semver="v$semver" >> "$GITHUB_OUTPUT" | |
| fi | |
| else | |
| if [ "$RELEASE_VERSION" != "v$semver" ]; then | |
| printf "::warning::" | |
| printf "Invalid sysmon-mqtt version 'v$semver' " | |
| printf "(expected '$RELEASE_VERSION') – " | |
| printf "aborting...\n" | |
| exit 1 | |
| fi | |
| echo semver="v$semver" >> "$GITHUB_OUTPUT" | |
| fi | |
| # The following tags are generated: | |
| # * on release – "multi-stage" semantic version (for "release" semantic | |
| # version only), "latest" and SHA | |
| # * push to main-branch – SHA | |
| # * push to develop-branch – "edge" and SHA | |
| # * push to pull-request – "pr-123" (ie, the PR number) | |
| # By convention, releases are drafted from the main-branch. The SHA-based | |
| # tagging there is thus primarily a final smoke-test. Once a release is | |
| # published, the result of its "Build and push"-workflow is tagged with | |
| # the same SHA... | |
| # If a pre-release semantic version (e.g. "1.3.0-dev") is set in the | |
| # shell-script itself, the container is also tagged with that _exact_ | |
| # version string (_not_ including the "multi-stage" semantic version). | |
| - name: Generate Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: | | |
| thijsputman/sysmon-mqtt | |
| ghcr.io/thijsputman/sysmon-mqtt | |
| # yamllint disable rule:line-length | |
| tags: | | |
| type=semver,pattern={{version}},value=${{ steps.sysmon.outputs.semver }} | |
| type=semver,pattern={{major}}.{{minor}},value=${{ steps.sysmon.outputs.semver }} | |
| type=semver,pattern={{major}},value=${{ steps.sysmon.outputs.semver }} | |
| type=ref,event=pr | |
| type=edge,branch=develop | |
| type=raw,value=latest,enable=${{ inputs.release && true || false }} | |
| type=sha,enable=${{ contains(fromJSON('["main", "develop"]'), github.ref_name) || (inputs.release && true || false) }} | |
| # yamllint enable rule:line-length | |
| flavor: | | |
| latest=false | |
| - name: Setup QEMU | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Setup Docker buildx | |
| uses: docker/setup-buildx-action@v2 | |
| with: | |
| install: true | |
| - name: Login to GHCR | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v2 | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v4 | |
| with: | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=min | |
| # Force the Docker-action to use a local context – otherwise it'll | |
| # clone the repo again from GitHub. This is wasteful as we do a | |
| # checkout anyway to get sysmon's version number... | |
| # Also, this is relevant for local "gh act" runs where we want local/ | |
| # non-committed changes to be picked up (this is done in act by | |
| # overriding the default "Checkout code"-action). | |
| context: . | |
| platforms: linux/amd64,linux/arm64,linux/arm/v7 |