mirror of
https://github.com/element-hq/dendrite.git
synced 2025-03-14 14:15:35 +00:00
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3 to 6.

**Release notes** (sourced from [docker/build-push-action's releases](https://github.com/docker/build-push-action/releases)):

## v6.0.0

- Export build record and generate [build summary](https://docs.docker.com/build/ci/github-actions/build-summary/) by [@crazy-max](https://github.com/crazy-max) in [docker/build-push-action#1120](https://redirect.github.com/docker/build-push-action/pull/1120)
- Bump `@docker/actions-toolkit` from 0.24.0 to 0.26.0 in [docker/build-push-action#1132](https://redirect.github.com/docker/build-push-action/pull/1132) [docker/build-push-action#1136](https://redirect.github.com/docker/build-push-action/pull/1136) [docker/build-push-action#1138](https://redirect.github.com/docker/build-push-action/pull/1138)
- Bump braces from 3.0.2 to 3.0.3 in [docker/build-push-action#1137](https://redirect.github.com/docker/build-push-action/pull/1137)

> [!NOTE] This major release adds support for generating [Build summary](https://docs.docker.com/build/ci/github-actions/build-summary/) and exporting build record for your build. You can disable this feature by setting [`DOCKER_BUILD_SUMMARY: false` environment variable in your workflow](https://docs.docker.com/build/ci/github-actions/build-summary/#disable-job-summary).

**Full Changelog**: https://github.com/docker/build-push-action/compare/v5.4.0...v6.0.0

## v5.4.0

- Show builder information before building by [@crazy-max](https://github.com/crazy-max) in [docker/build-push-action#1128](https://redirect.github.com/docker/build-push-action/pull/1128)
- Handle attestations correctly with provenance and sbom inputs by [@crazy-max](https://github.com/crazy-max) in [docker/build-push-action#1086](https://redirect.github.com/docker/build-push-action/pull/1086)
- Bump `@docker/actions-toolkit` from 0.19.0 to 0.24.0 in [docker/build-push-action#1088](https://redirect.github.com/docker/build-push-action/pull/1088) [docker/build-push-action#1105](https://redirect.github.com/docker/build-push-action/pull/1105) [docker/build-push-action#1121](https://redirect.github.com/docker/build-push-action/pull/1121) [docker/build-push-action#1127](https://redirect.github.com/docker/build-push-action/pull/1127)
- Bump undici from 5.28.3 to 5.28.4 in [docker/build-push-action#1090](https://redirect.github.com/docker/build-push-action/pull/1090)

**Full Changelog**: https://github.com/docker/build-push-action/compare/v5.3.0...v5.4.0

## v5.3.0

- Bump `@docker/actions-toolkit` from 0.18.0 to 0.19.0 in [docker/build-push-action#1080](https://redirect.github.com/docker/build-push-action/pull/1080)

**Full Changelog**: https://github.com/docker/build-push-action/compare/v5.2.0...v5.3.0

## v5.2.0

- Disable quotes detection for `outputs` input by [@crazy-max](https://github.com/crazy-max) in [docker/build-push-action#1074](https://redirect.github.com/docker/build-push-action/pull/1074)
- Warn about ignored inputs by [@favonia](https://github.com/favonia) in [docker/build-push-action#1019](https://redirect.github.com/docker/build-push-action/pull/1019)
- Bump `@docker/actions-toolkit` from 0.14.0 to 0.18.0 in [docker/build-push-action#1070](https://redirect.github.com/docker/build-push-action/pull/1070)
- Bump undici from 5.26.3 to 5.28.3 in [docker/build-push-action#1057](https://redirect.github.com/docker/build-push-action/pull/1057)

**Full Changelog**: https://github.com/docker/build-push-action/compare/v5.1.0...v5.2.0

## v5.1.0

- Add `annotations` input by [@crazy-max](https://github.com/crazy-max) in [docker/build-push-action#992](https://redirect.github.com/docker/build-push-action/pull/992)
- Add `secret-envs` input by [@elias-lundgren](https://github.com/elias-lundgren) in [docker/build-push-action#980](https://redirect.github.com/docker/build-push-action/pull/980)
- Bump `@babel/traverse` from 7.17.3 to 7.23.2 in [docker/build-push-action#991](https://redirect.github.com/docker/build-push-action/pull/991)
- Bump `@docker/actions-toolkit` from 0.13.0-rc.1 to 0.14.0 in [docker/build-push-action#990](https://redirect.github.com/docker/build-push-action/pull/990) [docker/build-push-action#1006](https://redirect.github.com/docker/build-push-action/pull/1006)

**Full Changelog**: https://github.com/docker/build-push-action/compare/v5.0.0...v5.1.0

## v5.0.0

- Node 20 as default runtime (requires [Actions Runner v2.308.0](https://github.com/actions/runner/releases/tag/v2.308.0) or later) by [@crazy-max](https://github.com/crazy-max) in [docker/build-push-action#954](https://redirect.github.com/docker/build-push-action/pull/954)
- Bump `@actions/core` from 1.10.0 to 1.10.1 in [docker/build-push-action#959](https://redirect.github.com/docker/build-push-action/pull/959)

**Full Changelog**: https://github.com/docker/build-push-action/compare/v4.2.1...v5.0.0

## v4.2.1

> **Note**
> Buildx v0.10 enables support for a minimal [SLSA Provenance](https://slsa.dev/provenance/) attestation, which requires support for [OCI-compliant](https://github.com/opencontainers/image-spec) multi-platform images. This may introduce issues with registry and runtime support (e.g. [Google Cloud Run and AWS Lambda](https://redirect.github.com/docker/buildx/issues/1533)). You can optionally disable the default provenance attestation functionality using `provenance: false`.

... (truncated)

**Commits**:

- 48aba3b Merge pull request [#1268](https://redirect.github.com/docker/build-push-action/issues/1268) from docker/dependabot/npm_and_yarn/docker/actions-t...
- 678328c chore: update generated content
- cdf0a37 chore(deps): Bump `@docker/actions-toolkit` from 0.39.0 to 0.46.0
- d719b79 Merge pull request [#1238](https://redirect.github.com/docker/build-push-action/issues/1238) from docker/dependabot/npm_and_yarn/actions/core-1.11.1
- c333dfd chore: update generated content
- 6b56a4c chore(deps): Bump `@actions/core` from 1.10.1 to 1.11.1
- 92fb0d7 Merge pull request [#1259](https://redirect.github.com/docker/build-push-action/issues/1259) from docker/dependabot/github_actions/codecov/codeco...
- 40532c5 ci: fix deprecated input for codecov-action
- 70dd953 Merge pull request [#1267](https://redirect.github.com/docker/build-push-action/issues/1267) from crazy-max/fix-allow
- 41b4e80 Merge pull request [#1261](https://redirect.github.com/docker/build-push-action/issues/1261) from docker/dependabot/npm_and_yarn/cross-spawn-7.0.6
- Additional commits viewable in [compare view](https://github.com/docker/build-push-action/compare/v3...v6)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

**Dependabot commands and options**

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
[skip CI]
223 lines
8.4 KiB
YAML
```yaml
# Based on https://github.com/docker/build-push-action

name: "Docker"

on:
  release: # A GitHub release was published
    types: [published]
  workflow_dispatch: # A build was manually requested
  workflow_call: # Another pipeline called us
    secrets:
      DOCKER_TOKEN:
        required: true

env:
  DOCKER_NAMESPACE: matrixdotorg
  DOCKER_HUB_USER: dendritegithub
  GHCR_NAMESPACE: element-hq
  PLATFORMS: linux/amd64,linux/arm64,linux/arm/v7

jobs:
  monolith:
    name: Monolith image
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      security-events: write # To upload Trivy sarif files
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Get release tag & build flags
        if: github.event_name == 'release' # Only for GitHub releases
        run: |
          echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Login to GitHub Containers
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Build until the "build" stage, this then can be used by other steps.
      - name: Build "build" image
        if: github.ref_name == 'main' || github.event_name == 'release'
        id: docker_build_cache
        uses: docker/build-push-action@v6
        with:
          target: build
          cache-from: type=registry,ref=ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:buildcache
          cache-to: type=registry,ref=ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:buildcache,mode=max
          context: .
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:binaries

      - name: Build main monolith image
        if: github.ref_name == 'main'
        id: docker_build_monolith
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:buildcache
          context: .
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
            ${{ env.DOCKER_NAMESPACE }}/dendrite-monolith:${{ github.ref_name }}
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:${{ github.ref_name }}

      - name: Build release monolith image
        if: github.event_name == 'release' # Only for GitHub releases
        id: docker_build_monolith_release
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
            ${{ env.DOCKER_NAMESPACE }}/dendrite-monolith:latest
            ${{ env.DOCKER_NAMESPACE }}/dendrite-monolith:${{ env.RELEASE_VERSION }}
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:latest
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:${{ env.RELEASE_VERSION }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:${{ github.ref_name }}
          format: "sarif"
          output: "trivy-results.sarif"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"

  demo-pinecone:
    name: Pinecone demo image
    runs-on: ubuntu-latest
    needs: monolith
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Get release tag & build flags
        if: github.event_name == 'release' # Only for GitHub releases
        run: |
          echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Login to GitHub Containers
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build main Pinecone demo image
        if: github.ref_name == 'main'
        id: docker_build_demo_pinecone
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:buildcache
          context: .
          file: ./build/docker/Dockerfile.demo-pinecone
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-pinecone:${{ github.ref_name }}
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-pinecone:${{ github.ref_name }}

      - name: Build release Pinecone demo image
        if: github.event_name == 'release' # Only for GitHub releases
        id: docker_build_demo_pinecone_release
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:buildcache
          context: .
          file: ./build/docker/Dockerfile.demo-pinecone
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-pinecone:latest
            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-pinecone:${{ env.RELEASE_VERSION }}
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-pinecone:latest
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-pinecone:${{ env.RELEASE_VERSION }}

  demo-yggdrasil:
    name: Yggdrasil demo image
    runs-on: ubuntu-latest
    needs: monolith
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Get release tag & build flags
        if: github.event_name == 'release' # Only for GitHub releases
        run: |
          echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Login to GitHub Containers
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build main Yggdrasil demo image
        if: github.ref_name == 'main'
        id: docker_build_demo_yggdrasil
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:buildcache
          context: .
          file: ./build/docker/Dockerfile.demo-yggdrasil
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-yggdrasil:${{ github.ref_name }}
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-yggdrasil:${{ github.ref_name }}

      - name: Build release Yggdrasil demo image
        if: github.event_name == 'release' # Only for GitHub releases
        id: docker_build_demo_yggdrasil_release
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:buildcache
          context: .
          file: ./build/docker/Dockerfile.demo-yggdrasil
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-yggdrasil:latest
            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-yggdrasil:${{ env.RELEASE_VERSION }}
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-yggdrasil:latest
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-yggdrasil:${{ env.RELEASE_VERSION }}
```
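A Dependabot bump like this one only moves a mutable tag (`@v3` to `@v6`); it does not say how each `uses:` reference in the workflow is actually pinned. The script below is an added example, not part of the Dendrite project or this PR: it runs over a constructed excerpt of the workflow's own `uses:` lines and classifies each reference as commit-SHA pinned, version-tagged, or branch-tracking (such as `aquasecurity/trivy-action@master`), which is the supply-chain check a reviewer would want before merging an action upgrade.

```python
import re
from collections import Counter

# Constructed excerpt: the distinct `uses:` references from the workflow above.
WORKFLOW_EXCERPT = """\
      - uses: actions/checkout@v4
        uses: docker/setup-qemu-action@v3
        uses: docker/setup-buildx-action@v3
        uses: docker/login-action@v3
        uses: docker/build-push-action@v6
        uses: aquasecurity/trivy-action@master
        uses: github/codeql-action/upload-sarif@v3
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")


def classify_ref(ref):
    """Return (action, ref, kind) for one `uses:` value.

    kind is one of:
      sha      pinned to a full 40-hex commit; immutable
      version  a release tag such as v6; mutable, the tag can be moved
      branch   a branch name such as master; follows whatever is pushed next
      local    a path inside the repository; versioned with the checkout
      docker   a docker:// image reference; pin these by digest instead
    """
    if ref.startswith("./"):
        return ref, "", "local"
    if ref.startswith("docker://"):
        return ref, "", "docker"
    action, _, version = ref.partition("@")
    if SHA_RE.match(version):
        return action, version, "sha"
    if VERSION_RE.match(version):
        return action, version, "version"
    return action, version, "branch"


def audit_workflow(text):
    """Classify every `uses:` line in a workflow; returns a list of tuples."""
    return [classify_ref(m.group(1)) for line in text.splitlines()
            if (m := USES_RE.match(line))]


def floating_refs(text):
    """Branch-tracking references: the ones to pin to a commit SHA first."""
    return [f"{a}@{v}" for a, v, kind in audit_workflow(text) if kind == "branch"]


if __name__ == "__main__":
    findings = audit_workflow(WORKFLOW_EXCERPT)
    for action, version, kind in findings:
        print(f"{kind:8} {action}@{version}")
    print("summary:", dict(Counter(kind for _, _, kind in findings)))
```

On the excerpt above every reference is a mutable version tag except the Trivy step, which tracks `master`; pinning to a full commit SHA (with the tag kept in a comment for Dependabot) is the usual mitigation.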