Skip to content

Bump alpine from 3.20 to 3.20.3 #1287

Bump alpine from 3.20 to 3.20.3

Bump alpine from 3.20 to 3.20.3 #1287

Workflow file for this run

name: Docker
on:
push:
branches:
- master
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
pull_request:
branches:
- master
env:
PLATFORMS: "linux/arm,linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
concurrency:
group: ${{ github.ref_name }}-docker
cancel-in-progress: true
jobs:
build-docker:
name: Build Docker Image
runs-on: ubuntu-22.04
services:
registry:
image: registry:2
ports:
- 5000:5000
strategy:
fail-fast: false
matrix:
os: [debian, alpine]
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Output Variables
id: var
run: |
echo "nginx_version=$(grep -m1 'FROM nginx:' <Dockerfile | awk -F'[: ]' '{print $3}')" >> $GITHUB_OUTPUT
- name: Nginx version
run: echo "${{ steps.var.outputs.nginx_version }}"
- name: Setup QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: arm,arm64,ppc64le,s390x
- name: Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
- name: DockerHub Login
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: github.event_name != 'pull_request'
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name != 'pull_request'
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
name=opentracing/nginx-opentracing,enable=${{ github.event_name != 'pull_request' }}
name=ghcr.io/opentracing-contrib/nginx-opentracing,enable=${{ github.event_name != 'pull_request' }}
name=localhost:5000/opentracing/nginx-opentracing
flavor: suffix=${{ matrix.os != 'debian' && '-' || '' }}${{ matrix.os != 'debian' && matrix.os || '' }},onlatest=true
tags: |
type=edge
type=ref,event=pr
type=semver,pattern={{version}}
type=raw,value=nginx-${{ steps.var.outputs.nginx_version }},enable=${{ contains(github.ref, 'refs/tags/') }}
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Build and push
uses: docker/build-push-action@v6
with:
pull: true
push: true
platforms: "linux/arm,linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
cache-from: type=gha,scope=${{ matrix.os }}
cache-to: type=gha,scope=${{ matrix.os }},mode=max
target: final
sbom: true
provenance: mode=max
build-args: BUILD_OS=${{ matrix.os }}
- name: Inspect SBOM and output manifest
run: |
docker buildx imagetools inspect localhost:5000/opentracing/nginx-opentracing:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom.json
docker buildx imagetools inspect localhost:5000/opentracing/nginx-opentracing:${{ steps.meta.outputs.version }} --format '{{ json (index .Provenance "linux/amd64").SLSA }}' > provenance.json
docker buildx imagetools inspect localhost:5000/opentracing/nginx-opentracing:${{ steps.meta.outputs.version }} --raw
- name: Scan SBOM
id: scan
uses: anchore/scan-action@v4
with:
sbom: "sbom.json"
only-fixed: true
add-cpes-if-none: true
fail-build: false
- name: Upload scan result to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
continue-on-error: true
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
if: always()
- name: Upload Scan Results
uses: actions/upload-artifact@v4
continue-on-error: true
with:
name: scan-results-${{ matrix.os }}
path: |
${{ steps.scan.outputs.sarif }}
*.json
if: always()