dotcloud/docker

View on GitHub
.github/workflows/ci.yml

Summary

Maintainability
Test Coverage
name: ci

# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

on:
  workflow_dispatch:
  push:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
  pull_request:

env:
  DESTDIR: ./build
  SETUP_BUILDX_VERSION: latest
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

jobs:
  validate-dco:
    uses: ./.github/workflows/.dco.yml

  build:
    runs-on: ubuntu-20.04
    timeout-minutes: 20 # guardrails timeout for the whole job
    needs:
      - validate-dco
    strategy:
      fail-fast: false
      matrix:
        target:
          - binary
          - dynbinary
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          version: ${{ env.SETUP_BUILDX_VERSION }}
          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
          buildkitd-flags: --debug
      -
        name: Build
        uses: docker/bake-action@v4
        with:
          targets: ${{ matrix.target }}
      -
        name: List artifacts
        run: |
          tree -nh ${{ env.DESTDIR }}
      -
        name: Check artifacts
        run: |
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +

  prepare-cross:
    runs-on: ubuntu-24.04
    timeout-minutes: 20 # guardrails timeout for the whole job
    needs:
      - validate-dco
    outputs:
      matrix: ${{ steps.platforms.outputs.matrix }}
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Create matrix
        id: platforms
        run: |
          matrix="$(docker buildx bake binary-cross --print | jq -cr '.target."binary-cross".platforms')"
          echo "matrix=$matrix" >> $GITHUB_OUTPUT
      -
        name: Show matrix
        run: |
          echo ${{ steps.platforms.outputs.matrix }}

  cross:
    runs-on: ubuntu-20.04
    timeout-minutes: 20 # guardrails timeout for the whole job
    needs:
      - validate-dco
      - prepare-cross
    strategy:
      fail-fast: false
      matrix:
        platform: ${{ fromJson(needs.prepare-cross.outputs.matrix) }}
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          version: ${{ env.SETUP_BUILDX_VERSION }}
          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
          buildkitd-flags: --debug
      -
        name: Build
        uses: docker/bake-action@v4
        with:
          targets: all
          set: |
            *.platform=${{ matrix.platform }}
      -
        name: List artifacts
        run: |
          tree -nh ${{ env.DESTDIR }}
      -
        name: Check artifacts
        run: |
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +

  govulncheck:
    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
    permissions:
      # required to write sarif report
      security-events: write
      # required to check out the repository
      contents: read
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          version: ${{ env.SETUP_BUILDX_VERSION }}
          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
          buildkitd-flags: --debug
      -
        name: Run
        uses: docker/bake-action@v5
        with:
          targets: govulncheck
        env:
          GOVULNCHECK_FORMAT: sarif
      -
        name: Upload SARIF report
        if: ${{ github.event_name != 'pull_request' && github.repository == 'moby/moby' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ env.DESTDIR }}/govulncheck.out