chore(deps): bump docker/metadata-action from 5 to 6 #98
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
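---
# PingPanda CI pipeline: lint + test on every relevant change, then build a
# multi-arch image, push it to ghcr.io (main branch and releases only) and
# scan the pushed image with Trivy, uploading findings to the Security tab.
#
# NOTE(review): the forge rendered this file with its "hidden or bidirectional
# Unicode text" banner. Open the file in an editor that reveals invisible
# characters and confirm none are present before trusting what is shown.
name: PingPanda CI Pipeline

on:
  push:
    paths:
      - 'Dockerfile'
      - 'pingpanda.py'
      - 'requirements.txt'
      - 'pingpanda_core/**'
      - '.github/workflows/docker-image.yml'
  pull_request:
    paths:
      - 'Dockerfile'
      - 'pingpanda.py'
      - 'requirements.txt'
      - 'pingpanda_core/**'
      - '.github/workflows/docker-image.yml'
  release:
    types: [published]
  # Allow manual runs
  workflow_dispatch:

# Least privilege by default: every job gets a read-only GITHUB_TOKEN unless it
# asks for more below. Without this, lint-and-test inherits the repository
# default, which may be write-all.
permissions:
  contents: read

jobs:
  lint-and-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.11'
          cache: 'pip'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          # NOTE(review): these tool versions are unpinned; pin them (or move
          # them into a dev requirements file) if reproducible CI matters.
          pip install flake8 pytest pytest-timeout pytest-asyncio
          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi

      - name: Run tests
        run: |
          export PYTHONPATH="${PYTHONPATH}:${GITHUB_WORKSPACE}"
          pytest -q

      - name: Lint with flake8
        run: |
          # Stop the build if there are Python syntax errors or undefined names
          flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
          # Exit-zero treats all errors as warnings
          flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics

  build-and-push:
    runs-on: ubuntu-latest
    needs: lint-and-test
    permissions:
      # Nothing in this job writes to the repository (was 'write').
      contents: read
      # docker/login-action + push to ghcr.io
      packages: write
      # github/codeql-action/upload-sarif
      security-events: write
      # upload-sarif reads the run status; only required on private/internal repos
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0  # Fetch all history for proper versioning

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: amd64,arm64,arm

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log into GitHub Container Registry
        if: github.ref == 'refs/heads/main' || github.event_name == 'release'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # ghcr.io image names must be lowercase; the owner may not be. Read the
      # values from the runner-provided environment instead of interpolating
      # ${{ }} into the shell line, so no expression value is ever parsed as
      # shell syntax.
      - name: Prepare image metadata
        id: repo
        run: |
          owner_lower=$(printf '%s' "$GITHUB_REPOSITORY_OWNER" | tr '[:upper:]' '[:lower:]')
          short_sha=$(printf '%s' "$GITHUB_SHA" | cut -c1-7)
          echo "owner_lower=$owner_lower" >> "$GITHUB_OUTPUT"
          echo "short_sha=$short_sha" >> "$GITHUB_OUTPUT"

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v6
        with:
          images: ghcr.io/${{ steps.repo.outputs.owner_lower }}/pingpanda
          tags: |
            # Always add the git SHA
            type=sha,format=short
            # Add 'latest' tag for main branch
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
            # Add PR tag for pull requests
            type=ref,event=pr
            # Add branch tag
            type=ref,event=branch
            # Add semver tags for releases
            type=semver,pattern={{version}},enable=${{ github.event_name == 'release' }}
            type=semver,pattern={{major}}.{{minor}},enable=${{ github.event_name == 'release' }}
            type=semver,pattern={{major}},enable=${{ github.event_name == 'release' }}
          flavor: |
            latest=false # Explicitly control 'latest' tag separately

      - name: Build and push Docker image
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64,linux/arm/v7
          # Only publish from main or a published release; PRs build without pushing.
          push: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Scan the exact artifact that was pushed, addressed by digest rather than by
      # a mutable tag, so a re-tagged image can never be substituted for it.
      # NOTE(review): the image is already published by the time this runs and
      # findings do not fail the job (no exit-code set). If a gate is wanted, set
      # `exit-code: '1'` here and give the upload step `if: always()` so results
      # still reach the Security tab.
      - name: Run Trivy vulnerability scanner
        if: github.ref == 'refs/heads/main' || github.event_name == 'release'
        # Pinned to a release tag instead of the mutable 'master' branch; prefer
        # pinning to that tag's full commit SHA.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: ghcr.io/${{ steps.repo.outputs.owner_lower }}/pingpanda@${{ steps.build.outputs.digest }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'MEDIUM,CRITICAL,HIGH'
          hide-progress: false

      - name: Upload Trivy scan results to GitHub Security tab
        if: github.ref == 'refs/heads/main' || github.event_name == 'release'
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'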