docs: update README version references to 1.1.1, add missing document… #48
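---
# Build the MakerMatrix container image on every push / PR, smoke-test it,
# gate it on a Trivy scan, and push it to GHCR only for main, v* tags, or a
# manual run that explicitly opts in. A second Trivy pass scans the pushed
# image by digest and publishes SARIF to the Security tab.
#
# NOTE(review): every `uses:` below is pinned to a tag, not a commit SHA.
# Tags are mutable; pin to full SHAs (with a `# vX.Y.Z` comment) for a
# stronger supply-chain guarantee.
name: Docker Build and Push

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
    tags:
      - 'v*.*.*'
  pull_request:
    branches: [main]
  workflow_dispatch:
    inputs:
      push_image:
        description: 'Push image to registry (manual runs never push unless this is "true")'
        required: false
        default: 'false'

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  # Build, test and vulnerability-gate the image; push only when the policy
  # step says so. Exposes the pushed digest for the downstream scan job.
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      pull-requests: write  # required by the "Comment on PR" step
    outputs:
      # Empty unless the push step ran; security-scan keys off this.
      digest: ${{ steps.push.outputs.digest }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Nothing here pushes to git; don't leave the token in .git/config
          # where a later step (or the image build context) could read it.
          persist-credentials: false

      # Single source of truth for "should this run publish an image":
      # push events to main or a v* tag, or a manual run with push_image=true.
      # (The workflow_dispatch input was previously declared but never read.)
      - name: Decide whether to push
        id: policy
        env:
          EVENT: ${{ github.event_name }}
          REF: ${{ github.ref }}
          MANUAL_PUSH: ${{ inputs.push_image }}
        run: |
          set -euo pipefail
          push=false
          if [[ "$EVENT" == "push" && ( "$REF" == "refs/heads/main" || "$REF" == refs/tags/v* ) ]]; then
            push=true
          elif [[ "$EVENT" == "workflow_dispatch" && "$MANUAL_PUSH" == "true" ]]; then
            push=true
          fi
          echo "push=$push" >> "$GITHUB_OUTPUT"
          echo "Publish image: $push"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Only authenticate when we are actually going to push.
      - name: Log in to Container Registry
        if: steps.policy.outputs.push == 'true'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # Note: the semver patterns strip the leading "v", so tag v1.2.3
          # yields image tags 1.2.3, 1.2 and 1 (never "v1.2.3").
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha,prefix=sha-,enable={{is_default_branch}}
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Read application version
        id: version
        env:
          # Only populated on push events; empty for pull_request / dispatch.
          HEAD_COMMIT_TS: ${{ github.event.head_commit.timestamp }}
        run: |
          set -euo pipefail
          VERSION=$(grep -oP '__version__\s*=\s*"\K[^"]+' MakerMatrix/__init__.py)
          # The value is baked into build-args/labels and echoed into a PR
          # comment, and on PRs it is attacker-controlled. Accept only a
          # plain version token (this also fails the job on an empty match).
          if ! [[ "$VERSION" =~ ^[0-9A-Za-z.+-]+$ ]]; then
            echo "::error::unexpected __version__ value in MakerMatrix/__init__.py: '$VERSION'"
            exit 1
          fi
          BUILD_DATE="${HEAD_COMMIT_TS:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
          echo "app_version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "build_date=$BUILD_DATE" >> "$GITHUB_OUTPUT"
          echo "📦 Application version: $VERSION (build date: $BUILD_DATE)"

      # Build locally (load into the daemon) so the image can be tested and
      # scanned before anything reaches the registry.
      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            VERSION=${{ steps.version.outputs.app_version }}
            BUILD_DATE=${{ steps.version.outputs.build_date }}
            VCS_REF=${{ github.sha }}

      - name: Smoke-test Docker image
        id: smoke
        env:
          # Passed through env rather than interpolated into the script.
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          set -euo pipefail
          echo "🧪 Testing Docker image..."
          # First tag from the metadata action is the primary one.
          IMAGE_TAG=$(printf '%s\n' "$TAGS" | head -n 1)
          echo "Testing image: $IMAGE_TAG"
          docker run --rm "$IMAGE_TAG" python -c "import MakerMatrix; print(f'MakerMatrix v{MakerMatrix.__version__}')"
          echo "image=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
          echo "✅ Docker image test passed"

      # Gate: fail the job (and therefore skip the push) on unfixed-or-not
      # CRITICAL/HIGH findings in the locally built image. Previously the
      # only scan ran after the push and could never block it.
      - name: Scan image before publishing (gate)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ steps.smoke.outputs.image }}
          format: 'table'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true
          exit-code: '1'

      # Re-runs the build with the same inputs; the GHA cache makes this a
      # cache hit rather than a fresh build.
      - name: Push Docker image
        id: push
        if: steps.policy.outputs.push == 'true'
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            VERSION=${{ steps.version.outputs.app_version }}
            BUILD_DATE=${{ steps.version.outputs.build_date }}
            VCS_REF=${{ github.sha }}

      # The original referenced steps.build-and-push (the job id, not a step
      # id) and therefore always printed an empty digest.
      - name: Image digest
        if: steps.push.outcome == 'success'
        env:
          DIGEST: ${{ steps.push.outputs.digest }}
        run: echo "Pushed image digest: $DIGEST"

      - name: Comment on PR with image info
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        # A PR from a fork gets a read-only token and this call returns 403;
        # a failed courtesy comment should not fail the build.
        continue-on-error: true
        env:
          APP_VERSION: ${{ steps.version.outputs.app_version }}
          IMAGE_TAGS: ${{ steps.meta.outputs.tags }}
        with:
          script: |
            // Read PR-derived values from env instead of splicing ${{ }}
            // expressions into JavaScript source (that was code injection
            // with the job's GITHUB_TOKEN).
            const version = process.env.APP_VERSION;
            const tags = process.env.IMAGE_TAGS.split('\n').filter(Boolean);
            let comment = '## 🐳 Docker Build Successful\n\n';
            comment += `**Application Version:** v${version}\n\n`;
            comment += '**Image Tags:**\n';
            for (const tag of tags) {
              comment += `- \`${tag}\`\n`;
            }
            comment += '\n_Note: Image was built but not pushed for PR builds_\n';
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: comment
            });

  # Post-publish scan of exactly the pushed bytes (by digest, not by a
  # re-derived tag: the old tag logic looked for ":v1.2.3", which the
  # metadata action never creates). Results go to the Security tab.
  security-scan:
    runs-on: ubuntu-latest
    needs: build-and-push
    if: needs.build-and-push.outputs.digest != ''
    permissions:
      contents: read
      packages: read
      security-events: write  # upload-sarif
    steps:
      # Needed so Trivy can pull a private GHCR package.
      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push.outputs.digest }}
          format: 'sarif'
          output: 'trivy-results.sarif'
        # Reporting only; the blocking scan already ran before the push.
        continue-on-error: true

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
        continue-on-error: true

      - name: Generate Trivy report
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push.outputs.digest }}
          format: 'table'
          output: 'trivy-report.txt'
        continue-on-error: true

      - name: Upload Trivy report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: trivy-security-report
          path: trivy-report.txt
          retention-days: 30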