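# GitHub Actions workflow: lint, tidy-check, test and scan the Go code in a
# Docker build, then build the multi-arch image and push it to Docker Hub.
name: CI

# Default GITHUB_TOKEN scope for every job. Nothing below writes through the
# workflow token: checkout only needs to read the repository, and the image
# push authenticates with DOCKERHUB_PASSWORD instead.
permissions:
  contents: read

# `on` is the GitHub Actions trigger key; a generic YAML 1.1 parser reads the
# key as boolean `true`, which GitHub's loader accounts for.
on:
  release:
    types:
      - published
  push:
    branches:
      - master
    paths:
      - .github/workflows/ci.yml
      - cmd/**
      - internal/**
      - pkg/**
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum
  pull_request:
    branches:
      - master
    paths:
      - .github/workflows/ci.yml
      - cmd/**
      - internal/**
      - pkg/**
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum

jobs:
  verify:
    # Run for pushes, published releases and pull requests whose head branch
    # lives in this repository; never for dependabot.
    if: |
      github.actor != 'dependabot[bot]' &&
      (github.event_name == 'push' ||
       github.event_name == 'release' ||
       (github.event_name == 'pull_request' &&
        github.event.pull_request.head.repo.full_name == github.repository))
    runs-on: ubuntu-latest
    env:
      DOCKER_BUILDKIT: "1"
    steps:
      - uses: actions/checkout@v2.4.0

      # Each quality gate is a Dockerfile stage, so the exact toolchain used
      # locally and in CI is the one pinned in the Dockerfile.
      - name: Linting
        run: docker build --target lint .

      - name: Go mod tidy check
        run: docker build --target tidy .

      - name: Build test image
        run: docker build --target test -t test-container .

      # The coverage file is created first so that the bind mount maps a file,
      # not a directory, into the container.
      - name: Run tests in test container
        run: |
          touch coverage.txt
          docker run --rm \
            -v "$(pwd)/coverage.txt:/tmp/gobuild/coverage.txt" \
            test-container

      # NOTE(review): `@master` is a mutable reference, so this step executes
      # whatever the upstream branch currently holds, with SNYK_TOKEN in its
      # environment. Pin to a release tag or commit SHA once one is chosen.
      - name: Code security analysis
        uses: snyk/actions/golang@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Build final image
        run: docker build -t final-image .

      # - name: Image security analysis
      #   uses: snyk/actions/docker@master
      #   env:
      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      #   with:
      #     image: final-image

  publish:
    # Run for pushes, published releases and pull requests whose head branch
    # lives in this repository.
    if: |
      github.event_name == 'push' ||
      github.event_name == 'release' ||
      (github.event_name == 'pull_request' &&
       github.event.pull_request.head.repo.full_name == github.repository)
    needs: [verify]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2.4.0

      # NOTE(review): the docker/* actions below are referenced by floating
      # major tags (`@v1`, `@v3`); pinning them to commit SHAs, as
      # build-push-action already is to a full version, narrows supply-chain
      # exposure.
      - uses: docker/setup-qemu-action@v1

      - uses: docker/setup-buildx-action@v1

      - uses: docker/login-action@v1
        with:
          username: qmcgaw
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      # Classifies the ref for the tagging rules below. Output `match` is:
      #   true          - semver tag v0.X.Y (no v{{major}} tag is published)
      #   true_nonzero  - semver tag with a non-zero major
      #   false / false_nonzero - not a semver tag (branch, PR merge ref, ...)
      # $GITHUB_REF is the runner-provided environment form of `github.ref`;
      # reading it from the environment keeps the ref value out of the script
      # text, so it is not re-parsed by the shell.
      # `::set-output` is the workflow-command form this file relies on; newer
      # runners expect the output to be appended to $GITHUB_OUTPUT instead.
      - name: Check for semver tag
        id: semvercheck
        run: |
          if [[ "$GITHUB_REF" =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            MATCH=true
          else
            MATCH=false
          fi
          if [[ ! "$GITHUB_REF" =~ ^refs/tags/v0\. ]]; then
            # Braces are required: `$MATCH_nonzero` reads the unset variable
            # MATCH_nonzero and produced an empty `match` output, so the
            # `true_nonzero` rule below never fired for non-v0 tags.
            MATCH="${MATCH}_nonzero"
          fi
          echo "::set-output name=match::$MATCH"

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      # NOTE(review): the `type=raw,value=latest` rule is enabled whenever
      # `match` does not start with `true`, which includes pull_request runs
      # (ref `refs/pull/N/merge` -> `false_nonzero`); same-repository PR builds
      # therefore appear to be pushed as `latest` - confirm this is intended.
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v3
        with:
          flavor: |
            latest=${{ github.ref == 'refs/heads/master' }}
          images: |
            qmcgaw/gluetun
            qmcgaw/private-internet-access
          tags: |
            type=ref,event=branch,enable=${{ github.ref != 'refs/heads/master' }}
            type=ref,event=pr
            type=ref,event=tag,enable=${{ !startsWith(steps.semvercheck.outputs.match, 'true') }}
            type=semver,pattern=v{{major}}.{{minor}}.{{patch}},enable=${{ startsWith(steps.semvercheck.outputs.match, 'true') }}
            type=semver,pattern=v{{major}}.{{minor}},enable=${{ startsWith(steps.semvercheck.outputs.match, 'true') }}
            type=semver,pattern=v{{major}},enable=${{ startsWith(steps.semvercheck.outputs.match, 'true_nonzero') }}
            type=raw,value=latest,enable=${{ !startsWith(steps.semvercheck.outputs.match, 'true') }}

      - name: Short commit
        id: shortcommit
        run: echo "::set-output name=value::$(git rev-parse --short HEAD)"

      # Build args are taken from the OCI labels computed by metadata-action so
      # the image's own VERSION/CREATED values agree with its labels.
      - name: Build and push final image
        uses: docker/build-push-action@v2.7.0
        with:
          platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v6,linux/arm/v7,linux/ppc64le
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            CREATED=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
            COMMIT=${{ steps.shortcommit.outputs.value }}
            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
          tags: ${{ steps.meta.outputs.tags }}
          push: true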