.github/workflows/ci.yml - third_party/github.com/moby/moby - Git at Google

 name: ci

 # Default to 'contents: read', which grants actions to read commits.
 #
 # If any permission is set, any permission not included in the list is
 # implicitly set to "none".
 #
 # see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read

 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true

 on:
   workflow_dispatch:
   push:
     branches:
       - 'master'
       - '[0-9]+.[0-9]+'
       - '[0-9]+.x'
   pull_request:

 env:
   DESTDIR: ./build
   SETUP_BUILDX_VERSION: edge
   SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
   validate-dco:
     uses: ./.github/workflows/.dco.yml

   build:
     runs-on: ubuntu-24.04
     timeout-minutes: 20 # guardrails timeout for the whole job
     needs:
       - validate-dco
     strategy:
       fail-fast: false
       matrix:
         target:
           - binary
           - dynbinary
     steps:
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
           buildkitd-flags: --debug
       -
         name: Build
         uses: docker/bake-action@v6
         with:
           targets: ${{ matrix.target }}
       -
         name: List artifacts
         run: |
           tree -nh ${{ env.DESTDIR }}
       -
         name: Check artifacts
         run: |
           find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +

   prepare-cross:
     runs-on: ubuntu-24.04
     timeout-minutes: 20 # guardrails timeout for the whole job
     if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - validate-dco
     outputs:
       matrix: ${{ steps.platforms.outputs.matrix }}
     steps:
       -
         name: Checkout
         uses: actions/checkout@v4
       -
         name: Create matrix
         id: platforms
         run: |
           matrix="$(docker buildx bake binary-cross --print | jq -cr '.target."binary-cross".platforms')"
           echo "matrix=$matrix" >> $GITHUB_OUTPUT
       -
         name: Show matrix
         run: |
           echo ${{ steps.platforms.outputs.matrix }}

   cross:
     runs-on: ubuntu-24.04
     timeout-minutes: 20 # guardrails timeout for the whole job
     if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - validate-dco
       - prepare-cross
     strategy:
       fail-fast: false
       matrix:
         platform: ${{ fromJson(needs.prepare-cross.outputs.matrix) }}
     steps:
       -
         name: Prepare
         run: |
           platform=${{ matrix.platform }}
           echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
           buildkitd-flags: --debug
       -
         name: Build
         uses: docker/bake-action@v6
         with:
           targets: all
           set: |
             *.platform=${{ matrix.platform }}
       -
         name: List artifacts
         run: |
           tree -nh ${{ env.DESTDIR }}
       -
         name: Check artifacts
         run: |
           find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +

   govulncheck:
     runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
     # Always run security checks, even with 'ci/validate-only' label
     permissions:
       # required to write sarif report
       security-events: write
       # required to check out the repository
       contents: read
     steps:
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
           buildkitd-flags: --debug
       -
         name: Run
         uses: docker/bake-action@v6
         with:
           targets: govulncheck
         env:
           GOVULNCHECK_FORMAT: sarif
       -
         name: Upload SARIF report
         if: ${{ github.event_name != 'pull_request' && github.repository == 'moby/moby' }}
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ env.DESTDIR }}/govulncheck.out

   build-dind:
     runs-on: ubuntu-24.04
     if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - validate-dco
     steps:
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
           buildkitd-flags: --debug
       -
         name: Build dind image
         uses: docker/bake-action@v6
         with:
           targets: dind
           set: |
             *.output=type=cacheonly
	name: ci

	# Default to 'contents: read', which grants actions to read commits.
	#
	# If any permission is set, any permission not included in the list is
	# implicitly set to "none".
	#
	# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
	permissions:
	contents: read

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	on:
	workflow_dispatch:
	push:
	branches:
	- 'master'
	- '[0-9]+.[0-9]+'
	- '[0-9]+.x'
	pull_request:

	env:
	DESTDIR: ./build
	SETUP_BUILDX_VERSION: edge
	SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

	jobs:
	validate-dco:
	uses: ./.github/workflows/.dco.yml

	build:
	runs-on: ubuntu-24.04
	timeout-minutes: 20 # guardrails timeout for the whole job
	needs:
	- validate-dco
	strategy:
	fail-fast: false
	matrix:
	target:
	- binary
	- dynbinary
	steps:
	-
	name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	with:
	version: ${{ env.SETUP_BUILDX_VERSION }}
	driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
	buildkitd-flags: --debug
	-
	name: Build
	uses: docker/bake-action@v6
	with:
	targets: ${{ matrix.target }}
	-
	name: List artifacts
	run: \|
	tree -nh ${{ env.DESTDIR }}
	-
	name: Check artifacts
	run: \|
	find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +

	prepare-cross:
	runs-on: ubuntu-24.04
	timeout-minutes: 20 # guardrails timeout for the whole job
	if: ${{ github.event_name != 'pull_request' \|\| !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
	needs:
	- validate-dco
	outputs:
	matrix: ${{ steps.platforms.outputs.matrix }}
	steps:
	-
	name: Checkout
	uses: actions/checkout@v4
	-
	name: Create matrix
	id: platforms
	run: \|
	matrix="$(docker buildx bake binary-cross --print \| jq -cr '.target."binary-cross".platforms')"
	echo "matrix=$matrix" >> $GITHUB_OUTPUT
	-
	name: Show matrix
	run: \|
	echo ${{ steps.platforms.outputs.matrix }}

	cross:
	runs-on: ubuntu-24.04
	timeout-minutes: 20 # guardrails timeout for the whole job
	if: ${{ github.event_name != 'pull_request' \|\| !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
	needs:
	- validate-dco
	- prepare-cross
	strategy:
	fail-fast: false
	matrix:
	platform: ${{ fromJson(needs.prepare-cross.outputs.matrix) }}
	steps:
	-
	name: Prepare
	run: \|
	platform=${{ matrix.platform }}
	echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
	-
	name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	with:
	version: ${{ env.SETUP_BUILDX_VERSION }}
	driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
	buildkitd-flags: --debug
	-
	name: Build
	uses: docker/bake-action@v6
	with:
	targets: all
	set: \|
	*.platform=${{ matrix.platform }}
	-
	name: List artifacts
	run: \|
	tree -nh ${{ env.DESTDIR }}
	-
	name: Check artifacts
	run: \|
	find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +

	govulncheck:
	runs-on: ubuntu-24.04
	timeout-minutes: 120 # guardrails timeout for the whole job
	# Always run security checks, even with 'ci/validate-only' label
	permissions:
	# required to write sarif report
	security-events: write
	# required to check out the repository
	contents: read
	steps:
	-
	name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	with:
	version: ${{ env.SETUP_BUILDX_VERSION }}
	driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
	buildkitd-flags: --debug
	-
	name: Run
	uses: docker/bake-action@v6
	with:
	targets: govulncheck
	env:
	GOVULNCHECK_FORMAT: sarif
	-
	name: Upload SARIF report
	if: ${{ github.event_name != 'pull_request' && github.repository == 'moby/moby' }}
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: ${{ env.DESTDIR }}/govulncheck.out

	build-dind:
	runs-on: ubuntu-24.04
	if: ${{ github.event_name != 'pull_request' \|\| !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
	needs:
	- validate-dco
	steps:
	-
	name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	with:
	version: ${{ env.SETUP_BUILDX_VERSION }}
	driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
	buildkitd-flags: --debug
	-
	name: Build dind image
	uses: docker/bake-action@v6
	with:
	targets: dind
	set: \|
	*.output=type=cacheonly