.github/workflows/docker.yml - third_party/openthread - Git at Google

 #
 #  Copyright (c) 2020, The OpenThread Authors.
 #  All rights reserved.
 #
 #  Redistribution and use in source and binary forms, with or without
 #  modification, are permitted provided that the following conditions are met:
 #  1. Redistributions of source code must retain the above copyright
 #     notice, this list of conditions and the following disclaimer.
 #  2. Redistributions in binary form must reproduce the above copyright
 #     notice, this list of conditions and the following disclaimer in the
 #     documentation and/or other materials provided with the distribution.
 #  3. Neither the name of the copyright holder nor the
 #     names of its contributors may be used to endorse or promote products
 #     derived from this software without specific prior written permission.
 #
 #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 #  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 #  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 #  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 #  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 #  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 #  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 #  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 #  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 #  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 #  POSSIBILITY OF SUCH DAMAGE.
 #

 name: Docker

 on:
   push:
     branches-ignore:
       - 'dependabot/**'
   pull_request:
     branches:
       - 'main'

 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || (github.repository == 'openthread/openthread' && github.run_id) || github.ref }}
   cancel-in-progress: true

 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read

 jobs:

   buildx:
     name: buildx-${{ matrix.docker_name }}
     runs-on: ubuntu-20.04
     strategy:
       fail-fast: false
       matrix:
         include:
           - docker_name: environment
     steps:
     - name: Harden Runner
       uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

     - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       with:
         submodules: true

     - name: Prepare
       id: prepare
       run: |
         DOCKER_IMAGE=openthread/${{ matrix.docker_name }}
         DOCKER_FILE=etc/docker/${{ matrix.docker_name }}/Dockerfile
         DOCKER_PLATFORMS=linux/amd64
         VERSION=latest

         TAGS="--tag ${DOCKER_IMAGE}:${VERSION}"

         echo "docker_image=${DOCKER_IMAGE}" >> $GITHUB_OUTPUT
         echo "version=${VERSION}" >> $GITHUB_OUTPUT
         echo "buildx_args=--platform ${DOCKER_PLATFORMS} \
           --build-arg OT_GIT_REF=${{ github.sha }} \
           --build-arg VERSION=${VERSION} \
           --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
           --build-arg VCS_REF=${GITHUB_SHA::8} \
           ${TAGS} --file ${DOCKER_FILE} ." >> $GITHUB_OUTPUT

     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1

     - name: Docker Buildx (build)
       run: |
         docker buildx build --output "type=image,push=false" ${{ steps.prepare.outputs.buildx_args }}

     - name: Login to DockerHub
       if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
       uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
       with:
         username: ${{ secrets.DOCKER_USERNAME }}
         password: ${{ secrets.DOCKER_PASSWORD }}

     - name: Docker Buildx (push)
       if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
       run: |
         docker buildx build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }}

     - name: Inspect Image
       if: always() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
       run: |
         docker buildx imagetools inspect ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
	#
	# Copyright (c) 2020, The OpenThread Authors.
	# All rights reserved.
	#
	# Redistribution and use in source and binary forms, with or without
	# modification, are permitted provided that the following conditions are met:
	# 1. Redistributions of source code must retain the above copyright
	# notice, this list of conditions and the following disclaimer.
	# 2. Redistributions in binary form must reproduce the above copyright
	# notice, this list of conditions and the following disclaimer in the
	# documentation and/or other materials provided with the distribution.
	# 3. Neither the name of the copyright holder nor the
	# names of its contributors may be used to endorse or promote products
	# derived from this software without specific prior written permission.
	#
	# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
	# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
	# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
	# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	# POSSIBILITY OF SUCH DAMAGE.
	#

	name: Docker

	on:
	push:
	branches-ignore:
	- 'dependabot/**'
	pull_request:
	branches:
	- 'main'

	concurrency:
	group: ${{ github.workflow }}-${{ github.event.pull_request.number \|\| (github.repository == 'openthread/openthread' && github.run_id) \|\| github.ref }}
	cancel-in-progress: true

	permissions: # added using https://github.com/step-security/secure-workflows
	contents: read

	jobs:

	buildx:
	name: buildx-${{ matrix.docker_name }}
	runs-on: ubuntu-20.04
	strategy:
	fail-fast: false
	matrix:
	include:
	- docker_name: environment
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
	with:
	egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

	- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
	with:
	submodules: true

	- name: Prepare
	id: prepare
	run: \|
	DOCKER_IMAGE=openthread/${{ matrix.docker_name }}
	DOCKER_FILE=etc/docker/${{ matrix.docker_name }}/Dockerfile
	DOCKER_PLATFORMS=linux/amd64
	VERSION=latest

	TAGS="--tag ${DOCKER_IMAGE}:${VERSION}"

	echo "docker_image=${DOCKER_IMAGE}" >> $GITHUB_OUTPUT
	echo "version=${VERSION}" >> $GITHUB_OUTPUT
	echo "buildx_args=--platform ${DOCKER_PLATFORMS} \
	--build-arg OT_GIT_REF=${{ github.sha }} \
	--build-arg VERSION=${VERSION} \
	--build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
	--build-arg VCS_REF=${GITHUB_SHA::8} \
	${TAGS} --file ${DOCKER_FILE} ." >> $GITHUB_OUTPUT

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1

	- name: Docker Buildx (build)
	run: \|
	docker buildx build --output "type=image,push=false" ${{ steps.prepare.outputs.buildx_args }}

	- name: Login to DockerHub
	if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
	uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}

	- name: Docker Buildx (push)
	if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
	run: \|
	docker buildx build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }}

	- name: Inspect Image
	if: always() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
	run: \|
	docker buildx imagetools inspect ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}