#
# Copyright (c) 2020, The OpenThread Authors.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. Neither the name of the copyright holder nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

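# Builds the Docker image(s) listed in the job matrix with Buildx and, for
# non-pull-request runs in openthread/openthread, pushes them to Docker Hub.
name: Docker

# Runs on pushes to every branch except dependabot/**, and on pull requests
# that target main. The trigger is `pull_request` (not `pull_request_target`),
# so runs for pull requests from forks get no repository secrets.
on:
  push:
    branches-ignore:
      - 'dependabot/**'
  pull_request:
    branches:
      - 'main'

# Group key: the PR number for pull requests; otherwise the unique run id in
# openthread/openthread (so those runs never share a group and are never
# cancelled); otherwise the ref, so in other repositories a newer push cancels
# the older run on the same ref.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || (github.repository == 'openthread/openthread' && github.run_id) || github.ref }}
  cancel-in-progress: true

# Least privilege for GITHUB_TOKEN: read-only repository contents. The registry
# push below authenticates with separate Docker Hub credentials.
permissions:  # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:

  buildx:
    name: buildx-${{ matrix.docker_name }}
    # NOTE(review): GitHub has retired the hosted ubuntu-20.04 image; confirm
    # and move to a currently supported runner label.
    runs-on: ubuntu-20.04
    strategy:
      fail-fast: false
      matrix:
        include:
          - docker_name: environment
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the release tag each SHA corresponds to.
      - name: Harden Runner
        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423  # v2.6.0
        with:
          # audit only records outbound connections, it does not stop them.
          # Switching to block also needs an allowed-endpoints list.
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs

      # NOTE(review): checkout keeps the job token in .git/config by default
      # (persist-credentials) and the build context below is `.`; confirm the
      # Dockerfile / .dockerignore keep .git out of the pushed image, or set
      # persist-credentials: false.
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
        with:
          submodules: true

      # Computes the image name, tag and the full buildx argument list once and
      # exports them as step outputs for the build, push and inspect steps.
      - name: Prepare
        id: prepare
        env:
          # Passed through the environment instead of being expanded into the
          # script text, so the value is never parsed as shell source.
          DOCKER_NAME: ${{ matrix.docker_name }}
        run: |
          DOCKER_IMAGE="openthread/${DOCKER_NAME}"
          DOCKER_FILE="etc/docker/${DOCKER_NAME}/Dockerfile"
          DOCKER_PLATFORMS=linux/amd64
          VERSION=latest

          TAGS="--tag ${DOCKER_IMAGE}:${VERSION}"

          echo "docker_image=${DOCKER_IMAGE}" >> "$GITHUB_OUTPUT"
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          # The backslash-newlines sit inside double quotes, so the shell joins
          # them and buildx_args is written as a single output line.
          # GITHUB_SHA is the runner-provided equivalent of github.sha.
          echo "buildx_args=--platform ${DOCKER_PLATFORMS} \
            --build-arg OT_GIT_REF=${GITHUB_SHA} \
            --build-arg VERSION=${VERSION} \
            --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
            --build-arg VCS_REF=${GITHUB_SHA::8} \
            ${TAGS} --file ${DOCKER_FILE} ." >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1  # v2.9.1

      # Build-only pass: runs for every event, including pull requests, and
      # never touches the registry.
      - name: Docker Buildx (build)
        env:
          BUILDX_ARGS: ${{ steps.prepare.outputs.buildx_args }}
        run: |
          # Unquoted on purpose: BUILDX_ARGS is a space-separated argument list.
          docker buildx build --output "type=image,push=false" ${BUILDX_ARGS}

      # Registry credentials are only requested in the upstream repository and
      # never for pull_request events.
      - name: Login to DockerHub
        if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc  # v2.2.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # NOTE(review): VERSION is fixed to `latest` and the push trigger covers
      # every non-dependabot branch, so a push to any such branch of
      # openthread/openthread republishes the :latest tag. Confirm that is
      # intended, or restrict this step to the main branch.
      - name: Docker Buildx (push)
        if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
        env:
          BUILDX_ARGS: ${{ steps.prepare.outputs.buildx_args }}
        run: |
          # Unquoted on purpose: BUILDX_ARGS is a space-separated argument list.
          docker buildx build --output "type=image,push=true" ${BUILDX_ARGS}

      # always(): runs even when an earlier step failed, and reports the
      # manifest the registry currently serves for the tag.
      - name: Inspect Image
        if: always() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
        env:
          DOCKER_IMAGE: ${{ steps.prepare.outputs.docker_image }}
          VERSION: ${{ steps.prepare.outputs.version }}
        run: |
          docker buildx imagetools inspect "${DOCKER_IMAGE}:${VERSION}"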