Build Zerotier Dev - UBI version #541
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Zerotier Dev - UBI version | |
| on: | |
| push: | |
| paths: | |
| - .github/workflows/build-dev-ubi.yml | |
| - Dockerfile | |
| - /patches/*.patch | |
| branches: | |
| - main | |
| schedule: | |
| - cron: '0 0 * * *' | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| name: Build and push to registry | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install qemu dependency | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Clone the repository | |
| uses: actions/checkout@v4 | |
| - name: Environment Vars setup | |
| run: | | |
| echo "zt_dev_sha=$(git ls-remote https://github.com/zerotier/ZeroTierOne.git --head refs/heads/dev | awk '{print $1}')" >> "$GITHUB_ENV" | |
| - name: Tar as root | |
| run: | | |
| sudo mv -fv /usr/bin/tar /usr/bin/tar.orig | |
| echo -e '#!/bin/sh\n\nsudo /usr/bin/tar.orig "$@"' | sudo tee -a /usr/bin/tar | |
| sudo chmod +x /usr/bin/tar | |
| - name: Enable caching for podman | |
| id: cache-podman | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.local/share/containers | |
| key: ${{ runner.os }}-${{ runner.arch }}-zerotier-docker-ubi-dev | |
| - name: Podman Socket | |
| run: | | |
| podman system service --time=0 unix:///tmp/podman.sock & | |
| - name: Log in to Quay | |
| uses: redhat-actions/podman-login@v1 | |
| with: | |
| registry: "quay.io" | |
| username: ${{ secrets.ZENITH_QUAY_USER }} | |
| password: ${{ secrets.ZENITH_QUAY_TOKEN }} | |
| - name: Log in to registry.redhat.io | |
| uses: redhat-actions/podman-login@v1 | |
| with: | |
| registry: "registry.redhat.io" | |
| username: ${{ secrets.ZENITH_REDHAT_USER }} | |
| password: ${{ secrets.ZENITH_REDHAT_TOKEN }} | |
| - name: Remove localhost/zerotier-docker:dev | |
| run: | | |
| podman image rm -f localhost/zerotier-docker:dev || true | |
| - name: Build container for UBI - origin branch dev | |
| id: build-dev | |
| uses: redhat-actions/buildah-build@v2 | |
| with: | |
| image: zerotier-docker | |
| tags: dev | |
| layers: true | |
| platforms: linux/amd64, linux/arm64, linux/ppc64le | |
| containerfiles: | | |
| ./Dockerfile | |
| build-args: | | |
| zt_version=dev | |
| - name: Build container for UBI - origin branch dev - sha commit | |
| id: build-sha | |
| uses: redhat-actions/buildah-build@v2 | |
| with: | |
| image: zerotier-docker | |
| tags: ${{ env.zt_dev_sha }} | |
| layers: true | |
| platforms: linux/amd64, linux/arm64, linux/ppc64le | |
| labels: | | |
| quay.expires-after=1w | |
| containerfiles: | | |
| ./Dockerfile | |
| build-args: | | |
| zt_version=dev | |
| quay_expiration=1w | |
| - name: Push to Quay - origin branch dev | |
| uses: redhat-actions/push-to-registry@v2 | |
| with: | |
| image: ${{ steps.build-dev.outputs.image }} | |
| tags: ${{ steps.build-dev.outputs.tags }} | |
| registry: quay.io/zenithtecnologia | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@0.27.0 | |
| with: | |
| image-ref: '${{ steps.build-dev.outputs.image }}' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| format: 'sarif' | |
| output: zerotier-docker-ubi-dev.sarif | |
| limit-severities-for-sarif: true | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'zerotier-docker-ubi-dev.sarif' |