From bb8b9ab6da71e56987b1e96638a33dfa2789a1e3 Mon Sep 17 00:00:00 2001
From: Krishan <33421343+kfiven@users.noreply.github.com>
Date: Wed, 4 Mar 2026 18:31:54 +1100
Subject: [PATCH] Add more docker related action checks (#2724)
* Pin all the action deps to SHA
* Add more docker related action checks
* Limit Docker build platforms to linux/amd64
Updated Docker build action to target only linux/amd64 platform.
---
 .github/workflows/docker-pr.yml | 43 ++++++++++++++++++++++++++++++-
 .github/workflows/prod-deploy.yml | 8 +++---
 2 files changed, 46 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml
index 4f1dba31..822b8f3f 100644
--- a/.github/workflows/docker-pr.yml
+++ b/.github/workflows/docker-pr.yml
@@ -10,11 +10,52 @@ on:
 jobs:
 docker-build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - name: Build Docker image
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+ - name: Login to Docker Hub #Do not update this action from a outside PR
+ if: github.event.pull_request.head.repo.fork == false
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Login to the Github Container registry #Do not update this action from a outside PR
+ if: github.event.pull_request.head.repo.fork == false
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker, GHCR
+ id: meta
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+ with:
+ images: |
+ ajbura/cinny
+ ghcr.io/${{ github.repository }}
+
+ - name: Build Docker image (no push)
 uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 context: .
+ platforms: linux/amd64
 push: false
+ load: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Show Docker images
+ run: docker images
diff --git a/.github/workflows/prod-deploy.yml b/.github/workflows/prod-deploy.yml
index b797b32c..2341e348 100644
--- a/.github/workflows/prod-deploy.yml
+++ b/.github/workflows/prod-deploy.yml
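Review bot: `permissions: packages: write` on the docker-build job is broader than the job needs — the build step keeps `push: false` (with `load: true`), so nothing is ever pushed to GHCR and `packages: read` would suffice; granting write to a PR-triggered job widens what a compromised step or action could do with `GITHUB_TOKEN`. The Docker Hub and GHCR logins are gated on `github.event.pull_request.head.repo.fork == false`, but the workflow's trigger sits above this hunk, so whether that guard is load-bearing (it matters under `pull_request_target`, where fork-origin code runs with secrets) or merely redundant with GitHub withholding secrets under plain `pull_request` cannot be confirmed from here. The inline comments read `#Do not update this action from a outside PR`; suggest `# Do not update this action from an outside PR` (space after `#`, "an"), here and in the prod-deploy.yml hunk where the same comments are introduced.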
@@ -59,7 +59,7 @@ jobs:
 cinny-${{ steps.vars.outputs.tag }}.tar.gz.asc
 publish-image:
- name: Push Docker image to Docker Hub, ghcr
+ name: Push Docker image to Docker Hub, GHCR
 runs-on: ubuntu-latest
 permissions:
 contents: read
@@ -71,18 +71,18 @@ jobs:
 uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- - name: Login to Docker Hub
+ - name: Login to Docker Hub #Do not update this action from a outside PR
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
- - name: Login to the Container registry
+ - name: Login to the Github Container registry #Do not update this action from a outside PR
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - name: Extract metadata (tags, labels) for Docker
+ - name: Extract metadata (tags, labels) for Docker, GHCR
 id: meta
 uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
 with: