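---
# Docker Image CI
#
# Two jobs:
#   test  - runs the Django test suite on every push and pull request.
#   build - on pushes to `main` only, builds a multi-arch image, pushes it to
#           ghcr.io and signs the digest with keyless cosign (Sigstore).
name: Docker Image CI

on:
  push:
    branches:
      - '**'
  pull_request:
    branches:
      - '**'

# Least-privilege default for the GITHUB_TOKEN of every job. Without this the
# `test` job (which runs for every branch and pull request) would inherit the
# repository's default token permissions. The `build` job below raises what it
# needs explicitly.
permissions:
  contents: read

env:
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}

jobs:

  test:
    runs-on: ubuntu-latest

    steps:
      # NOTE(review): these two actions are pinned to a major tag rather than a
      # commit SHA, unlike the docker/* actions below. A tag can be re-pointed;
      # pin to a full SHA (with the version in a trailing comment) to match.
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          # Quoted so that a future value such as "3.10" is not parsed as the
          # float 3.1.
          python-version: "3.12"

      - name: Install Poetry
        # pipx is preinstalled on the ubuntu runner image and installs from
        # PyPI, which avoids piping an unpinned remote installer script into
        # python3. The Poetry version itself is still unpinned; add
        # `poetry==<version>` here to make the toolchain reproducible.
        run: |
          pipx install poetry

      - name: Install dependencies
        run: |
          poetry install

      - name: Run tests
        env:
          # Throwaway values for the test run only; they must never be reused
          # for a deployment. Kept as quoted strings so YAML does not retype
          # them (DEBUG is read as the literal text 'True', not a boolean).
          SECRET_KEY: 'asdf'
          DEBUG: 'True'
          ALLOWED_HOSTS: 'localhost'
        run: |
          poetry run python manage.py test

  build:
    runs-on: ubuntu-latest
    # Only pushes to `main` build, publish and sign an image. Because of this
    # gate the per-step `pull_request` checks below can never be false; they
    # are kept as defence in depth in case the trigger is ever widened.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    permissions:
      contents: read
      packages: write  # push the image to ghcr.io with GITHUB_TOKEN
      id-token: write  # OIDC token used by cosign for keyless signing

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Install the cosign tool except on PR
      # https://github.com/sigstore/cosign-installer
      # NOTE(review): pinned to a release tag, not a commit SHA, unlike the
      # docker/* actions below; consider SHA-pinning for consistency.
      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@v3.3.0
        with:
          cosign-release: "v2.2.2"

      # Set up BuildKit Docker container builder to be able to build
      # multi-platform images and export cache
      # https://github.com/docker/setup-buildx-action
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into registry ghcr.io
        if: github.event_name != 'pull_request'
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          # The job-scoped GITHUB_TOKEN with `packages: write` is the
          # least-privilege credential here. Prefer it over a long-lived PAT;
          # a PAT should typically only be needed if the package is not
          # linked to this repository.
          password: ${{ secrets.GITHUB_TOKEN }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
        with:
          tags: |
            type=raw,value=latest,enable={{is_default_branch}}
            type=ref,event=branch
            type=raw,value={{branch}}-{{date 'X'}},enable=${{ github.event_name != 'pull_request' }}
            type=raw,value={{base_ref}}-{{date 'X'}},enable=${{ github.event_name == 'pull_request' }}
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          platforms: linux/amd64,linux/arm64
          labels: ${{ steps.meta.outputs.labels }}
          # The GHA cache is written only from `main` (see the job `if`), so
          # pull-request branches cannot seed it.
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Sign the resulting Docker image digest except on PRs.
      # This will only write to the public Rekor transparency log when the Docker
      # repository is public to avoid leaking data. If you would like to publish
      # transparency data even for private images, pass --force to cosign below.
      # https://github.com/sigstore/cosign
      - name: Sign the published Docker image
        if: ${{ github.event_name != 'pull_request' }}
        env:
          # Step outputs are passed through environment variables rather than
          # interpolated into the shell line, so a crafted tag cannot become
          # shell syntax:
          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance. Each tag is signed
        # pinned to the pushed digest (`tag@sha256:...`), not by mutable tag.
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}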