The lint-docker job in lint.yml requires security-events: write for SARIF upload; must be explicitly granted to the caller job. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
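---
# CI entry point: fan out to the reusable security/tests/lint workflows and,
# only on a push whose commit carries a `vX.Y.Z` tag, publish the image to GHCR.
name: CI

# `on` is a YAML 1.1 boolean key; GitHub's loader handles it as intended.
on:  # yamllint disable-line rule:truthy
  pull_request:
  push:
    branches:
      - "**"
    # Tag pushes are ignored; the publish job instead looks for a semver tag
    # pointing at the pushed branch commit (see the "Detect semver tag" step).
    tags-ignore:
      - "**"

# Least-privilege default for every job; jobs widen this explicitly below.
permissions:
  contents: read

jobs:
  security:
    name: Run security workflow
    uses: ./.github/workflows/security.yml
    # Reusable workflows only receive the scopes the caller grants here.
    permissions:
      contents: read
      packages: read
      security-events: write

  tests:
    name: Run test workflow
    uses: ./.github/workflows/tests.yml

  lint:
    name: Run lint workflow
    uses: ./.github/workflows/lint.yml
    # `security-events: write` is needed by the lint-docker job's SARIF upload.
    permissions:
      contents: read
      security-events: write

  publish:
    name: Publish image
    runs-on: ubuntu-latest
    # Publication is gated on all three upstream workflows succeeding and on the
    # event being a push (never a pull_request, whose token could come from a fork).
    needs:
      - security
      - tests
      - lint
    if: github.event_name == 'push'
    permissions:
      contents: read
      packages: write

    # NOTE(review): third-party actions are referenced by mutable major tags
    # (@v6, @v3). Pinning each to a full commit SHA would make the supply chain
    # reproducible; left unchanged here because the SHAs are not on this page.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Full history and tags are required for `git tag --points-at` below.
          fetch-depth: 0

      - name: Detect semver tag on current commit
        id: semver
        # Outputs: found (true/false), raw_tag (e.g. v1.2.3), version (e.g. 1.2.3).
        # `--sort=-v:refname` makes the choice deterministic when several semver
        # tags point at the same commit: the highest version wins, instead of the
        # first tag in git's default (lexicographic) order, where v1.10.0 sorts
        # before v1.9.0.
        run: |
          SEMVER_TAG="$(git tag --points-at "$GITHUB_SHA" --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1 || true)"
          if [ -n "$SEMVER_TAG" ]; then
            {
              echo "found=true"
              echo "raw_tag=$SEMVER_TAG"
              echo "version=${SEMVER_TAG#v}"
            } >> "$GITHUB_OUTPUT"
          else
            echo "found=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Compute image name
        if: steps.semver.outputs.found == 'true'
        id: image
        # GHCR requires a lowercase repository path; GITHUB_REPOSITORY may contain
        # uppercase characters from the owner or repo name.
        run: echo "name=ghcr.io/$(echo "${GITHUB_REPOSITORY}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        if: steps.semver.outputs.found == 'true'
        uses: docker/setup-buildx-action@v3

      - name: Login to GHCR
        if: steps.semver.outputs.found == 'true'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # The job-scoped GITHUB_TOKEN carries `packages: write` from the
          # permissions block above; no long-lived registry credential is needed.
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and publish image
        if: steps.semver.outputs.found == 'true'
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          # Image is tagged only with the detected semver version (no `latest`).
          tags: ${{ steps.image.outputs.name }}:${{ steps.semver.outputs.version }}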