diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1a270a8..35f9597 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -85,7 +85,7 @@ jobs:
 id: cache-container-image
 uses: actions/cache@v4
 with:
- key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
+ key: v3-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
 path: |
 share/container.tar.gz
 share/image-id.txt
@@ -97,6 +97,7 @@ jobs:
 python3 ./install/common/build-image.py
 echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
 gunzip -c share/container.tar.gz | podman load
+ tag=$(cat share/image-id.txt)
 podman push \
- dangerzone.rocks/dangerzone \
- ${{ env.IMAGE_REGISTRY }}/dangerzone/dangerzone
+ dangerzone.rocks/dangerzone:$tag \
+ ${{ env.IMAGE_REGISTRY }}/dangerzone/dangerzone:tag
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1f54f8e..4af11d2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -59,7 +59,7 @@ jobs:
 id: cache-container-image
 uses: actions/cache@v4
 with:
- key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
+ key: v3-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
 path: |-
 share/container.tar.gz
 share/image-id.txt
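Review bot: The last added line of the `@@ -97,6 +97,7 @@` hunk pushes to the literal reference `${{ env.IMAGE_REGISTRY }}/dangerzone/dangerzone:tag` — the `$` is missing — so the registry copy is published under the tag `tag` instead of the id read from share/image-id.txt, while the local side on the line above correctly uses `:$tag`; change it to `${{ env.IMAGE_REGISTRY }}/dangerzone/dangerzone:$tag`. Because `tag` comes from `cat share/image-id.txt` (presumably a single-line id, though the file's format is not visible here), it is also worth failing early if the file is empty, `[ -n "$tag" ] || exit 1`, since otherwise the push would target a reference ending in a bare `:`. The `run:` script containing these lines starts before the hunk.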
@@ -227,7 +227,7 @@ jobs:
 - name: Restore container cache
 uses: actions/cache/restore@v4
 with:
- key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
+ key: v3-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
 path: |-
 share/container.tar.gz
 share/image-id.txt
@@ -334,7 +334,7 @@ jobs:
 - name: Restore container image
 uses: actions/cache/restore@v4
 with:
- key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
+ key: v3-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
 path: |-
 share/container.tar.gz
 share/image-id.txt
@@ -429,7 +429,7 @@ jobs:
 - name: Restore container image
 uses: actions/cache/restore@v4
 with:
- key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
+ key: v3-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
 path: |-
 share/container.tar.gz
 share/image-id.txt
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 3080476..d985109 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -20,13 +20,18 @@ jobs:
 run: sudo apt install pipx && pipx install poetry
 - name: Build container image
 run: python3 ./install/common/build-image.py --runtime docker --no-save
+ - name: Get image tag
+ id: tag
+ run: |
+ tag=$(docker images dangerzone.rocks/dangerzone --format '{{ .Tag }}')
+ echo "tag=$tag" >> $GITHUB_OUTPUT
 # NOTE: Scan first without failing, else we won't be able to read the scan
 # report.
 - name: Scan container image (no fail)
 uses: anchore/scan-action@v5
 id: scan_container
 with:
- image: "dangerzone.rocks/dangerzone:latest"
+ image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}"
 fail-build: false
 only-fixed: false
 severity-cutoff: critical
@@ -40,7 +45,7 @@ jobs:
 - name: Scan container image
 uses: anchore/scan-action@v5
 with:
- image: "dangerzone.rocks/dangerzone:latest"
+ image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}"
 fail-build: true
 only-fixed: false
 severity-cutoff: critical
diff --git a/.github/workflows/scan_released.yml b/.github/workflows/scan_released.yml
index 2bba78c..0333e49 100644
--- a/.github/workflows/scan_released.yml
+++ b/.github/workflows/scan_released.yml
@@ -24,13 +24,18 @@ jobs:
 CONTAINER_FILENAME=container-${VERSION:1}-${{ matrix.arch }}.tar.gz
 wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/${CONTAINER_FILENAME} -O ${CONTAINER_FILENAME}
 docker load -i ${CONTAINER_FILENAME}
+ - name: Get image tag
+ id: tag
+ run: |
+ tag=$(docker images dangerzone.rocks/dangerzone --format '{{ .Tag }}')
+ echo "tag=$tag" >> $GITHUB_OUTPUT
 # NOTE: Scan first without failing, else we won't be able to read the scan
 # report.
 - name: Scan container image (no fail)
 uses: anchore/scan-action@v5
 id: scan_container
 with:
- image: "dangerzone.rocks/dangerzone:latest"
+ image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}"
 fail-build: false
 only-fixed: false
 severity-cutoff: critical
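Review bot: The new `Get image tag` step in the `@@ -20,13 +20,18 @@` hunk writes whatever `docker images dangerzone.rocks/dangerzone --format '{{ .Tag }}'` prints straight into `$GITHUB_OUTPUT`, so if more than one tag exists for that repository the value is multi-line (which the single-line `tag=…` output syntax cannot carry), and if the image is absent the value is empty and both scan steps receive the invalid reference `dangerzone.rocks/dangerzone:`. Neither case fails the step, because `docker images` exits 0 with no output, so the vulnerability scan could silently run against the wrong image or fail later with an unrelated error. The identical step is added in the `@@ -24,13 +24,18 @@` hunk of scan_released.yml, where a loaded release tarball may plausibly carry more than one tag. Validate that exactly one non-empty tag was found before exporting it, and quote `"$GITHUB_OUTPUT"`:

```yaml
      - name: Get image tag
        id: tag
        run: |
          tag=$(docker images dangerzone.rocks/dangerzone --format '{{ .Tag }}')
          if [ -z "$tag" ] || [ "$(printf '%s\n' "$tag" | wc -l)" -ne 1 ]; then
            echo "expected exactly one tag for dangerzone.rocks/dangerzone, got: '$tag'" >&2
            exit 1
          fi
          echo "tag=$tag" >> "$GITHUB_OUTPUT"
      # … unchanged: scan steps …
```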
@@ -44,7 +49,7 @@ jobs:
 - name: Scan container image
 uses: anchore/scan-action@v5
 with:
- image: "dangerzone.rocks/dangerzone:latest"
+ image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}"
 fail-build: true
 only-fixed: false
 severity-cutoff: critical