ci: Work with image tarballs that are not tagged as 'latest'

Now that our image tarball is not tagged as 'latest', we must first grab
the image tag, and then refer to it. We can grab the tag either
from `share/image-id.txt` (if available) or with:

    docker load dangerzone.rocks/dangerzone --format {{ .Tag }}
This commit is contained in:
Alex Pyrgiotis 2024-12-04 18:04:43 +02:00
parent ec9f8835e0
commit 3eac00b873
No known key found for this signature in database
GPG key ID: B6C15EBA0357C9AA
4 changed files with 22 additions and 11 deletions


@ -85,7 +85,7 @@ jobs:
id: cache-container-image id: cache-container-image
uses: actions/cache@v4 uses: actions/cache@v4
with: with:
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }} key: v3-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
path: | path: |
share/container.tar.gz share/container.tar.gz
share/image-id.txt share/image-id.txt
@ -97,6 +97,7 @@ jobs:
python3 ./install/common/build-image.py python3 ./install/common/build-image.py
echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
gunzip -c share/container.tar.gz | podman load gunzip -c share/container.tar.gz | podman load
tag=$(cat share/image-id.txt)
podman push \ podman push \
dangerzone.rocks/dangerzone \ dangerzone.rocks/dangerzone:$tag \
${{ env.IMAGE_REGISTRY }}/dangerzone/dangerzone ${{ env.IMAGE_REGISTRY }}/dangerzone/dangerzone:tag
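Review bot: The push destination on the last line uses the literal string `tag` instead of the shell variable, so the image is published as `.../dangerzone/dangerzone:tag` while the source reference reads `dangerzone.rocks/dangerzone:$tag`; the line should be `${{ env.IMAGE_REGISTRY }}/dangerzone/dangerzone:$tag`. The new `tag=$(cat share/image-id.txt)` line also has no guard for a missing or empty file, in which case the source reference degrades to `dangerzone.rocks/dangerzone:` and the push fails with an unrelated-looking error; a `test -n "$tag"` after reading it, and quoting as `"$tag"` in both references, would make the failure explicit. The `run:` script of this step starts outside the hunk, so it is unclear from here whether the shell runs with `-e`.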


@ -59,7 +59,7 @@ jobs:
id: cache-container-image id: cache-container-image
uses: actions/cache@v4 uses: actions/cache@v4
with: with:
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }} key: v3-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
path: |- path: |-
share/container.tar.gz share/container.tar.gz
share/image-id.txt share/image-id.txt
@ -227,7 +227,7 @@ jobs:
- name: Restore container cache - name: Restore container cache
uses: actions/cache/restore@v4 uses: actions/cache/restore@v4
with: with:
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }} key: v3-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
path: |- path: |-
share/container.tar.gz share/container.tar.gz
share/image-id.txt share/image-id.txt
@ -334,7 +334,7 @@ jobs:
- name: Restore container image - name: Restore container image
uses: actions/cache/restore@v4 uses: actions/cache/restore@v4
with: with:
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }} key: v3-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
path: |- path: |-
share/container.tar.gz share/container.tar.gz
share/image-id.txt share/image-id.txt
@ -429,7 +429,7 @@ jobs:
- name: Restore container image - name: Restore container image
uses: actions/cache/restore@v4 uses: actions/cache/restore@v4
with: with:
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }} key: v3-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
path: |- path: |-
share/container.tar.gz share/container.tar.gz
share/image-id.txt share/image-id.txt


@ -20,13 +20,18 @@ jobs:
run: sudo apt install pipx && pipx install poetry run: sudo apt install pipx && pipx install poetry
- name: Build container image - name: Build container image
run: python3 ./install/common/build-image.py --runtime docker --no-save run: python3 ./install/common/build-image.py --runtime docker --no-save
- name: Get image tag
id: tag
run: |
tag=$(docker images dangerzone.rocks/dangerzone --format '{{ .Tag }}')
echo "tag=$tag" >> $GITHUB_OUTPUT
# NOTE: Scan first without failing, else we won't be able to read the scan # NOTE: Scan first without failing, else we won't be able to read the scan
# report. # report.
- name: Scan container image (no fail) - name: Scan container image (no fail)
uses: anchore/scan-action@v5 uses: anchore/scan-action@v5
id: scan_container id: scan_container
with: with:
image: "dangerzone.rocks/dangerzone:latest" image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}"
fail-build: false fail-build: false
only-fixed: false only-fixed: false
severity-cutoff: critical severity-cutoff: critical
@ -40,7 +45,7 @@ jobs:
- name: Scan container image - name: Scan container image
uses: anchore/scan-action@v5 uses: anchore/scan-action@v5
with: with:
image: "dangerzone.rocks/dangerzone:latest" image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}"
fail-build: true fail-build: true
only-fixed: false only-fixed: false
severity-cutoff: critical severity-cutoff: critical
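Review bot: The new "Get image tag" step assumes `docker images dangerzone.rocks/dangerzone --format '{{ .Tag }}'` prints exactly one line, but it prints one line per image with that repository name and nothing when there is none; a stale or duplicate image would put a multi-line value into `$GITHUB_OUTPUT`, and an empty result makes both scan steps target `dangerzone.rocks/dangerzone:` rather than failing at the step that went wrong. I would pin the selection and fail early: `tag=$(docker images dangerzone.rocks/dangerzone --format '{{ .Tag }}' | head -n1)`, `test -n "$tag"`, `echo "tag=$tag" >> "$GITHUB_OUTPUT"`. The same step is added verbatim in the fourth file section (the one that downloads a release tarball with wget), and the same change applies there. A short comment on the step, such as `# The tarball is no longer tagged 'latest'; look up the tag the image was loaded with`, would explain the step to the next reader.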


@ -24,13 +24,18 @@ jobs:
CONTAINER_FILENAME=container-${VERSION:1}-${{ matrix.arch }}.tar.gz CONTAINER_FILENAME=container-${VERSION:1}-${{ matrix.arch }}.tar.gz
wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/${CONTAINER_FILENAME} -O ${CONTAINER_FILENAME} wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/${CONTAINER_FILENAME} -O ${CONTAINER_FILENAME}
docker load -i ${CONTAINER_FILENAME} docker load -i ${CONTAINER_FILENAME}
- name: Get image tag
id: tag
run: |
tag=$(docker images dangerzone.rocks/dangerzone --format '{{ .Tag }}')
echo "tag=$tag" >> $GITHUB_OUTPUT
# NOTE: Scan first without failing, else we won't be able to read the scan # NOTE: Scan first without failing, else we won't be able to read the scan
# report. # report.
- name: Scan container image (no fail) - name: Scan container image (no fail)
uses: anchore/scan-action@v5 uses: anchore/scan-action@v5
id: scan_container id: scan_container
with: with:
image: "dangerzone.rocks/dangerzone:latest" image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}"
fail-build: false fail-build: false
only-fixed: false only-fixed: false
severity-cutoff: critical severity-cutoff: critical
@ -44,7 +49,7 @@ jobs:
- name: Scan container image - name: Scan container image
uses: anchore/scan-action@v5 uses: anchore/scan-action@v5
with: with:
image: "dangerzone.rocks/dangerzone:latest" image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}"
fail-build: true fail-build: true
only-fixed: false only-fixed: false
severity-cutoff: critical severity-cutoff: critical