sdk

Use docker hardened images #402

Workflow file for this run

	name: sdk
	on:
	workflow_call:
	secrets:
	DOCKERHUB_USERNAME:
	required: true
	DOCKERHUB_TOKEN:
	required: true
	pull_request:
	paths:
	- ".github/workflows/sdk.yaml"
	- "packages/sdk/**"
	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
	cancel-in-progress: true
	permissions:
	contents: read
	packages: write
	id-token: write
	actions: write
	jobs:
	meta:
	runs-on: ubuntu-latest
	strategy:
	matrix: &target-matrix
	target:
	- rollups-database
	- rollups-runtime
	- sdk
	steps:
	- name: Checkout
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

	- name: Get package tag/version
	id: package-version
	if: ${{ github.event_name == 'push' }}
	run: \|
	jq -r '"PACKAGE_VERSION=\(.version)"' packages/sdk/package.json >> "$GITHUB_OUTPUT"

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
	with:
	bake-target: docker-metadata-${{ matrix.target }}
	images: \|
	docker.io/cartesi/${{ matrix.target }},enable=${{ github.event_name != 'pull_request' }}
	ghcr.io/cartesi/${{ matrix.target }}
	tags: \|
	type=raw,value=${{ steps.package-version.outputs.PACKAGE_VERSION }},enable=${{ github.event_name == 'push' }}
	type=ref,event=pr

	- name: Upload bake definition file
	uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
	with:
	name: docker-metadata-${{ matrix.target }}
	path: ${{ steps.meta.outputs.bake-file }}

	build:
	runs-on: ubuntu-latest
	needs: meta
	steps:
	- name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Download all docker-metadata artifacts
	uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
	with:
	path: packages/sdk/

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

	- name: Login to GitHub Container Registry
	uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Login to DockerHub
	uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Login to Docker Hardened Registry
	uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
	with:
	registry: dhi.io
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Build and push
	uses: docker/bake-action@3acf805d94d93a86cce4ca44798a76464a75b88c # v6.9.0
	if: ${{ !startsWith(github.ref, 'refs/tags/sdk@') }}
	with:
	workdir: packages/sdk
	source: .
	targets: \|
	rollups-database
	rollups-runtime
	sdk
	files: \|
	./docker-bake.hcl
	./docker-bake.platforms.hcl
	./docker-metadata-sdk/docker-metadata-action-bake.json
	./docker-metadata-rollups-runtime/docker-metadata-action-bake.json
	./docker-metadata-rollups-database/docker-metadata-action-bake.json
	set: \|
	*.cache-from=type=gha
	*.cache-to=type=gha,mode=max
	push: true
	sbom: true

	- uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
	- name: Build and push (depot)
	uses: depot/bake-action@58d7160c6bfa64eb85e384209e6f2f5ad17948bb # v1.11.0
	if: ${{ startsWith(github.ref, 'refs/tags/sdk@') }}
	with:
	project: ${{ vars.DEPOT_PROJECT }}
	workdir: packages/sdk
	targets: \|
	rollups-database
	rollups-runtime
	sdk
	files: \|
	./docker-bake.hcl
	./docker-bake.platforms.json
	./docker-metadata-sdk/docker-metadata-action-bake.json
	./docker-metadata-rollups-runtime/docker-metadata-action-bake.json
	./docker-metadata-rollups-database/docker-metadata-action-bake.json
	push: true
	sbom: true

	scout:
	runs-on: ubuntu-latest
	needs:
	- build
	- meta
	strategy:
	fail-fast: false
	matrix: *target-matrix
	permissions:
	contents: read
	packages: read
	name: docker-scout-${{ matrix.target }}
	steps:
	- name: Login to GitHub Container Registry
	uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Login to DockerHub
	uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Docker Scout
	id: docker-scout
	if: ${{ github.event_name == 'pull_request' }}
	uses: docker/scout-action@8910519cee8ac046f3ee99686b0dc6654d5ba1a7 # v1.20.3
	with:
	command: quickview,cves
	image: ghcr.io/cartesi/${{ matrix.target }}:pr-${{ github.event.pull_request.number }}
	ignore-base: true
	ignore-unchanged: true
	only-severities: critical,high
	github-token: ${{ secrets.GITHUB_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use docker hardened images #402

Workflow file

Use docker hardened images #402

Uh oh!

Workflow file for this run