diff --git a/.github/workflows/test_build_push.yml b/.github/workflows/test_build_push.yml
index 49d3ae13..590863f4 100644
--- a/.github/workflows/test_build_push.yml
+++ b/.github/workflows/test_build_push.yml
@@ -50,11 +50,69 @@ jobs:
 - hadolint
 - ruby
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ env:
+ IMAGE_NAME: gilcreator/html2rss-web
+ TAG_SHA: ${{ github.sha }}
 steps:
- - uses: actions/checkout@v4
- - run: bin/docker-build
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to DockerHub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Cache Docker layers
+ uses: actions/cache@v4
+ with:
+ path: /tmp/.buildx-cache
+ key: ${{ runner.os }}-buildx-${{ github.sha }}
+ restore-keys: |
+ ${{ runner.os }}-buildx-
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ tags: |
+ gilcreator/html2rss-web:latest
+ gilcreator/html2rss-web:${{ github.sha }}
+ platforms: linux/amd64,linux/arm64
+ cache-from: type=local,src=/tmp/.buildx-cache
+ cache-to: type=local,dest=/tmp/.buildx-cache-new
+ provenance: true
+ labels: |
+ org.opencontainers.image.source=https://github.com/${{ github.repository }}
+ org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
+ org.opencontainers.image.revision=${{ github.sha }}
+ org.opencontainers.image.title=html2rss-web
+ org.opencontainers.image.description=Generates RSS feeds of any website & serves to the web!
+ org.opencontainers.image.sbom=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts
+
+ - name: Generate SBOM
+ uses: anchore/sbom-action@v0.20.1
+ with:
+ image: gilcreator/html2rss-web:${{ github.sha }}
+ output-file: sbom.spdx.json
+
+ - name: Upload SBOM Artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: sbom
+ path: sbom.spdx.json
- - run: bin/docker-push
- env:
- DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
- DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+ - name: Move updated cache into place
+ run: |
+ rm -rf /tmp/.buildx-cache
+ mv /tmp/.buildx-cache-new /tmp/.buildx-cache
diff --git a/README.md b/README.md
index 785329eb..be81611d 100644
--- a/README.md
+++ b/README.md
@@ -137,6 +137,7 @@ Please refer to [html2rss' README for a description of _the feed config and its
 This web application is distributed in a [rolling release](https://en.wikipedia.org/wiki/Rolling_release) fashion from the `master` branch. For the latest commit passing GitHub CI/CD on the master branch, an updated Docker image will be pushed to [Docker Hub: `gilcreator/html2rss-web`](https://hub.docker.com/r/gilcreator/html2rss-web).
+The [SBOM](https://en.wikipedia.org/wiki/Software_supply_chain) is embedded as an OCI label in the Docker image and is [also available as a build artifact](https://github.com/html2rss/html2rss-web/actions/workflows/test_build_push.yml?query=branch%3Amaster).
 GitHub's @dependabot is enabled for dependency updates and they are automatically merged to the `master` branch when the CI gives the green light.
diff --git a/bin/docker-push b/bin/docker-push
deleted file mode 100755
index b3cf5631..00000000
--- a/bin/docker-push
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
-
-docker push gilcreator/html2rss-web
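Review bot: `packages: write` in the new `permissions:` block grants the job's GITHUB_TOKEN write access to GitHub Packages, but no step in this hunk pushes to ghcr.io — `docker/login-action@v3` and `docker/build-push-action@v5` publish to Docker Hub with `secrets.DOCKER_USERNAME`/`DOCKER_PASSWORD` — so the job should declare `permissions: contents: read` only, unless a GHCR push exists in the part of the workflow outside the hunk. The `env:` entries `IMAGE_NAME` and `TAG_SHA` are never referenced either: `tags:` and the SBOM step's `image:` spell out `gilcreator/html2rss-web` and `${{ github.sha }}` literally, so either use `${{ env.IMAGE_NAME }}:${{ env.TAG_SHA }}` there or drop the block. The `org.opencontainers.image.sbom` label bakes a link to this run's artifacts into the image, but the SBOM is only generated after `push: true` has already published the image and `actions/upload-artifact@v4` keeps artifacts for a limited default retention period, so the label will outlive what it points to; `sbom: true` on build-push-action attaches an SBOM attestation to the pushed image instead, and `retention-days:` on the upload makes the artifact's lifetime explicit. Because this job holds registry credentials, pinning the third-party actions (`docker/setup-qemu-action`, `docker/setup-buildx-action`, `docker/login-action`, `docker/build-push-action`, `anchore/sbom-action`) to full commit SHAs rather than moving tags would also narrow the supply-chain exposure. The job's name, its triggers and any `if:` guard sit above the hunk and are not visible here.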