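#
# Copyright (c) 2020, The OpenThread Authors.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. Neither the name of the copyright holder nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
---
# Builds the openthread/environment image once per platform (linux/amd64 and
# linux/arm64), pushes each platform image by digest only, then the `merge` job
# combines the digests into a single tagged multi-platform manifest list.
# Pushing is restricted to the upstream repository and to non-pull_request
# events; forks and PRs only build.

name: Docker

on:  # yamllint disable-line rule:truthy
  push:
    branches-ignore:
      - 'dependabot/**'
  pull_request:
    branches:
      - 'main'

# One in-flight run per PR (or per ref outside PRs); a newer run cancels it.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || (github.repository == 'openthread/openthread' && github.run_id) || github.ref }}
  cancel-in-progress: true

permissions:  # added using https://github.com/step-security/secure-workflows
  contents: read

env:
  DOCKERHUB_REPO: openthread/environment

jobs:
  # Builds and pushes one platform image per matrix entry and exports its digest
  # as an artifact for the merge job.
  build:
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: linux/amd64
            runner: ubuntu-24.04
          - platform: linux/arm64
            runner: ubuntu-24.04-arm

    runs-on: ${{ matrix.runner }}

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: true

      # PLATFORM_PAIR is the platform with "/" replaced by "-" (e.g. linux-amd64)
      # so it can be used in the digest artifact name below. The value is passed
      # through env rather than expanded inside the script, and $GITHUB_ENV is
      # quoted, so the shell never re-parses either.
      - name: Prepare
        env:
          PLATFORM: ${{ matrix.platform }}
        run: |
          echo "PLATFORM_PAIR=${PLATFORM//\//-}" >> "$GITHUB_ENV"

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5  # TODO: pin to a commit SHA like the other actions in this workflow
        with:
          images: |
            ${{ env.DOCKERHUB_REPO }}

      # Login only where a push can happen (upstream repo, not a pull_request).
      - name: Login to Docker Hub
        if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0

      # The platform image is pushed by digest without tags; the merge job
      # applies the tags to the combined manifest list.
      - name: Build and push by digest
        if: success()
        id: build
        uses: docker/build-push-action@v6  # TODO: pin to a commit SHA like the other actions in this workflow
        with:
          file: etc/docker/environment/Dockerfile
          platforms: ${{ matrix.platform }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=image,"name=${{ env.DOCKERHUB_REPO }}",push-by-digest=true,name-canonical=true
          push: ${{ github.repository == 'openthread/openthread' && github.event_name != 'pull_request' }}

      # Record the digest as an empty file named by its hex part (no "sha256:"
      # prefix); the merge job reconstructs "<repo>@sha256:<hex>" from the name.
      - name: Export digest
        if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          mkdir -p "$RUNNER_TEMP/digests"
          touch "$RUNNER_TEMP/digests/${DIGEST#sha256:}"

      - name: Upload digest
        if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: digests-${{ env.PLATFORM_PAIR }}
          path: ${{ runner.temp }}/digests/*
          if-no-files-found: error
          retention-days: 1

  # Collects every platform digest and pushes one tagged manifest list.
  merge:
    if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    needs:
      - build
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs

      - name: Download digests
        uses: actions/download-artifact@v4  # TODO: pin to a commit SHA like the other actions in this workflow
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*
          merge-multiple: true

      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0

      # Tags: the branch name, plus "latest" on the default branch only.
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5  # TODO: pin to a commit SHA like the other actions in this workflow
        with:
          images: |
            ${{ env.DOCKERHUB_REPO }}
          tags: |
            type=ref,event=branch
            type=raw,value=latest,enable={{is_default_branch}}

      # The tag list comes from DOCKER_METADATA_OUTPUT_JSON (set by the meta
      # step); each file in the digests directory is one platform digest.
      # Word splitting of both $(...) substitutions is intentional.
      - name: Create manifest list and push
        working-directory: ${{ runner.temp }}/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf "${DOCKERHUB_REPO}@sha256:%s " *)

      - name: Inspect image
        env:
          VERSION: ${{ steps.meta.outputs.version }}
        run: |
          docker buildx imagetools inspect "${DOCKERHUB_REPO}:${VERSION}"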