akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
7e92e29f3776136f663b157b773486c1a2c507ea
caddy-proxy-manager/.github/workflows/docker-build.yml
Claude 7e92e29f37 Fix workflow dependency and platform conflicts 
Fixed critical workflow issues preventing builds:

1. Job Dependency Structure:
   - build-and-push now properly depends on security-check with always()
   - Allows push/tag events to run even when security-check is skipped
   - Only pull_request events trigger security-check
   - Conditional logic checks needs.security-check.result to handle skipped cases

2. Platform vs Load Conflict:
   - Removed platform specification for PR builds (load=true)
   - load: true only works with single platform matching host
   - Multi-platform (linux/amd64,linux/arm64) only for push events
   - Empty string for platforms when using load to avoid conflicts

3. Conditional Logic Improvements:
   - push events: always run (security-check skipped)
   - workflow_dispatch: always run (security-check skipped)
   - pull_request: only run if security-check succeeded and not a fork
   - pull_request_target: only run if has 'safe-to-build' label

This ensures:
- Branch pushes work correctly
- Tag builds work correctly
- PRs are security-checked before building
- Fork PRs require manual approval
2025-11-04 21:49:41 +00:00

149 lines
5.0 KiB
YAML
Raw Blame History

name: Build and Push Docker Images
on:
push:
branches:
- main
- develop
tags:
- 'v*'
pull_request:
branches:
- main
- develop
pull_request_target:
types: [labeled]
workflow_dispatch:
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
# Security check for fork PRs
security-check:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
permissions:
pull-requests: read
outputs:
is_fork: ${{ steps.check.outputs.is_fork }}
steps:
- name: Check if PR is from fork
id: check
run: |
if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
echo "is_fork=true" >> $GITHUB_OUTPUT
echo "::warning::This PR is from a fork. Builds from forks require manual approval for security."
else
echo "is_fork=false" >> $GITHUB_OUTPUT
fi
build-and-push:
needs: security-check
# Run on push/tag events (security-check is skipped but that's ok)
# For PRs, only run on non-fork PRs or manually approved fork PRs
if: |
always() && (
github.event_name == 'push' ||
github.event_name == 'workflow_dispatch' ||
(github.event_name == 'pull_request' && needs.security-check.result == 'success' && needs.security-check.outputs.is_fork == 'false') ||
(github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-build'))
)
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write # For Trivy to upload SARIF results
strategy:
matrix:
include:
- service: web
dockerfile: docker/web/Dockerfile
context: .
- service: caddy
dockerfile: docker/caddy/Dockerfile
context: .
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
# For pull_request_target, checkout the PR head
ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GitHub Container Registry
if: github.event_name != 'pull_request' && github.event_name != 'pull_request_target'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels)
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.service }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image
id: build
uses: docker/build-push-action@v5
with:
context: ${{ matrix.context }}
file: ${{ matrix.dockerfile }}
push: ${{ github.event_name != 'pull_request' && github.event_name != 'pull_request_target' }}
load: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
# Only specify platforms for push (multi-platform), not for load (single-platform only)
platforms: ${{ (github.event_name != 'pull_request' && github.event_name != 'pull_request_target') && 'linux/amd64,linux/arm64' || '' }}
sbom: true
provenance: true
- name: Extract first tag for Trivy
id: trivy-tag
run: |
# Extract the first tag from the metadata output
FIRST_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1)
echo "tag=$FIRST_TAG" >> $GITHUB_OUTPUT
echo "Using tag for Trivy: $FIRST_TAG"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.24.0
with:
image-ref: ${{ steps.trivy-tag.outputs.tag }}
format: 'sarif'
output: 'trivy-results-${{ matrix.service }}.sarif'
severity: 'CRITICAL,HIGH'
exit-code: '1' # Fail the build on critical/high vulnerabilities
- name: Upload Trivy results to GitHub Security
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results-${{ matrix.service }}.sarif'
category: 'trivy-${{ matrix.service }}'
- name: Run Trivy in table format
if: always()
uses: aquasecurity/trivy-action@0.24.0
with:
image-ref: ${{ steps.trivy-tag.outputs.tag }}
format: 'table'
severity: 'CRITICAL,HIGH,MEDIUM'
Reference in New Issue View Git Blame Copy Permalink