Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/.github/workflows/goreleaser-snapshot-fleet.yaml
Scott Gress 854fa2af62
Cleanup docker publish (#42693) 
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #42691

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a

## Testing

- [ ] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- I ran the updated snapshot action on this branch and verified that it
pushed the branch-tagged image, but not the SHA-tagged one.
- I ran the cleanup script in dry-run mode and verified that it didn't
expect to delete any non-sha-tagged images
- I wasn't able to test the delete-image-on-branch-delete action for
obvious reasons.
- I haven't tested the cleanup script in non-dry-run mode... I could do
on my personal dockerhub...

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **New Features**
* Automated cleanup of Docker images when development branches are
deleted to maintain registry hygiene.
  * New utility for managing and cleaning up legacy Docker image tags.

* **Chores**
* Enhanced Docker image tagging in snapshot builds with improved branch
name handling.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-03 10:40:56 -05:00

188 lines
7.1 KiB
YAML
Raw Blame History

name: Docker publish
on:
push:
branches:
- "main"
- "rc-minor-*"
- "rc-patch-*"
paths-ignore:
- "handbook/**"
- "website/**"
- "mdm-profiles/**"
pull_request:
paths-ignore:
- "handbook/**"
- "website/**"
- "mdm-profiles/**"
workflow_dispatch: # Manual
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
publish:
# Only run it when the push is to the fleetdm/fleet repo. Otherwise the secrets for pushing to
# Docker will not be available.
#
# Also not run if author is dependabot (it doesn't have access to Github secrets).
if: ${{ (github.repository == 'fleetdm/fleet') && (github.actor != 'dependabot[bot]') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
runs-on: ubuntu-22.04
environment: Docker Hub
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Login to Docker Hub
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: "go.mod"
# Set the Node.js version
- name: Set up Node.js
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version-file: package.json
check-latest: true
- name: Install Dependencies
run: make deps
- name: Sanitize branch name for Docker tag
id: sanitize_branch
env:
BRANCH: ${{ github.head_ref || github.ref_name }}
run: |
SANITIZED="${BRANCH//\//-}"
echo "DOCKER_IMAGE_TAG=$SANITIZED" >> $GITHUB_OUTPUT
- name: Compute version from branch
id: compute_version
env:
BRANCH: ${{ github.head_ref || github.ref_name }}
run: |
VERSION=$(tools/version-from-branch.sh "$BRANCH" 2>/dev/null)
if [ -z "$VERSION" ]; then
# Fall back to default snapshot version
VERSION="0.0.0-SNAPSHOT-$(git rev-parse --short HEAD)"
fi
echo "FLEET_VERSION=$VERSION" >> $GITHUB_OUTPUT
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
with:
distribution: goreleaser-pro
version: "~> 2"
args: release --snapshot --clean -f .goreleaser-snapshot.yml
env:
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
FLEET_VERSION: ${{ steps.compute_version.outputs.FLEET_VERSION }}
DOCKER_IMAGE_TAG: ${{ steps.sanitize_branch.outputs.DOCKER_IMAGE_TAG }}
- name: List VEX files
id: generate_vex_files
run: |
echo "VEX_FILES=$(ls -1 ./security/vex/fleet/ | while IFS= read -r line; do echo "./security/vex/fleet/$line"; done | tr '\n' ',' | sed 's/.$//')" >> $GITHUB_OUTPUT
# We use the trivy command and not the github action because it doesn't support loading VEX files yet.
- name: Check high/critical vulnerabilities before publishing (trivy)
# Only run this when tagging RCs.
if: startsWith(github.ref, 'rc-minor-') || startsWith(github.ref, 'rc-patch-')
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
run: |
mkdir trivy-download
cd trivy-download
curl -L https://github.com/aquasecurity/trivy/releases/download/v0.68.1/trivy_0.68.1_Linux-64bit.tar.gz --output trivy_0.68.1_Linux-64bit.tar.gz
tar -xf trivy_0.68.1_Linux-64bit.tar.gz
mv trivy ..
cd ..
chmod +x ./trivy
./trivy image \
--ignore-unfixed \
--exit-code=1 \
--pkg-types=os,library \
--severity=HIGH,CRITICAL \
--vex="${{ steps.generate_vex_files.outputs.VEX_FILES }}" \
fleetdm/fleet:${{ steps.sanitize_branch.outputs.DOCKER_IMAGE_TAG }}
- name: Check high/critical vulnerabilities before publishing (docker scout)
# Only run this when tagging RCs.
if: startsWith(github.ref, 'rc-minor-') || startsWith(github.ref, 'rc-patch-')
uses: docker/scout-action@381b657c498a4d287752e7f2cfb2b41823f566d9 # v1.17.1
with:
command: cves
image: fleetdm/fleet:${{ steps.sanitize_branch.outputs.DOCKER_IMAGE_TAG }}
only-severities: critical,high
only-fixed: true
only-vex-affected: true
write-comment: false
vex-location: ./security/vex/fleet
exit-code: true
# Explicitly push the docker images as GoReleaser will not do so in snapshot mode
- name: Publish Docker images
run: docker push fleetdm/fleet --all-tags
- name: List tags for push
run: |
echo "The following tag will be pushed: ${{ steps.sanitize_branch.outputs.DOCKER_IMAGE_TAG }}"
- name: Login to quay.io
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: quay.io
username: fleetdm+fleetreleaser
password: ${{ secrets.QUAY_REGISTRY_PASSWORD }}
- name: Tag and push to quay.io
env:
TAG: ${{ steps.sanitize_branch.outputs.DOCKER_IMAGE_TAG }}
run: |
docker tag fleetdm/fleet:${TAG} quay.io/fleetdm/fleet:${TAG}
for i in {1..5}; do
docker push quay.io/fleetdm/fleet:${TAG} && break || sleep 10
done
- name: Slack notification
if: startsWith(github.ref, 'rc-minor-') || startsWith(github.ref, 'rc-patch-') && failure()
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
payload: |
{
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "⚠️ Docker publish failed.\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
Reference in a new issue View git blame Copy permalink