fleet/.github/workflows/build-and-push-fleetctl-docker.yml

name: Build and push fleetdm/fleetctl Docker image

# Manually trigger this workflow for now
on:
  workflow_dispatch:
    inputs:
      image_tag:
        description: 'Docker image tag'
        required: true
        type: string

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
  cancel-in-progress: true

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

permissions:
  contents: read

jobs:
  docker-push:
    runs-on: ubuntu-latest
    environment: Docker Hub
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2

      - name: Login to Docker Hub
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}

      - name: Set up Go
        uses: actions/setup-go@v2.1.3
        with:
          go-version: 1.19.8

      - name: Install Go Dependencies
        run: make deps-go

      - name: Build fleetdm/fleetctl
        run: make fleetctl-docker

      - name: Push to Docker
        run: |
          docker tag fleetdm/fleetctl fleetdm/fleetctl:${{ inputs.image_tag }}
          docker push fleetdm/fleetctl:${{ inputs.image_tag }}

      - name: Push To quay.io
        id: push-to-quay
        uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
        with:
          image: fleetdm/fleetctl
          tags: ${{ inputs.image_tag }}
          registry: quay.io/
          username: fleetdm+fleetreleaser
          password: ${{ secrets.QUAY_REGISTRY_PASSWORD }}
add a workflow to build and push fleetdm/fleetctl images (#6533) 2022-07-11 13:32:40 +00:00			`name: Build and push fleetdm/fleetctl Docker image`

			`# Manually trigger this workflow for now`
			`on:`
			`workflow_dispatch:`
			`inputs:`
			`image_tag:`
			`description: 'Docker image tag'`
			`required: true`
			`type: string`

add concurrency to ci (#8271) * add concurrency to ci * add readme for workflows 2022-10-24 20:01:00 +00:00			`# This allows a subsequently queued workflow run to interrupt previous runs`
			`concurrency:`
			`group: ${{ github.workflow }}-${{ github.head_ref \|\| github.run_id}}`
			`cancel-in-progress: true`

set default shell in workflows (#8108) * wait for mysql in workflows 2022-10-07 15:43:56 +00:00			`defaults:`
			`run:`
			`# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference`
			`shell: bash`

add a workflow to build and push fleetdm/fleetctl images (#6533) 2022-07-11 13:32:40 +00:00			`permissions:`
			`contents: read`

			`jobs:`
			`docker-push:`
			`runs-on: ubuntu-latest`
			`environment: Docker Hub`
			`permissions:`
			`contents: write`
			`steps:`
			`- name: Checkout`
Bump actions/checkout from 2 to 3.0.2 (#7301) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...2541b1294d2704b0964813337f33b291d3f8596b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-08-31 10:44:22 +00:00			`uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2`
add a workflow to build and push fleetdm/fleetctl images (#6533) 2022-07-11 13:32:40 +00:00
			`- name: Login to Docker Hub`
Bump docker/login-action from 2.0.0 to 2.1.0 (#10182) Bumps [docker/login-action](https://github.com/docker/login-action) from 2.0.0 to 2.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/login-action/releases">docker/login-action's releases</a>.</em></p> <blockquote> <h2>v2.1.0</h2> <h2>What's Changed</h2> <ul> <li>Ensure AWS temp credentials are redacted in workflow logs by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> (<a href="https://github-redirect.dependabot.com/docker/login-action/issues/275">#275</a>)</li> <li>Bump <code>@actions/core</code> from 1.6.0 to 1.10.0 (<a href="https://github-redirect.dependabot.com/docker/login-action/issues/252">#252</a> <a href="https://github-redirect.dependabot.com/docker/login-action/issues/292">#292</a>)</li> <li>Bump <code>@aws-sdk/client-ecr</code> from 3.53.0 to 3.186.0 (<a href="https://github-redirect.dependabot.com/docker/login-action/issues/298">#298</a>)</li> <li>Bump <code>@aws-sdk/client-ecr-public</code> from 3.53.0 to 3.186.0 (<a href="https://github-redirect.dependabot.com/docker/login-action/issues/299">#299</a>)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/login-action/compare/v2.0.0...v2.1.0">https://github.com/docker/login-action/compare/v2.0.0...v2.1.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/login-action/commit/f4ef78c080cd8ba55a85445d5b36e214a81df20a"><code>f4ef78c</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/docker/login-action/issues/299">#299</a> from docker/dependabot/npm_and_yarn/aws-sdk/client-ec...</li> <li><a href="https://github.com/docker/login-action/commit/9ad4ce3929bc07d004540e2ebe754234848335e2"><code>9ad4ce3</code></a> Update generated content</li> <li><a href="https://github.com/docker/login-action/commit/884eadd4f88fc6034a7a1ba10fbd2fd69404b94b"><code>884eadd</code></a> Bump <code>@aws-sdk/client-ecr-public</code> from 3.53.0 to 3.186.0</li> <li><a href="https://github.com/docker/login-action/commit/a266232f5c33001624fdfca7a1d9e5c5612a20ac"><code>a266232</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/docker/login-action/issues/298">#298</a> from docker/dependabot/npm_and_yarn/aws-sdk/client-ec...</li> <li><a href="https://github.com/docker/login-action/commit/f97efcfbf9cb420547dae40adf642fc2366c979a"><code>f97efcf</code></a> Update generated content</li> <li><a href="https://github.com/docker/login-action/commit/5ae789beac0ced16338cc5996b168a5785de8ae9"><code>5ae789b</code></a> Bump <code>@aws-sdk/client-ecr</code> from 3.53.0 to 3.186.0</li> <li><a href="https://github.com/docker/login-action/commit/71c23b5b3471683fb0acf7a6c821f834735aec44"><code>71c23b5</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/docker/login-action/issues/292">#292</a> from docker/dependabot/npm_and_yarn/actions/core-1.10.0</li> <li><a href="https://github.com/docker/login-action/commit/6401d70aab8811e905cbf52b0eae2c58bc274b5b"><code>6401d70</code></a> Update generated content</li> <li><a href="https://github.com/docker/login-action/commit/67e8909cc694e896d07b96876522f898972abbfd"><code>67e8909</code></a> Bump <code>@actions/core</code> from 1.9.1 to 1.10.0</li> <li><a href="https://github.com/docker/login-action/commit/21f251affc0769ccac8a1cf17e937592fb492337"><code>21f251a</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/docker/login-action/issues/275">#275</a> from crazy-max/redact-aws-creds</li> <li>Additional commits viewable in <a href="https://github.com/docker/login-action/compare/49ed152c8eca782a232dede0303416e8f356c37b...f4ef78c080cd8ba55a85445d5b36e214a81df20a">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=docker/login-action&package-manager=github_actions&previous-version=2.0.0&new-version=2.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Zach Wasserman <zach@fleetdm.com> 2023-03-01 01:19:37 +00:00			`uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a`
add a workflow to build and push fleetdm/fleetctl images (#6533) 2022-07-11 13:32:40 +00:00			`with:`
			`username: ${{ secrets.DOCKERHUB_USERNAME }}`
			`password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}`

			`- name: Set up Go`
Update 'install go' Github Actions to use tag as it uses deprecated commands (#11408) At the moment, in Github Actions, when a job has `uses: actions/setup-go` it uses a specific commit from that repo. In that commit, it used `set-output` somewhere, which is now deprecated and will be disabled within the next month or so. See here for more information: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ This PR changes every instance where `actions/setup-go@...` was used and replaces it with release `v2.1.3`. [From the release notes](https://github.com/actions/setup-go/releases/tag/v2.1.3): > Updated communication with runner to use environment files rather then workflow commands Which is what the above Github blog recommends doing. --- Addationally, the latest version of this Github Action is [`v4.0.0`](https://github.com/actions/setup-go/releases/tag/v4.0.0), which you may want to update to in the future. 2023-05-17 20:56:16 +00:00			`uses: actions/setup-go@v2.1.3`
add a workflow to build and push fleetdm/fleetctl images (#6533) 2022-07-11 13:32:40 +00:00			`with:`
Upgrade Go version to 1.19.8 (#11057) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. 2023-04-07 19:05:22 +00:00			`go-version: 1.19.8`
add a workflow to build and push fleetdm/fleetctl images (#6533) 2022-07-11 13:32:40 +00:00
			`- name: Install Go Dependencies`
			`run: make deps-go`

			`- name: Build fleetdm/fleetctl`
			`run: make fleetctl-docker`

			`- name: Push to Docker`
tag fleetdm/fleetctl docker image before pushing to Hub (#6585) 2022-07-11 17:57:54 +00:00			`run: \|`
			`docker tag fleetdm/fleetctl fleetdm/fleetctl:${{ inputs.image_tag }}`
			`docker push fleetdm/fleetctl:${{ inputs.image_tag }}`
add a workflow to build and push fleetdm/fleetctl images (#6533) 2022-07-11 13:32:40 +00:00
Add quay push (#8967) * Add quay push to the snapshot pusher to start * Tags need to be just the tag part in this one * Put the tag in a variable * Fix typos * Switch up how we define registry to see if it finds the image like this * Add quay push everywhere else 2022-12-12 17:15:06 +00:00			`- name: Push To quay.io`
			`id: push-to-quay`
Pin actions to commit SHA (#10204) ## Summary This pull request is created by [Secure Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass. Please merge the Pull Request to incorporate the requested changes. Please tag @zwass on your message if you have any questions related to the PR. You can also engage with the [StepSecurity](https://github.com/step-security) team by tagging @step-security-bot. ## Security Fixes ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ## Feedback For bug reports, feature requests, and general feedback; please create an issue in [step-security/secure-repo](https://github.com/step-security/secure-repo). To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> 2023-03-01 01:55:38 +00:00			`uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1`
Add quay push (#8967) * Add quay push to the snapshot pusher to start * Tags need to be just the tag part in this one * Put the tag in a variable * Fix typos * Switch up how we define registry to see if it finds the image like this * Add quay push everywhere else 2022-12-12 17:15:06 +00:00			`with:`
			`image: fleetdm/fleetctl`
			`tags: ${{ inputs.image_tag }}`
			`registry: quay.io/`
			`username: fleetdm+fleetreleaser`
			`password: ${{ secrets.QUAY_REGISTRY_PASSWORD }}`