name: docker # https://docs.github.com/de/actions/using-workflows/workflow-syntax-for-github-actions # https://docs.github.com/en/actions/using-workflows # https://docs.github.com/en/actions/learn-github-actions/contexts # https://docs.github.com/en/actions/learn-github-actions/expressions # How to setup: https://event-driven.io/en/how_to_buid_and_push_docker_image_with_github_actions/ # How to run: https://aschmelyun.com/blog/using-docker-run-inside-of-github-actions/ on: # run it on push to the default repository branch push: paths-ignore: - 'docs/**' - '**.md' - 'build.sh' tags-ignore: - '**' # branches is needed if tags-ignore is used branches: - '**' schedule: # Run weekly on default branch - cron: '47 3 * * 6' jobs: build-and-push-docker-debian-image: name: Build Docker Bookworm image and push to repositories # run only when code is compiling and tests are passing strategy: matrix: include: - DOCKER_ARCH: amd64 platform: ubuntu-latest PLATFORM_ARCH: x86_64 - DOCKER_ARCH: arm64 platform: ubuntu-24.04-arm PLATFORM_ARCH: arm64 runs-on: ${{ matrix.platform }} # steps to perform in job steps: - name: Checkout code uses: actions/checkout@v5 # avoid building if there are testing errors - name: Run smoke test run: | sudo apt-get install -y libzbar0 python -m pip install --upgrade pip pip install -U -r requirements-dev.txt pip install -U . pytest - name: Set up QEMU uses: docker/setup-qemu-action@v3 # setup Docker build action - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@v3 - name: Login to DockerHub uses: docker/login-action@v3 if: github.secret_source == 'Actions' with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to Github Packages uses: docker/login-action@v3 if: github.secret_source == 'Actions' with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GHCR_IO_TOKEN }} - name: "Build image (Bookworm/Debian 12) and push to Docker Hub and GitHub Container Registry" id: docker_build_qr_reader_latest uses: docker/build-push-action@v6 with: platforms: linux/${{ matrix.DOCKER_ARCH }} # relative path to the place where source code with Dockerfile is located # TODO file:, move to docker/ context: . file: docker/Dockerfile # builder: ${{ steps.buildx.outputs.name }} # Note: tags has to be all lower-case build-args: | BASE_IMAGE=python:3.14-slim-trixie pull: true tags: | docker.io/scit0/extract_otp_secrets:latest-${{ matrix.PLATFORM_ARCH }} docker.io/scit0/extract_otp_secrets:bookworm-${{ matrix.PLATFORM_ARCH }} ghcr.io/scito/extract_otp_secrets:latest-${{ matrix.PLATFORM_ARCH }} ghcr.io/scito/extract_otp_secrets:bookworm-${{ matrix.PLATFORM_ARCH }} provenance: true sbom: true # build on feature branches, push only on master branch push: ${{ github.ref == 'refs/heads/master' && github.secret_source == 'Actions'}} - name: Image digest # TODO upload digests to assets run: | echo "extract_otp_secrets digests: ${{ steps.docker_build_qr_reader_latest.outputs.digest }}" echo "${{ steps.docker_build_qr_reader_latest.outputs.digest }}" > digests.txt - name: Save docker digests as artifacts if: github.ref == 'refs/heads/master' uses: actions/upload-artifact@v4 with: name: digests_bookworm_${{ matrix.PLATFORM_ARCH }} path: digests.txt create-multiarch-debian-manifests: name: Create multiarch manifests for Debian image if: ${{ github.ref == 'refs/heads/master' && github.secret_source == 'Actions'}} runs-on: ubuntu-latest needs: - build-and-push-docker-debian-image steps: - name: Login to DockerHub uses: docker/login-action@v3 if: github.secret_source == 'Actions' with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to Github Packages uses: docker/login-action@v3 if: github.secret_source == 'Actions' with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GHCR_IO_TOKEN }} - name: Create multiarch manifests if: ${{ github.ref == 'refs/heads/master' && github.secret_source == 'Actions'}} shell: bash run: | for tag in \ docker.io/scit0/extract_otp_secrets:latest \ ghcr.io/scito/extract_otp_secrets:latest \ docker.io/scit0/extract_otp_secrets:bookworm \ ghcr.io/scito/extract_otp_secrets:bookworm \ ; do docker buildx imagetools create -t $tag \ $tag-x86_64 \ $tag-arm64 done build-and-push-docker-alpine-image: name: Build Docker Alpine image and push to repositories # run only when code is compiling and tests are passing strategy: matrix: include: - DOCKER_ARCH: amd64 platform: ubuntu-latest PLATFORM_ARCH: x86_64 - DOCKER_ARCH: arm64 platform: ubuntu-24.04-arm PLATFORM_ARCH: arm64 runs-on: ${{ matrix.platform }} # steps to perform in job steps: - name: Checkout code uses: actions/checkout@v5 # avoid building if there are testing errors - name: Run smoke test run: | sudo apt-get install -y libzbar0 python -m pip install --upgrade pip pip install -U -r requirements-dev.txt pip install -U . pytest - name: Set up QEMU uses: docker/setup-qemu-action@v3 # setup Docker build action - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@v3 - name: Login to DockerHub uses: docker/login-action@v3 if: github.secret_source == 'Actions' with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to Github Packages uses: docker/login-action@v3 if: github.secret_source == 'Actions' with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GHCR_IO_TOKEN }} - name: "only_txt: Build image and push to Docker Hub and GitHub Container Registry" id: docker_build_only_txt uses: docker/build-push-action@v6 with: platforms: linux/${{ matrix.DOCKER_ARCH }} # relative path to the place where source code with Dockerfile is located context: . file: docker/Dockerfile_only_txt # builder: ${{ steps.buildx.outputs.name }} # Note: tags has to be all lower-case pull: true tags: | docker.io/scit0/extract_otp_secrets:only-txt-${{ matrix.PLATFORM_ARCH }} docker.io/scit0/extract_otp_secrets:alpine-${{ matrix.PLATFORM_ARCH }} ghcr.io/scito/extract_otp_secrets:only-txt-${{ matrix.PLATFORM_ARCH }} ghcr.io/scito/extract_otp_secrets:alpine-${{ matrix.PLATFORM_ARCH }} provenance: true sbom: true # build on feature branches, push only on master branch push: ${{ github.ref == 'refs/heads/master' && github.secret_source == 'Actions'}} build-args: | RUN_TESTS=true - name: Image digest # TODO upload digests to assets run: | echo "extract_otp_secrets:only-txt digests: ${{ steps.docker_build_only_txt.outputs.digest }}" echo "${{ steps.docker_build_qr_reader_latest.outputs.digest }}" > digests.txt - name: Save docker digests as artifacts if: github.ref == 'refs/heads/master' uses: actions/upload-artifact@v4 with: name: digests_alpine_${{ matrix.PLATFORM_ARCH }} path: digests.txt create-multiarch-alpine-manifests: name: Create multiarch manifests for Alpine image if: ${{ github.ref == 'refs/heads/master' && github.secret_source == 'Actions'}} runs-on: ubuntu-latest needs: - build-and-push-docker-alpine-image defaults: run: shell: bash steps: - name: Login to DockerHub uses: docker/login-action@v3 if: github.secret_source == 'Actions' with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to Github Packages uses: docker/login-action@v3 if: github.secret_source == 'Actions' with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GHCR_IO_TOKEN }} - name: Create multiarch manifests if: ${{ github.ref == 'refs/heads/master' && github.secret_source == 'Actions'}} shell: bash run: | for tag in \ docker.io/scit0/extract_otp_secrets:only-txt \ docker.io/scit0/extract_otp_secrets:alpine \ ghcr.io/scito/extract_otp_secrets:only-txt \ ghcr.io/scito/extract_otp_secrets:alpine \ ; do docker buildx imagetools create -t $tag \ $tag-x86_64 \ $tag-arm64 done build-and-push-docker-bullseye-image: name: Build Docker Bullseye image (for PyInstsaller) and push to repositories # run only when code is compiling and tests are passing strategy: matrix: include: - DOCKER_ARCH: amd64 platform: ubuntu-latest PLATFORM_ARCH: x86_64 - DOCKER_ARCH: arm64 platform: ubuntu-24.04-arm PLATFORM_ARCH: arm64 runs-on: ${{ matrix.platform }} # steps to perform in job steps: - name: Checkout code uses: actions/checkout@v5 # avoid building if there are testing errors - name: Run smoke test run: | sudo apt-get install -y libzbar0 python -m pip install --upgrade pip pip install -U -r requirements-dev.txt pip install -U . pytest - name: Set up QEMU uses: docker/setup-qemu-action@v3 # setup Docker build action - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@v3 - name: Login to DockerHub uses: docker/login-action@v3 if: github.secret_source == 'Actions' with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to Github Packages uses: docker/login-action@v3 if: github.secret_source == 'Actions' with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GHCR_IO_TOKEN }} - name: "Build image from Bullseye (Debian 11) and push to GitHub Container Registry" id: docker_build_bullseye if: github.ref == 'refs/heads/master' uses: docker/build-push-action@v6 with: platforms: linux/${{ matrix.DOCKER_ARCH }} # relative path to the place where source code with Dockerfile is located context: . file: docker/Dockerfile # builder: ${{ steps.buildx.outputs.name }} build-args: | BASE_IMAGE=python:3.13-slim-bullseye # Note: tags has to be all lower-case pull: true tags: | docker.io/scit0/extract_otp_secrets:bullseye-${{ matrix.PLATFORM_ARCH }} ghcr.io/scito/extract_otp_secrets:bullseye-${{ matrix.PLATFORM_ARCH }} provenance: true sbom: true push: ${{ github.secret_source == 'Actions' }} - name: Image digest # TODO upload digests to assets run: | echo "extract_otp_secrets digests: ${{ steps.docker_build_qr_reader_latest.outputs.digest }}" echo "${{ steps.docker_build_qr_reader_latest.outputs.digest }}" > digests.txt - name: Save docker digests as artifacts if: github.ref == 'refs/heads/master' uses: actions/upload-artifact@v4 with: name: digests_bullseye_${{ matrix.PLATFORM_ARCH }} path: digests.txt create-multiarch-bullseye-manifests: name: Create multiarch manifests for Bullseye image runs-on: ubuntu-latest if: ${{ github.ref == 'refs/heads/master' && github.secret_source == 'Actions'}} needs: - build-and-push-docker-bullseye-image steps: - name: Login to DockerHub uses: docker/login-action@v3 if: github.secret_source == 'Actions' with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to Github Packages uses: docker/login-action@v3 if: github.secret_source == 'Actions' with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GHCR_IO_TOKEN }} - name: if: ${{ github.ref == 'refs/heads/master' && github.secret_source == 'Actions'}} shell: bash run: | for tag in \ docker.io/scit0/extract_otp_secrets:bullseye \ ghcr.io/scito/extract_otp_secrets:bullseye \ ; do docker buildx imagetools create -t $tag \ $tag-x86_64 \ $tag-arm64 done container-images-clean-up: name: Cleanup old container images runs-on: ubuntu-latest steps: - name: Delete Container Packages uses: actions/delete-package-versions@v5 if: ${{ github.secret_source == 'Actions'}} with: package-name: 'extract_otp_secrets' package-type: 'container' min-versions-to-keep: 1 delete-only-untagged-versions: 'true'