name: Build and test image on: push: branches: - master tags: - 'v[0-9]+.[0-9]+.[0-9]+' pull_request: branches: - master # cancel outdated jobs for the same reference concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true env: IMAGE : ${{ github.repository_owner }}/openstreetmap-tile-server TAG : ${{ github.sha }} # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io # github.repository as / IMAGE_NAME: ${{ github.repository }} permissions: contents: read jobs: build: strategy: matrix: include: - arch : amd64 mode : build-and-test runner : ubuntu-24.04 - arch : arm64 variant : v8 mode : build-and-test runner : ubuntu-24.04-arm runs-on: ${{matrix.runner}} permissions: contents: read env: VOLUME : osm-db CONTAINER : osm-www MOUNT : /data/database/ PLATFORM : linux/${{ matrix.arch }}${{ (matrix.variant != '' && format('/{0}', matrix.variant)) || '' }} steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit - name: Checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 with: platforms: ${{ matrix.arch }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Environment run : | echo IMAGE=$(echo ${{ env.IMAGE }} | tr '[:upper:]' '[:lower:]') >>$GITHUB_ENV - name: Docker build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: pull : true load : ${{ matrix.mode == 'build-and-test' }} platforms : ${{ env.PLATFORM }} context : . file : ./Dockerfile tags : ${{ env.IMAGE }}:${{ env.TAG }} cache-from : type=gha,scope=${{ github.workflow }}:${{ env.PLATFORM }} cache-to : type=gha,scope=${{ github.workflow }}:${{ env.PLATFORM }},mode=max - name: Import Luxembourg if : ${{ matrix.mode == 'build-and-test' }} run : | docker volume create ${VOLUME} docker run --rm --shm-size=128M -v ${VOLUME}:${MOUNT} -e UPDATES=enabled ${IMAGE}:${TAG} import - name: Start server if : ${{ matrix.mode == 'build-and-test' }} run : | docker run --shm-size=128M -v ${VOLUME}:${MOUNT} -e UPDATES=enabled -p 80:80 -d --name ${CONTAINER} ${IMAGE}:${TAG} run sleep 30 docker logs ${CONTAINER} - name: Download tiles if : ${{ matrix.mode == 'build-and-test' }} run : | curl http://localhost/tile/0/0/0.png --fail -o 000.png curl http://localhost/tile/1/0/0.png --fail -o 100.png curl http://localhost/tile/1/0/1.png --fail -o 101.png curl http://localhost/tile/1/1/0.png --fail -o 110.png curl http://localhost/tile/1/1/1.png --fail -o 111.png curl http://localhost/tile/18/138474/85459.png --fail -o empty.png curl http://localhost/tile/18/135536/89345.png --fail -o example.png - name: Upload tiles if : ${{ matrix.mode == 'build-and-test' }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: tiles path: '*.png' - name: Verify tiles if : ${{ matrix.mode == 'build-and-test' }} run : | sha1sum *.png sha1sum --check <&2 echo "ERROR: ${tiles[$i]} is not a image/png file" exit 1 fi for ((j=i+1; j<${#tiles[@]}; j++)) ; do if ( diff "${tiles[$i]}" "${tiles[$j]}" ) ; then >&2 echo "ERROR: ${tiles[$i]} is identical to ${tiles[$j]}" exit 2 fi done done - name: Cleanup if : ${{ matrix.mode == 'build-and-test' }} run : | docker rm --force --volumes ${CONTAINER} docker volume rm --force ${VOLUME} docker rmi --force ${IMAGE}:${TAG} deploy: runs-on: ubuntu-latest permissions: contents: read packages: write # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write attestations: write needs: - build if: ${{ github.event_name != 'pull_request' }} steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit - name: Checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 #v3.9.2 - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 with: platforms: amd64,arm64 - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Login to GHCR if: github.event_name != 'pull_request' uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push id: build-and-push uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: sbom : true pull : true push : true platforms : linux/amd64,linux/arm64/v8 context : . file : ./Dockerfile tags : ${{ steps.meta.outputs.tags }} labels : ${{ steps.meta.outputs.labels }} cache-from: | type=gha,scope=${{ github.workflow }}:linux/amd64 type=gha,scope=${{ github.workflow }}:linux/arm64/v8 cache-to: type=gha,mode=max # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker # repository is public to avoid leaking data. If you would like to publish # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - name: Sign the published Docker image if: ${{ github.event_name != 'pull_request' }} env: # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable TAGS: ${{ steps.meta.outputs.tags }} DIGEST: ${{ steps.build-and-push.outputs.digest }} # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} - name: Attest if: github.event_name != 'pull_request' uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 id: attest with: subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} subject-digest: ${{ steps.build-and-push.outputs.digest }} push-to-registry: true scan: needs: deploy permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Build id: docker_build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: push: false load: true tags: localbuild/testimage:latest cache-from: type=gha cache-to: type=gha,mode=max - name: Generate SBOM and upload dependency results uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5 with: image: localbuild/testimage:latest artifact-name: "${{ github.event.repository.name }}.cyclonedx-sbom.json" output-file: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json" dependency-snapshot: false format: cyclonedx-json upload-artifact: true - name: Scan SBOM uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 id: scan with: cache-db: true fail-build: false sbom: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json" output-format: sarif - name: Upload Anchore scan SARIF report uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5 with: sarif_file: ${{ steps.scan.outputs.sarif }}