284 lines
10 KiB
YAML
284 lines
10 KiB
YAML
name: Build and test image
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- master
|
|
tags:
|
|
- 'v[0-9]+.[0-9]+.[0-9]+'
|
|
pull_request:
|
|
branches:
|
|
- master
|
|
|
|
# cancel outdated jobs for the same reference
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
env:
|
|
IMAGE : ${{ github.repository_owner }}/openstreetmap-tile-server
|
|
TAG : ${{ github.sha }}
|
|
# Use docker.io for Docker Hub if empty
|
|
REGISTRY: ghcr.io
|
|
# github.repository as <account>/<repo>
|
|
IMAGE_NAME: ${{ github.repository }}
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
|
|
build:
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- arch : amd64
|
|
mode : build-and-test
|
|
runner : ubuntu-24.04
|
|
- arch : arm64
|
|
variant : v8
|
|
mode : build-and-test
|
|
runner : ubuntu-24.04-arm
|
|
runs-on: ${{matrix.runner}}
|
|
permissions:
|
|
contents: read
|
|
env:
|
|
VOLUME : osm-db
|
|
CONTAINER : osm-www
|
|
MOUNT : /data/database/
|
|
PLATFORM : linux/${{ matrix.arch }}${{ (matrix.variant != '' && format('/{0}', matrix.variant)) || '' }}
|
|
steps:
|
|
-
|
|
name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
|
|
-
|
|
name: Set up QEMU
|
|
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
|
|
with:
|
|
platforms: ${{ matrix.arch }}
|
|
-
|
|
name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
|
|
-
|
|
name: Environment
|
|
run : |
|
|
echo IMAGE=$(echo ${{ env.IMAGE }} | tr '[:upper:]' '[:lower:]') >>$GITHUB_ENV
|
|
-
|
|
name: Docker build
|
|
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
|
|
with:
|
|
pull : true
|
|
load : ${{ matrix.mode == 'build-and-test' }}
|
|
platforms : ${{ env.PLATFORM }}
|
|
context : .
|
|
file : ./Dockerfile
|
|
tags : ${{ env.IMAGE }}:testbuild-${{ env.PLATFORM }}
|
|
cache-from : type=gha,scope=${{ github.workflow }}:${{ env.PLATFORM }}
|
|
cache-to : type=gha,scope=${{ github.workflow }}:${{ env.PLATFORM }},mode=max
|
|
-
|
|
name: Import Luxembourg
|
|
if : ${{ matrix.mode == 'build-and-test' }}
|
|
run : |
|
|
docker volume create ${VOLUME}
|
|
docker run --rm --shm-size=4GB -v ${VOLUME}:${MOUNT} -e UPDATES=enabled ${IMAGE}:${TAG} import
|
|
-
|
|
name: Start server
|
|
if : ${{ matrix.mode == 'build-and-test' }}
|
|
run : |
|
|
docker run --shm-size=4GB -v ${VOLUME}:${MOUNT} -e UPDATES=enabled -p 80:80 -d --name ${CONTAINER} ${IMAGE}:${TAG} run
|
|
sleep 30
|
|
docker logs ${CONTAINER}
|
|
-
|
|
name: Download tiles
|
|
if : ${{ matrix.mode == 'build-and-test' }}
|
|
run : |
|
|
curl http://localhost/tile/0/0/0.png --fail -o 000.png
|
|
curl http://localhost/tile/1/0/0.png --fail -o 100.png
|
|
curl http://localhost/tile/1/0/1.png --fail -o 101.png
|
|
curl http://localhost/tile/1/1/0.png --fail -o 110.png
|
|
curl http://localhost/tile/1/1/1.png --fail -o 111.png
|
|
curl http://localhost/tile/18/138474/85459.png --fail -o empty.png
|
|
curl http://localhost/tile/18/135536/89345.png --fail -o example.png
|
|
-
|
|
name: Verify tiles
|
|
if : ${{ matrix.mode == 'build-and-test' }}
|
|
run : |
|
|
sha1sum *.png
|
|
sha1sum --check <<EOF
|
|
c226ca747874fb1307eef853feaf9d8db28cef2b *empty.png
|
|
EOF
|
|
tiles=(`ls *.png`)
|
|
for ((i=0; i<${#tiles[@]}; i++)) ; do
|
|
if [ `file --brief --mime-type "${tiles[$i]}"` != 'image/png' ] ; then
|
|
>&2 echo "ERROR: ${tiles[$i]} is not a image/png file"
|
|
exit 1
|
|
fi
|
|
for ((j=i+1; j<${#tiles[@]}; j++)) ; do
|
|
if ( diff "${tiles[$i]}" "${tiles[$j]}" ) ; then
|
|
>&2 echo "ERROR: ${tiles[$i]} is identical to ${tiles[$j]}"
|
|
exit 2
|
|
fi
|
|
done
|
|
done
|
|
-
|
|
name: Cleanup
|
|
if : ${{ matrix.mode == 'build-and-test' }}
|
|
run : |
|
|
docker rm --force --volumes ${CONTAINER}
|
|
docker volume rm --force ${VOLUME}
|
|
docker rmi --force ${IMAGE}:${TAG}
|
|
|
|
deploy:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
# This is used to complete the identity challenge
|
|
# with sigstore/fulcio when running outside of PRs.
|
|
id-token: write
|
|
attestations: write
|
|
needs:
|
|
- build
|
|
if: ${{ github.event_name != 'pull_request' }}
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
|
|
# Install the cosign tool except on PR
|
|
# https://github.com/sigstore/cosign-installer
|
|
-
|
|
name: Install cosign
|
|
if: github.event_name != 'pull_request'
|
|
uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 #v3.9.2
|
|
|
|
-
|
|
name: Set up QEMU
|
|
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
|
|
with:
|
|
platforms: amd64,arm64
|
|
|
|
-
|
|
name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
|
|
|
|
-
|
|
name: Login to GHCR
|
|
if: github.event_name != 'pull_request'
|
|
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
# Extract metadata (tags, labels) for Docker
|
|
# https://github.com/docker/metadata-action
|
|
- name: Extract Docker metadata
|
|
id: meta
|
|
uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
|
|
with:
|
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
-
|
|
name: Build and push
|
|
id: build-and-push
|
|
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
|
|
with:
|
|
sbom : true
|
|
pull : true
|
|
push : true
|
|
platforms : linux/amd64,linux/arm64/v8
|
|
context : .
|
|
file : ./Dockerfile
|
|
tags : ${{ steps.meta.outputs.tags }}
|
|
labels : ${{ steps.meta.outputs.labels }}
|
|
cache-from: |
|
|
type=gha,scope=${{ github.workflow }}:linux/amd64
|
|
type=gha,scope=${{ github.workflow }}:linux/arm64/v8
|
|
cache-to: type=gha,mode=max
|
|
|
|
# Sign the resulting Docker image digest except on PRs.
|
|
# This will only write to the public Rekor transparency log when the Docker
|
|
# repository is public to avoid leaking data. If you would like to publish
|
|
# transparency data even for private images, pass --force to cosign below.
|
|
# https://github.com/sigstore/cosign
|
|
- name: Sign the published Docker image
|
|
if: ${{ github.event_name != 'pull_request' }}
|
|
env:
|
|
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
|
|
TAGS: ${{ steps.meta.outputs.tags }}
|
|
DIGEST: ${{ steps.build-and-push.outputs.digest }}
|
|
# This step uses the identity token to provision an ephemeral certificate
|
|
# against the sigstore community Fulcio instance.
|
|
run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
|
|
|
|
- name: Attest
|
|
if: github.event_name != 'pull_request'
|
|
uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
|
|
id: attest
|
|
with:
|
|
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
subject-digest: ${{ steps.build-and-push.outputs.digest }}
|
|
push-to-registry: true
|
|
|
|
scan:
|
|
needs: deploy
|
|
permissions:
|
|
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
|
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
-
|
|
name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
|
|
with:
|
|
egress-policy: audit
|
|
-
|
|
name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
|
|
-
|
|
name: Build
|
|
id: docker_build
|
|
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
|
|
with:
|
|
push: false
|
|
load: true
|
|
tags: localbuild/testimage:latest
|
|
platforms: linux/amd64
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
-
|
|
name: Generate SBOM and upload dependency results
|
|
uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5
|
|
with:
|
|
image: localbuild/testimage:latest
|
|
artifact-name: "${{ github.event.repository.name }}.cyclonedx-sbom.json"
|
|
output-file: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
|
|
dependency-snapshot: false
|
|
format: cyclonedx-json
|
|
upload-artifact: true
|
|
-
|
|
name: Scan SBOM
|
|
uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
|
|
id: scan
|
|
with:
|
|
cache-db: true
|
|
fail-build: false
|
|
sbom: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
|
|
output-format: sarif
|
|
-
|
|
name: Upload Anchore scan SARIF report
|
|
uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
|
|
with:
|
|
sarif_file: ${{ steps.scan.outputs.sarif }} |