#
#  Copyright (c) 2020, The OpenThread Authors.
#  All rights reserved.
#
#  Redistribution and use in source and binary forms, with or without
#  modification, are permitted provided that the following conditions are met:
#  1. Redistributions of source code must retain the above copyright
#     notice, this list of conditions and the following disclaimer.
#  2. Redistributions in binary form must reproduce the above copyright
#     notice, this list of conditions and the following disclaimer in the
#     documentation and/or other materials provided with the distribution.
#  3. Neither the name of the copyright holder nor the
#     names of its contributors may be used to endorse or promote products
#     derived from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
#  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
#  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
#  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
#  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
#  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
#  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#  POSSIBILITY OF SUCH DAMAGE.
#

name: Docker

# Runs on every push except to Dependabot branches, and on pull requests
# that target main.
on:
  push:
    branches-ignore:
      - "dependabot/**"
  pull_request:
    branches:
      - main

# Group key: the PR number for pull requests; the unique run id for other
# events in openthread/openthread (so those runs never cancel each other);
# otherwise the ref, so a newer run on the same ref cancels the older one.
concurrency:
  group: >-
    ${{ github.workflow }}-${{ github.event.pull_request.number
    || (github.repository == 'openthread/openthread' && github.run_id)
    || github.ref }}
  cancel-in-progress: true

# Default GITHUB_TOKEN scope for every job: read-only repository contents;
# scopes that are not listed here are not granted.
# Added using https://github.com/step-security/secure-workflows
permissions:
  contents: read

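jobs:

  # Builds the openthread/<docker_name> image on every trigger and, for
  # non-pull_request events in the upstream repository, pushes it to the
  # registry and inspects the published tag.
  buildx:
    name: buildx-${{ matrix.docker_name }}
    # NOTE(review): GitHub has retired the ubuntu-20.04 hosted image; move
    # this job to a currently supported runner label.
    runs-on: ubuntu-20.04
    strategy:
      fail-fast: false
      matrix:
        include:
          - docker_name: environment
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment on each line records the release tag given for that SHA.
      # Harden Runner stays first so it is active for the steps after it.
      - name: Harden Runner
        uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3  # v2.3.1
        with:
          # 'audit' only records outbound connections; nothing is blocked
          # until the policy is switched to 'block'.
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs

      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
        with:
          submodules: true
          # No later step in this job runs git, and the build context is
          # the whole workspace ('.'), so do not leave the job token in
          # .git/config after checkout.
          persist-credentials: false

      - name: Prepare
        id: prepare
        env:
          # Handed to the script through the environment instead of being
          # expanded by the workflow engine inside the script text.
          DOCKER_NAME: ${{ matrix.docker_name }}
        run: |
          DOCKER_IMAGE="openthread/${DOCKER_NAME}"
          DOCKER_FILE="etc/docker/${DOCKER_NAME}/Dockerfile"
          DOCKER_PLATFORMS=linux/amd64
          VERSION=latest

          TAGS="--tag ${DOCKER_IMAGE}:${VERSION}"

          echo "docker_image=${DOCKER_IMAGE}" >> "$GITHUB_OUTPUT"
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          # The backslash-newlines sit inside the double quotes, so the
          # whole argument string is written as a single output line.
          echo "buildx_args=--platform ${DOCKER_PLATFORMS} \
            --build-arg OT_GIT_REF=${GITHUB_SHA} \
            --build-arg VERSION=${VERSION} \
            --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
            --build-arg VCS_REF=${GITHUB_SHA::8} \
            ${TAGS} --file ${DOCKER_FILE} ." >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c  # v2.5.0

      # Build only (push=false); this step runs for pull requests too and
      # uses no secrets.
      - name: Docker Buildx (build)
        env:
          BUILDX_ARGS: ${{ steps.prepare.outputs.buildx_args }}
        run: |
          # BUILDX_ARGS is a space-separated argument list and is left
          # unquoted on purpose so the shell splits it into words.
          # shellcheck disable=SC2086
          docker buildx build --output "type=image,push=false" ${BUILDX_ARGS}

      # Registry credentials are used only for non-pull_request events in
      # the upstream repository.
      # NOTE(review): prefer a scoped registry access token over an
      # account password for DOCKER_PASSWORD; confirm what is stored.
      - name: Login to DockerHub
        if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a  # v2.1.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # NOTE(review): this condition does not check the ref, and the push
      # trigger of this workflow only excludes dependabot/**, so a push to
      # any other branch of openthread/openthread publishes the 'latest'
      # tag. Confirm that is intended, or also require the release branch.
      - name: Docker Buildx (push)
        if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
        env:
          BUILDX_ARGS: ${{ steps.prepare.outputs.buildx_args }}
        run: |
          # Unquoted on purpose: see the build step.
          # shellcheck disable=SC2086
          docker buildx build --output "type=image,push=true" ${BUILDX_ARGS}

      # always(): runs even when an earlier step failed, so it reports
      # whatever the registry currently serves under this tag.
      - name: Inspect Image
        if: always() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
        env:
          DOCKER_IMAGE: ${{ steps.prepare.outputs.docker_image }}
          VERSION: ${{ steps.prepare.outputs.version }}
        run: |
          docker buildx imagetools inspect "${DOCKER_IMAGE}:${VERSION}"
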