#
#  Copyright (c) 2020, The OpenThread Authors.
#  All rights reserved.
#
#  Redistribution and use in source and binary forms, with or without
#  modification, are permitted provided that the following conditions are met:
#  1. Redistributions of source code must retain the above copyright
#     notice, this list of conditions and the following disclaimer.
#  2. Redistributions in binary form must reproduce the above copyright
#     notice, this list of conditions and the following disclaimer in the
#     documentation and/or other materials provided with the distribution.
#  3. Neither the name of the copyright holder nor the
#     names of its contributors may be used to endorse or promote products
#     derived from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
#  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
#  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
#  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
#  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
#  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
#  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#  POSSIBILITY OF SUCH DAMAGE.
#
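# Builds the OpenThread Docker image(s) with buildx; the steps that log in to
# Docker Hub and push are gated on the upstream repository and on non-PR events.
name: Docker

on:
  # Runs on pushes to every branch except Dependabot's.
  push:
    branches-ignore:
      - 'dependabot/**'
  # Runs on pull requests that target main.
  pull_request:
    branches:
      - 'main'

# Group key, in order of precedence:
#   1. the pull-request number, so a newer push to a PR cancels the older run;
#   2. in openthread/openthread outside a PR, the run id, which gives each run
#      its own group so it is never cancelled by a later one;
#   3. otherwise (forks, non-PR) the ref, so a newer push to a branch cancels
#      the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || (github.repository == 'openthread/openthread' && github.run_id) || github.ref }}
  cancel-in-progress: true

# Least privilege for GITHUB_TOKEN: read-only access to repository contents and
# no other scope. Registry credentials come from repository secrets instead.
permissions:  # added using https://github.com/step-security/secure-workflows
  contents: read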
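jobs:

  # Builds the image for every matrix entry, and pushes it when the run is in
  # openthread/openthread and was not triggered by a pull request.
  buildx:
    name: buildx-${{ matrix.docker_name }}
    # NOTE(review): GitHub has announced retirement of the ubuntu-20.04 hosted
    # image; confirm this label still resolves to a runner.
    runs-on: ubuntu-20.04
    strategy:
      fail-fast: false
      matrix:
        include:
          - docker_name: environment
    steps:
    # Third-party actions are pinned to full commit SHAs (the trailing comment
    # records the matching tag), so a moved tag cannot change what runs here.
    - name: Harden Runner
      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
      with:
        # 'audit' only records outbound connections; nothing is blocked until
        # this is switched to 'block'.
        egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs

    # NOTE(review): this is the only action referenced by a mutable branch
    # (@main) rather than a commit SHA. It runs in the same job that later
    # logs in with DOCKER_USERNAME / DOCKER_PASSWORD, so whatever is on that
    # branch at run time executes on the runner before the credentials are
    # used. Pin it to a reviewed full commit SHA like the other steps.
    - name: Free Disk Space (Ubuntu)
      uses: jlumbroso/free-disk-space@main

    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: true

    # Computes the image name, tag and the shared `docker buildx build`
    # argument list, and publishes them as step outputs.
    # Expression values are passed through `env` rather than expanded into the
    # script text, so they reach the shell as data and are never parsed as
    # shell source. GITHUB_SHA is the runner's copy of github.sha.
    - name: Prepare
      id: prepare
      env:
        DOCKER_NAME: ${{ matrix.docker_name }}
      run: |
        DOCKER_IMAGE="openthread/${DOCKER_NAME}"
        DOCKER_FILE="etc/docker/${DOCKER_NAME}/Dockerfile"
        DOCKER_PLATFORMS=linux/amd64,linux/arm64
        VERSION=latest

        TAGS="--tag ${DOCKER_IMAGE}:${VERSION}"

        echo "docker_image=${DOCKER_IMAGE}" >> "$GITHUB_OUTPUT"
        echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
        echo "buildx_args=--platform ${DOCKER_PLATFORMS} \
          --build-arg OT_GIT_REF=${GITHUB_SHA} \
          --build-arg VERSION=${VERSION} \
          --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
          --build-arg VCS_REF=${GITHUB_SHA::8} \
          ${TAGS} --file ${DOCKER_FILE} ." >> "$GITHUB_OUTPUT"

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0

    # Build only (push=false). Runs for every trigger, including pull requests,
    # and needs no registry credentials.
    - name: Docker Buildx (build)
      env:
        BUILDX_ARGS: ${{ steps.prepare.outputs.buildx_args }}
      run: |
        # BUILDX_ARGS is a flag list, so word splitting is intended here.
        # shellcheck disable=SC2086
        docker buildx build --output "type=image,push=false" ${BUILDX_ARGS}

    # Registry credentials are used only in the upstream repository and never
    # for pull_request events.
    # NOTE(review): the push trigger covers every branch except dependabot/**,
    # and this condition does not test the branch, so a push to any such
    # branch of openthread/openthread publishes the 'latest' tag. Confirm that
    # is intended, or add a github.ref check.
    - name: Login to DockerHub
      if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
      with:
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_PASSWORD }}

    # Same argument list as the build step, with push=true.
    - name: Docker Buildx (push)
      if: success() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
      env:
        BUILDX_ARGS: ${{ steps.prepare.outputs.buildx_args }}
      run: |
        # BUILDX_ARGS is a flag list, so word splitting is intended here.
        # shellcheck disable=SC2086
        docker buildx build --output "type=image,push=true" ${BUILDX_ARGS}

    # always(): runs even when an earlier step failed, under the same
    # repository and event gate as the push.
    - name: Inspect Image
      if: always() && github.repository == 'openthread/openthread' && github.event_name != 'pull_request'
      env:
        DOCKER_IMAGE: ${{ steps.prepare.outputs.docker_image }}
        VERSION: ${{ steps.prepare.outputs.version }}
      run: |
        docker buildx imagetools inspect "${DOCKER_IMAGE}:${VERSION}"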