Skip to content

fix(data-manager): validate git branch arg in /transit/bump #378

fix(data-manager): validate git branch arg in /transit/bump

fix(data-manager): validate git branch arg in /transit/bump #378

Workflow file for this run

name: Build & Push Docker Images
on:
push:
branches: [main]
workflow_dispatch:
env:
REGISTRY: ghcr.io
IMAGE_PREFIX: ghcr.io/openmapx
# Least-privilege default; each job opts into the extra scopes it needs
# (the build job adds packages: write + security-events: write).
permissions:
contents: read
jobs:
changes:
name: Detect changed apps
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
apps: ${{ steps.set.outputs.apps }}
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- id: filter
if: github.event_name != 'workflow_dispatch'
uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
with:
filters: |
api:
- 'apps/api/**'
- 'packages/**'
- 'integrations/**'
- 'pnpm-lock.yaml'
- 'pnpm-workspace.yaml'
- 'package.json'
- 'apps/api/Dockerfile'
web:
- 'apps/web/**'
- 'packages/**'
- 'integrations/**'
- 'pnpm-lock.yaml'
- 'pnpm-workspace.yaml'
- 'package.json'
- 'apps/web/Dockerfile'
data-manager:
- 'services/data-manager/**'
- 'packages/**'
- 'pnpm-lock.yaml'
- 'pnpm-workspace.yaml'
- 'package.json'
transitous-tools:
- 'services/motis/tools/transitous/**'
docs:
- 'docs/**'
- id: set
env:
DISPATCH: ${{ github.event_name == 'workflow_dispatch' }}
FILTER_CHANGES: ${{ steps.filter.outputs.changes }}
run: |
if [ "$DISPATCH" = "true" ]; then
echo 'apps=["api","web","data-manager","transitous-tools","docs"]' >> "$GITHUB_OUTPUT"
else
echo "apps=${FILTER_CHANGES}" >> "$GITHUB_OUTPUT"
fi
build:
name: Build ${{ matrix.app }}
needs: changes
if: needs.changes.outputs.apps != '[]' && needs.changes.outputs.apps != ''
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write
strategy:
fail-fast: false
matrix:
app: ${{ fromJSON(needs.changes.outputs.apps) }}
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- name: Resolve build context
id: ctx
env:
APP: ${{ matrix.app }}
run: |
case "$APP" in
api)
echo "context=." >> "$GITHUB_OUTPUT"
echo "dockerfile=apps/api/Dockerfile" >> "$GITHUB_OUTPUT"
;;
web)
echo "context=." >> "$GITHUB_OUTPUT"
echo "dockerfile=apps/web/Dockerfile" >> "$GITHUB_OUTPUT"
;;
data-manager)
echo "context=." >> "$GITHUB_OUTPUT"
echo "dockerfile=services/data-manager/Dockerfile" >> "$GITHUB_OUTPUT"
;;
transitous-tools)
echo "context=services/motis/tools/transitous" >> "$GITHUB_OUTPUT"
echo "dockerfile=services/motis/tools/transitous/Dockerfile" >> "$GITHUB_OUTPUT"
;;
docs)
echo "context=docs" >> "$GITHUB_OUTPUT"
echo "dockerfile=docs/Dockerfile" >> "$GITHUB_OUTPUT"
;;
*)
echo "Unknown app: $APP" >&2
exit 1
;;
esac
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
id: meta
with:
images: ${{ env.IMAGE_PREFIX }}/${{ matrix.app }}
tags: |
type=sha,prefix=
type=raw,value=latest
- uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
id: build
with:
context: ${{ steps.ctx.outputs.context }}
file: ${{ steps.ctx.outputs.dockerfile }}
platforms: linux/amd64
# Stamp the web service worker with the commit SHA so each deploy
# produces a fresh sw.js and the PWA's update prompt fires. Ignored by
# the other images (their Dockerfiles declare no such ARG).
build-args: ${{ matrix.app == 'web' && format('SW_BUILD_ID={0}', github.sha) || '' }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha,scope=${{ matrix.app }}
cache-to: type=gha,mode=max,scope=${{ matrix.app }}
provenance: mode=max
sbom: true
# Trivy scan + SARIF upload require Code Scanning, which needs
# GitHub Advanced Security on private repos. To enable: make the
# repo public OR set repo variable ENABLE_CODE_SCANNING=true
# under Settings → Secrets and variables → Actions → Variables.
- name: Scan image with Trivy
if: vars.ENABLE_CODE_SCANNING == 'true'
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: ${{ env.IMAGE_PREFIX }}/${{ matrix.app }}@${{ steps.build.outputs.digest }}
format: sarif
output: trivy-${{ matrix.app }}.sarif
severity: CRITICAL,HIGH
ignore-unfixed: true
exit-code: "0"
- name: Upload Trivy results
if: always() && vars.ENABLE_CODE_SCANNING == 'true'
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
with:
sarif_file: trivy-${{ matrix.app }}.sarif
category: trivy-${{ matrix.app }}