2024-01-09 01:15:01 +01:00
|
|
|
# This Github action is for publishing of the primary image for AnythingLLM
|
|
|
|
# It will publish a linux/amd64 and linux/arm64 image at the same time
|
|
|
|
# This file should ONLY BY USED FOR `master` BRANCH.
|
|
|
|
# TODO: Update `runs-on` for arm64 when GitHub finally supports
|
|
|
|
# native arm environments as QEMU takes around 1 hour to build
|
|
|
|
# ref: https://github.com/actions/runner-images/issues/5631 :(
|
|
|
|
name: Publish AnythingLLM Primary Docker image (amd64/arm64)
|
|
|
|
|
|
|
|
concurrency:
|
|
|
|
group: build-${{ github.ref }}
|
|
|
|
cancel-in-progress: true
|
2023-11-18 04:15:23 +01:00
|
|
|
|
|
|
|
on:
|
|
|
|
push:
|
2024-01-09 01:15:01 +01:00
|
|
|
branches: ['master'] # master branch only. Do not modify.
|
2023-12-20 01:22:25 +01:00
|
|
|
paths-ignore:
|
2024-01-09 23:28:56 +01:00
|
|
|
- '**.md'
|
2024-07-25 17:08:56 +02:00
|
|
|
- 'cloud-deployments/**/*'
|
2024-01-09 23:28:56 +01:00
|
|
|
- 'images/**/*'
|
|
|
|
- '.vscode/**/*'
|
2024-01-07 00:40:03 +01:00
|
|
|
- '**/.env.example'
|
2024-01-09 23:28:56 +01:00
|
|
|
- '.github/ISSUE_TEMPLATE/**/*'
|
2024-08-02 19:23:27 +02:00
|
|
|
- '.devcontainer/**/*'
|
2024-08-28 00:06:44 +02:00
|
|
|
- 'embed/**/*' # Embed is submodule
|
|
|
|
- 'browser-extension/**/*' # Chrome extension is submodule
|
2024-04-16 19:50:10 +02:00
|
|
|
- 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
|
2023-11-18 04:15:23 +01:00
|
|
|
|
|
|
|
jobs:
|
2024-01-09 01:15:01 +01:00
|
|
|
push_multi_platform_to_registries:
|
|
|
|
name: Push Docker multi-platform image to multiple registries
|
2023-11-18 04:15:23 +01:00
|
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
|
|
packages: write
|
|
|
|
contents: read
|
|
|
|
steps:
|
|
|
|
- name: Check out the repo
|
|
|
|
uses: actions/checkout@v4
|
2024-01-09 01:15:01 +01:00
|
|
|
|
2024-01-12 22:31:59 +01:00
|
|
|
- name: Check if DockerHub build needed
|
|
|
|
shell: bash
|
|
|
|
run: |
|
|
|
|
# Check if the secret for USERNAME is set (don't even check for the password)
|
|
|
|
if [[ -z "${{ secrets.DOCKER_USERNAME }}" ]]; then
|
|
|
|
echo "DockerHub build not needed"
|
|
|
|
echo "enabled=false" >> $GITHUB_OUTPUT
|
|
|
|
else
|
|
|
|
echo "DockerHub build needed"
|
|
|
|
echo "enabled=true" >> $GITHUB_OUTPUT
|
|
|
|
fi
|
|
|
|
id: dockerhub
|
2024-01-09 01:15:01 +01:00
|
|
|
|
|
|
|
- name: Set up QEMU
|
|
|
|
uses: docker/setup-qemu-action@v3
|
|
|
|
|
|
|
|
- name: Set up Docker Buildx
|
|
|
|
uses: docker/setup-buildx-action@v3
|
2023-11-18 04:15:23 +01:00
|
|
|
|
|
|
|
- name: Log in to Docker Hub
|
|
|
|
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
|
2024-01-12 22:31:59 +01:00
|
|
|
# Only login to the Docker Hub if the repo is mintplex/anythingllm, to allow for forks to build on GHCR
|
|
|
|
if: steps.dockerhub.outputs.enabled == 'true'
|
2023-11-18 04:15:23 +01:00
|
|
|
with:
|
|
|
|
username: ${{ secrets.DOCKER_USERNAME }}
|
|
|
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
|
|
|
|
|
|
- name: Log in to the Container registry
|
|
|
|
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
|
|
|
|
with:
|
|
|
|
registry: ghcr.io
|
|
|
|
username: ${{ github.actor }}
|
|
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
|
|
|
|
- name: Extract metadata (tags, labels) for Docker
|
|
|
|
id: meta
|
|
|
|
uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
|
|
|
|
with:
|
|
|
|
images: |
|
2024-01-12 22:31:59 +01:00
|
|
|
${{ steps.dockerhub.outputs.enabled == 'true' && 'mintplexlabs/anythingllm' || '' }}
|
2023-11-18 04:15:23 +01:00
|
|
|
ghcr.io/${{ github.repository }}
|
2024-01-12 22:31:59 +01:00
|
|
|
tags: |
|
|
|
|
type=raw,value=latest,enable={{is_default_branch}}
|
|
|
|
type=ref,event=branch
|
|
|
|
type=ref,event=tag
|
|
|
|
type=ref,event=pr
|
|
|
|
|
2024-01-09 01:15:01 +01:00
|
|
|
- name: Build and push multi-platform Docker image
|
2024-07-19 17:09:32 +02:00
|
|
|
uses: docker/build-push-action@v6
|
2023-11-18 04:15:23 +01:00
|
|
|
with:
|
|
|
|
context: .
|
2023-11-18 04:18:26 +01:00
|
|
|
file: ./docker/Dockerfile
|
2023-11-18 04:15:23 +01:00
|
|
|
push: true
|
2024-07-19 17:09:32 +02:00
|
|
|
sbom: true
|
|
|
|
provenance: mode=max
|
2024-07-20 02:51:12 +02:00
|
|
|
platforms: linux/amd64,linux/arm64
|
2024-01-12 22:31:59 +01:00
|
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
|
|
cache-from: type=gha
|
|
|
|
cache-to: type=gha,mode=max
|
2024-07-25 20:13:57 +02:00
|
|
|
|
|
|
|
# For Docker scout there are some intermediary reported CVEs which exists outside
|
|
|
|
# of execution content or are unreachable by an attacker but exist in image.
|
|
|
|
# We create VEX files for these so they don't show in scout summary.
|
|
|
|
- name: Collect known and verified CVE exceptions
|
|
|
|
id: cve-list
|
|
|
|
run: |
|
|
|
|
# Collect CVEs from filenames in vex folder
|
|
|
|
CVE_NAMES=""
|
|
|
|
for file in ./docker/vex/*.vex.json; do
|
|
|
|
[ -e "$file" ] || continue
|
|
|
|
filename=$(basename "$file")
|
|
|
|
stripped_filename=${filename%.vex.json}
|
|
|
|
CVE_NAMES+=" $stripped_filename"
|
|
|
|
done
|
|
|
|
echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
|
|
|
|
shell: bash
|
|
|
|
|
|
|
|
# About VEX attestations https://docs.docker.com/scout/explore/exceptions/
|
|
|
|
# Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
|
|
|
|
- name: Add VEX attestations
|
|
|
|
env:
|
|
|
|
CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
|
|
|
|
run: |
|
|
|
|
echo $CVE_EXCEPTIONS
|
|
|
|
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
|
|
|
|
for cve in $CVE_EXCEPTIONS; do
|
|
|
|
for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
|
|
|
|
echo "Attaching VEX exception $cve to $tag"
|
|
|
|
docker scout attestation add \
|
|
|
|
--file "./docker/vex/$cve.vex.json" \
|
|
|
|
--predicate-type https://openvex.dev/ns/v0.2.0 \
|
|
|
|
$tag
|
|
|
|
done
|
|
|
|
done
|
|
|
|
shell: bash
|