build(deps): switch trivy-action to new versioning schema #99
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | |
| on: | |
| push: | |
| paths-ignore: | |
| - README.md | |
| branches: | |
| - main | |
| - "feature/*" | |
| - "bugfix/*" | |
| pull_request: | |
| branches: | |
| - main | |
| schedule: | |
| # weekly: at 04:13 on Monday | |
| - cron: "13 4 * * 1" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| permissions: | |
| contents: write | |
| packages: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| tag_version: ${{ steps.tag_version.outputs.new_tag }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Set up Docker | |
| uses: docker/setup-docker-action@v4 | |
| with: | |
| daemon-config: | | |
| { | |
| "features": { | |
| "containerd-snapshotter": true | |
| } | |
| } | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| driver: docker-container | |
| platforms: linux/arm/v7,linux/amd64,linux/arm64,linux/ppc64le,linux/riscv64,linux/s390x | |
| - name: Setup Template Dockerfiles | |
| uses: tgagor/template-dockerfiles@v0.16.2 | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version: 24 | |
| - name: Guess next version | |
| if: github.ref == 'refs/heads/main' | |
| id: tag_version | |
| uses: mathieudutour/github-tag-action@v6.2 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| dry_run: true | |
| - name: Extract version from tag on main | |
| if: github.ref == 'refs/heads/main' | |
| env: | |
| VERSION_TAG: ${{ steps.tag_version.outputs.new_tag }} | |
| run: echo "DOCKER_TAG=${VERSION_TAG#v}" >> $GITHUB_ENV | |
| - name: Use branch name as version not on main | |
| if: github.ref != 'refs/heads/main' | |
| run: echo "DOCKER_TAG=${GITHUB_REF##*/}" >> $GITHUB_ENV | |
| - name: Discover Gemini CLI latest version | |
| id: gemini_version | |
| run: | | |
| GEMINI_CLI_VERSION=$(npm view @google/gemini-cli version) | |
| echo "GEMINI_CLI_VERSION=${GEMINI_CLI_VERSION}" >> $GITHUB_ENV | |
| - name: Just build on branches | |
| if: github.ref != 'refs/heads/main' | |
| run: | | |
| td \ | |
| --config build.yaml \ | |
| --build \ | |
| --parallel 1 \ | |
| --engine buildx \ | |
| --tag ${DOCKER_TAG} | |
| - name: Build and Push on main branch | |
| if: github.ref == 'refs/heads/main' | |
| run: | | |
| echo ${{ secrets.HUB_ACCESS }} | docker login -u $GITHUB_ACTOR --password-stdin | |
| td --config build.yaml \ | |
| --build \ | |
| --engine buildx \ | |
| --push \ | |
| --tag ${DOCKER_TAG} | |
| - name: Bump version and push tag | |
| if: github.ref == 'refs/heads/main' | |
| uses: mathieudutour/github-tag-action@v6.2 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Update README | |
| if: github.ref == 'refs/heads/main' && !contains(github.event.commits[0].message, 'auto-update README') | |
| run: | | |
| curl -fsSLo /usr/local/bin/tpl https://github.com/tgagor/tpl/releases/latest/download/tpl-linux-amd64 | |
| chmod +x /usr/local/bin/tpl | |
| export DOCKER_TAG=${DOCKER_TAG} | |
| export GEMINI_CLI_VERSION=${GEMINI_CLI_VERSION} | |
| tpl -t README-TEMPLATE.md | tee README.md | |
| if [[ "$(git status --porcelain)" != "" ]]; then | |
| git config user.name "GitHub Action" | |
| git config user.email "action@github.com" | |
| git add . | |
| git commit -m "docs(readme): auto-update README.md" | |
| git push | |
| fi | |
| - name: Create normal GitHub release | |
| if: github.ref == 'refs/heads/main' && (github.event_name != 'schedule' || github.actor == 'dependabot[bot]') | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ steps.tag_version.outputs.new_tag }} | |
| release_name: Release ${{ steps.tag_version.outputs.new_tag }} | |
| body: ${{ steps.tag_version.outputs.changelog }} | |
| - name: Get current date | |
| if: github.event_name == 'schedule' && github.actor != 'dependabot[bot]' | |
| id: date | |
| run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT | |
| - name: Create a weekly GitHub release | |
| if: github.event_name == 'schedule' && github.actor != 'dependabot[bot]' | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ steps.tag_version.outputs.new_tag }} | |
| release_name: Release ${{ steps.tag_version.outputs.new_tag }} | |
| body: | | |
| Weekly rebuild on ${{ steps.date.outputs.date }} | |
| security-scan: | |
| permissions: | |
| security-events: write | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| if: github.ref == 'refs/heads/main' || github.event_name == 'schedule' | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Fetch image | |
| run: | | |
| echo ${{ secrets.HUB_ACCESS }} | docker login -u $GITHUB_ACTOR --password-stdin | |
| docker pull tgagor/gemini-cli:build-${{needs.build.outputs.tag_version}} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@v0.35.0 | |
| with: | |
| image-ref: tgagor/gemini-cli:build-${{needs.build.outputs.tag_version}} | |
| format: template | |
| template: "@/contrib/sarif.tpl" | |
| # don't fail | |
| exit-code: 0 | |
| output: trivy-results.sarif | |
| severity: CRITICAL,HIGH,MEDIUM | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| if: github.ref == 'refs/heads/main' | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: trivy-results.sarif |