name: Release on: push: tags: ['v*'] env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} jobs: build-binary: name: Build Binary runs-on: self-hosted steps: - uses: actions/checkout@v4 - name: Set up Rust run: | echo "/home/github-runner/.cargo/bin" >> $GITHUB_PATH echo "RUSTUP_HOME=/home/github-runner/.rustup" >> $GITHUB_ENV echo "CARGO_HOME=/home/github-runner/.cargo" >> $GITHUB_ENV - name: Build release binary (musl static) run: | cargo build --release --target x86_64-unknown-linux-musl --package nora-registry # Save to shared runner path — all build-docker jobs run on the same self-hosted runner mkdir -p /tmp/nora-artifacts cp target/x86_64-unknown-linux-musl/release/nora /tmp/nora-artifacts/nora-${{ github.run_id }} chmod +x /tmp/nora-artifacts/nora-${{ github.run_id }} build-docker: name: Build & Push (${{ matrix.name }}) runs-on: self-hosted needs: build-binary permissions: contents: read packages: write strategy: fail-fast: false matrix: include: - name: alpine dockerfile: Dockerfile suffix: "" - name: astra dockerfile: Dockerfile.astra suffix: "-astra" - name: redos dockerfile: Dockerfile.redos suffix: "-redos" steps: - uses: actions/checkout@v4 - name: Copy binary from shared runner storage run: cp /tmp/nora-artifacts/nora-${{ github.run_id }} ./nora - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} flavor: | suffix=${{ matrix.suffix }},onlatest=true tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=raw,value=latest,enable=${{ matrix.suffix == '' }} type=raw,value=${{ matrix.name }},enable=${{ matrix.suffix != '' }} - name: Build and push uses: docker/build-push-action@v5 with: context: . file: ${{ matrix.dockerfile }} platforms: linux/amd64 push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha,scope=${{ matrix.name }} cache-to: type=gha,mode=max,scope=${{ matrix.name }} scan: name: Scan (${{ matrix.name }}) runs-on: ubuntu-latest needs: build-docker permissions: contents: read packages: read security-events: write strategy: fail-fast: false matrix: include: - name: alpine suffix: "" - name: astra suffix: "-astra" - name: redos suffix: "-redos" steps: - name: Log in to Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set version tag (strip leading v) id: ver run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT # ── CVE scan of the pushed image ──────────────────────────────────────── # Images are FROM scratch — no OS packages, only binary CVE scan - name: Trivy — image scan (${{ matrix.name }}) uses: aquasecurity/trivy-action@master with: scan-type: image image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }} format: sarif output: trivy-image-${{ matrix.name }}.sarif severity: HIGH,CRITICAL exit-code: 0 # warn only; change to 1 to block on vulnerabilities - name: Upload Trivy image results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 if: always() with: sarif_file: trivy-image-${{ matrix.name }}.sarif category: trivy-image-${{ matrix.name }} release: name: GitHub Release runs-on: ubuntu-latest needs: [build-docker, scan] permissions: contents: write packages: read # to pull image for SBOM generation steps: - uses: actions/checkout@v4 - name: Log in to Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set version tag (strip leading v) id: ver run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT # ── SBOM — Software Bill of Materials ─────────────────────────────────── - name: Generate SBOM (SPDX) uses: anchore/sbom-action@v0 with: image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }} format: spdx-json output-file: nora-${{ github.ref_name }}.sbom.spdx.json registry-username: ${{ github.actor }} registry-password: ${{ secrets.GITHUB_TOKEN }} - name: Generate SBOM (CycloneDX) uses: anchore/sbom-action@v0 with: image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }} format: cyclonedx-json output-file: nora-${{ github.ref_name }}.sbom.cdx.json registry-username: ${{ github.actor }} registry-password: ${{ secrets.GITHUB_TOKEN }} - name: Create Release uses: softprops/action-gh-release@v1 with: generate_release_notes: true files: | nora-${{ github.ref_name }}.sbom.spdx.json nora-${{ github.ref_name }}.sbom.cdx.json body: | ## Docker **Alpine (standard):** ```bash docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }} ``` **Astra Linux SE:** ```bash docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}-astra ``` **RED OS:** ```bash docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}-redos ``` ## Changelog See [CHANGELOG.md](https://github.com/${{ github.repository }}/blob/main/CHANGELOG.md)