publicWagsHome
/
amcrest2mqtt
mirror of https://github.com/dchesterton/amcrest2mqtt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/github_actions/docker/setup-buildx-action-2.5.0
dependabot/pip/python-slugify-8.0.1
dependabot/github_actions/docker/build-push-action-4.0.0
dependabot/github_actions/docker/setup-qemu-action-2.1.0
dependabot/github_actions/docker/login-action-2.1.0
main
1.0.16
1.0.15
1.0.14
1.0.13
1.0.12
1.0.11
1.0.10
1.0.9
1.0.8
1.0.7
1.0.6
1.0.5
1.0.4
1.0.3
1.0.2
1.0.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '570279a570'
${ noResults }
amcrest2mqtt/.github/workflows/deploy.yaml

200 lines
6.5 KiB
YAML
Raw Blame History

name: Release and Docker Deploy
on:
push:
branches:
- "main"
pull_request:
workflow_dispatch:
schedule:
- cron: "0 3 1 * *" # Monthly rebuild at 03:00 UTC on the 1st
permissions:
contents: write
issues: write
pull-requests: write
packages: write
security-events: write
id-token: write # for cosign signing
jobs:
lint:
name: Lint (ruff/black/mypy)
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version: ['3.12', '3.13', '3.14']
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: ${{ matrix.python-version }}
- name: Set up uv
uses: astral-sh/setup-uv@8d55fbecc275b1c35dbe060458839f8d30439ccf # v3
with:
version: "latest"
# If your dev tools (ruff/black/rst-lint/rich/etc.) are in optional-dependencies
# like [project.optional-dependencies.dev], this installs them.
- name: Install project (dev)
run: uv sync --all-extras --dev
- name: Ruff
run: uv run ruff check src
- name: Black
run: |
uv run black --version
uv run black --check --color --diff .
- name: Mypy
run: |
uv run mypy .
release:
name: Semantic Release
runs-on: ubuntu-latest
needs: [lint]
if: github.event_name != 'pull_request'
outputs:
published: ${{ steps.semrel.outputs.new_release_published }}
version: ${{ steps.semrel.outputs.new_release_version }}
tag: ${{ steps.semrel.outputs.new_release_git_tag }}
steps:
- name: Checkout code
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- name: Setup Node
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
with:
node-version: 20
- name: Install dependencies
run: npm ci
- name: Run semantic-release
id: semrel
uses: cycjimmy/semantic-release-action@16ca923e6ccbb50770c415a0ccd43709a8c5f7a4 # v4
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
extra_plugins: |
@semantic-release/changelog
@semantic-release/git
@semantic-release/npm
- name: Update VERSION file in repo
if: steps.semrel.outputs.new_release_published == 'true'
run: |
echo "v${{ steps.semrel.outputs.new_release_version }}" > VERSION
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add VERSION
git diff --cached --quiet || git commit -m "chore: update VERSION to v${{ steps.semrel.outputs.new_release_version }}"
git push
docker:
name: Build and Push Docker Image
needs: [release]
if: github.event_name != 'pull_request' && needs.release.result == 'success'
runs-on: ubuntu-latest
env:
RELEASE_VERSION: ${{ needs.release.outputs.version }}
RELEASE_TAG: ${{ needs.release.outputs.tag }}
steps:
- name: Checkout code
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Login to Docker Hub
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PAT }}
- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Docker meta
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
with:
images: graystorm/amcrest2mqtt
tags: |
type=raw,value=${{ env.RELEASE_TAG }}
type=raw,value=latest
labels: |
org.opencontainers.image.title=amcrest2mqtt
org.opencontainers.image.description=Publishes Amcrest device data to MQTT for Home Assistant
org.opencontainers.image.url=https://www.graystorm.com
org.opencontainers.image.documentation=https://github.com/${{ github.repository }}#readme
org.opencontainers.image.source=https://github.com/${{ github.repository }}
org.opencontainers.image.revision=${{ github.sha }}
- name: Fetch tags
run: git fetch --tags --force
- name: Ensure VERSION is set
id: version-fallback
run: |
if [ -z "${{ needs.release.outputs.version }}" ]; then
TAG=$(git tag --sort=-creatordate | head -n 1)
if [ -z "$TAG" ]; then
echo "No tags found — defaulting to 0.0.0"
TAG="0.0.0"
fi
echo "Using existing tag: $TAG"
echo "VERSION=$TAG" >> $GITHUB_ENV
else
echo "VERSION=${{ needs.release.outputs.version }}" >> $GITHUB_ENV
fi
- name: Build and push
id: build-and-push
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
with:
context: .
pull: true
push: true
build-args: |
VERSION=${{ env.VERSION }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/arm64,linux/amd64
cache-from: type=gha
cache-to: type=gha,mode=max
sbom: true
provenance: true
- name: Install Cosign
uses: sigstore/cosign-installer@f713795cb21599bc4e5c4b58cbad1da852d7eeb9 # v3
- name: Sign the image
env:
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: |
cosign sign --yes graystorm/amcrest2mqtt@${DIGEST}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@22438a435773de8c97dc0958cc0b823c45b064ac # master
with:
image-ref: graystorm/amcrest2mqtt@${{ steps.build-and-push.outputs.digest }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@27fcff4ecb39e96348e7ceddcc2d9ef42308b6fc # v4
if: always()
with:
sarif_file: 'trivy-results.sarif'
Reference in New Issue View Git Blame Copy Permalink