mjanez · mjanez · Feb 9, 2024 · Feb 9, 2024
diff --git a/.github/workflows/docker-manual.yaml b/.github/workflows/docker-manual.yaml
@@ -5,7 +5,6 @@ on: workflow_dispatch
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
-  TAG: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
   CONTEXT: .
   BRANCH: ${{ github.ref_name }}
   DOCKERFILE_PATH: /ckan-pycsw
@@ -35,18 +34,21 @@ jobs:
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           labels: |
             org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
             org.opencontainers.image.version=${{ env.BRANCH }}
 
+      - name: Replace slashes in BRANCH to avoid errors
+        run: echo "BRANCH=${BRANCH////_}" >> $GITHUB_ENV
+
       - name: Build and push
         uses: docker/build-push-action@v5
         with:
           push: true
-          tags: ${{ env.TAG }}
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
           labels: ${{ steps.meta.outputs.labels }}
           context: ${{ env.CONTEXT }}
           file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
@@ -55,16 +57,17 @@ jobs:
         uses: hadolint/[email protected]
         with:
           dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+          no-fail: true
 
       - name: Run Trivy container image vulnerability scanner
-        uses: aquasecurity/trivy-action@0.12.0
+        uses: aquasecurity/trivy-action@0.17.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
           format: sarif
           output: trivy-results.sarif
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: trivy-results.sarif
diff --git a/.github/workflows/docker-pr.yaml b/.github/workflows/docker-pr.yaml
@@ -3,21 +3,24 @@ name: Test ckan-pycsw images (PR)
 on:
   pull_request:
     branches:
-      - main
-      - latest
+        - main
+        - 'ckan-pycsw-*.*.*'
+        - '!dev/ckan-pycsw-*.*.*'
+        - '!feature/*'
+        - '!fix/*'
 
 env:
-    REGISTRY: ghcr.io
-    IMAGE_NAME: ${{ github.repository }}
-    CONTEXT: .
-    BRANCH: ${{ github.head_ref }}
-    DOCKERFILE_PATH: /ckan-pycsw
-    DOCKERFILE: Dockerfile
-    HADOLINT_VERSION: 2.12.0
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ckan-pycsw
+  CONTEXT: .
+  BRANCH: ${{ github.head_ref }}
+  DOCKERFILE_PATH: /ckan-pycsw
+  DOCKERFILE: Dockerfile
+  HADOLINT_VERSION: 2.12.0
 
 jobs:
   docker:
-    name: runner/test-docker-pr:${{ github.head_ref }}
+    name: runner/test-ckan-pycsw-pr:${{ github.head_ref }}
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
     steps:
@@ -32,41 +35,15 @@ jobs:
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          labels: |
-            org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
-            org.opencontainers.image.version=${{ env.BRANCH }}
-
-      - name: Build to test
-        uses: docker/build-push-action@v5
-        id: docker-push
-        with:
-            push: false
-            tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
-            labels: ${{ steps.meta.outputs.labels }}
-            context: ${{ env.CONTEXT }}
-            file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
-
-      - name: Linting Dockerfile and annotate code inline in the github PR viewer
+
+      - name: Linting Dockerfiles and annotate code inline in the github PR viewer
         id: hadolint
-        uses: jbergstroem/hadolint-gh-action@v1.11.0
+        uses: jbergstroem/hadolint-gh-action@v1.12.2
         with:
           dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
           version: ${{ env.HADOLINT_VERSION }}
           annotate: true
-          error_level: -1
-
-      - name: Run Trivy container image vulnerability scanner
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref:  ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
-          format: sarif
-          output: trivy-results.sarif
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        if: always()
-        with:
-          sarif_file: trivy-results.sarif
+          error_level: -1
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -3,15 +3,17 @@ name: Build and push ckan-pycsw image from PR Merge
 on:
   pull_request:
     types:
-      - closed
+        - closed
     branches:
-      - main
-      - latest
+        - main
+        - 'ckan-pycsw-*.*.*'
+        - '!dev/ckan-pycsw-*.*.*'
+        - '!feature/*'
+        - '!fix/*'
 
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
-  TAG: ghcr.io/${{ github.repository }}:${{ github.head_ref }}
   CONTEXT: .
   BRANCH: ${{ github.head_ref }}
   DOCKERFILE_PATH: /ckan-pycsw
@@ -42,18 +44,21 @@ jobs:
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           labels: |
             org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
             org.opencontainers.image.version=${{ env.BRANCH }}
 
+      - name: Replace slashes in BRANCH to avoid errors
+        run: echo "BRANCH=${BRANCH////_}" >> $GITHUB_ENV
+
       - name: Build and push
         uses: docker/build-push-action@v5
         with:
           push: true
-          tags: ${{ env.TAG }}
+          tags: ghcr.io/${{ github.repository }}:${{ github.head_ref }}
           labels: ${{ steps.meta.outputs.labels }}
           context: ${{ env.CONTEXT }}
           file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
@@ -62,16 +67,17 @@ jobs:
         uses: hadolint/[email protected]
         with:
           dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+          no-fail: true
 
       - name: Run Trivy container image vulnerability scanner
-        uses: aquasecurity/trivy-action@0.12.0
+        uses: aquasecurity/trivy-action@0.17.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
           format: sarif
           output: trivy-results.sarif
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: trivy-results.sarif