1+ name : Publish Docker image for PG database deployments
2+
3+ concurrency :
4+ group : build-${{ github.ref }}
5+ cancel-in-progress : true
6+
7+ on :
8+ push :
9+ branches : ['pg']
10+ paths-ignore :
11+ - ' **.md'
12+ - ' cloud-deployments/*'
13+ - ' images/**/*'
14+ - ' .vscode/**/*'
15+ - ' **/.env.example'
16+ - ' .github/ISSUE_TEMPLATE/**/*'
17+ - ' embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
18+ - ' server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
19+
20+ jobs :
21+ push_to_registries :
22+ name : Push Docker image to DockerHub for use in PG database deployments
23+ runs-on : ubuntu-latest
24+ permissions :
25+ packages : write
26+ contents : read
27+ steps :
28+ - name : Check out the repo
29+ uses : actions/checkout@v4
30+
31+ - name : Check if DockerHub build needed
32+ shell : bash
33+ run : |
34+ # Check if the secret for USERNAME is set (don't even check for the password)
35+ if [[ -z "${{ secrets.DOCKER_USERNAME }}" ]]; then
36+ echo "DockerHub build not needed"
37+ echo "enabled=false" >> $GITHUB_OUTPUT
38+ else
39+ echo "DockerHub build needed"
40+ echo "enabled=true" >> $GITHUB_OUTPUT
41+ fi
42+ id : dockerhub
43+
44+ - name : Set up QEMU
45+ uses : docker/setup-qemu-action@v3
46+
47+ - name : Set up Docker Buildx
48+ uses : docker/setup-buildx-action@v3
49+
50+ - name : Log in to Docker Hub
51+ uses : docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
52+ # Only login to the Docker Hub if the repo is mintplex/anythingllm, to allow for forks to build on GHCR
53+ if : steps.dockerhub.outputs.enabled == 'true'
54+ with :
55+ username : ${{ secrets.DOCKER_USERNAME }}
56+ password : ${{ secrets.DOCKER_PASSWORD }}
57+
58+ - name : Extract metadata (tags, labels) for Docker
59+ id : meta
60+ uses : docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
61+ with :
62+ images : |
63+ ${{ steps.dockerhub.outputs.enabled == 'true' && 'mintplexlabs/anythingllm' || '' }}
64+ tags : |
65+ type=raw,value=pg
66+
67+ - name : Build and push multi-platform Docker image
68+ uses : docker/build-push-action@v6
69+ with :
70+ context : .
71+ file : ./docker/Dockerfile
72+ push : true
73+ sbom : true
74+ provenance : mode=max
75+ platforms : linux/amd64,linux/arm64
76+ tags : ${{ steps.meta.outputs.tags }}
77+ labels : ${{ steps.meta.outputs.labels }}
78+ cache-from : type=gha
79+ cache-to : type=gha,mode=max
80+ build-args : |
81+ "STORAGE_DIR=/storage"
82+
83+ # For Docker scout there are some intermediary reported CVEs which exists outside
84+ # of execution content or are unreachable by an attacker but exist in image.
85+ # We create VEX files for these so they don't show in scout summary.
86+ - name : Collect known and verified CVE exceptions
87+ id : cve-list
88+ run : |
89+ # Collect CVEs from filenames in vex folder
90+ CVE_NAMES=""
91+ for file in ./docker/vex/*.vex.json; do
92+ [ -e "$file" ] || continue
93+ filename=$(basename "$file")
94+ stripped_filename=${filename%.vex.json}
95+ CVE_NAMES+=" $stripped_filename"
96+ done
97+ echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
98+ shell : bash
99+
100+ # About VEX attestations https://docs.docker.com/scout/explore/exceptions/
101+ # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
102+ - name : Add VEX attestations
103+ env :
104+ CVE_EXCEPTIONS : ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
105+ run : |
106+ echo $CVE_EXCEPTIONS
107+ curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
108+ for cve in $CVE_EXCEPTIONS; do
109+ for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
110+ echo "Attaching VEX exception $cve to $tag"
111+ docker scout attestation add \
112+ --file "./docker/vex/$cve.vex.json" \
113+ --predicate-type https://openvex.dev/ns/v0.2.0 \
114+ $tag
115+ done
116+ done
117+ shell : bash
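Review bot: The `curl … | sh -s --` at line 107 installs docker scout from the unpinned `main` branch of docker/scout-cli with no checksum, and at that point the job is already logged in to Docker Hub (line 50) and holds `packages: write` (line 25), so whatever that script contains on a given day runs with push rights on every build of the `pg` branch. Fetch it from a fixed tag or commit and verify it before executing, e.g. `curl -sSfL "https://raw.githubusercontent.com/docker/scout-cli/<PINNED_REF>/install.sh" -o install.sh`, `echo "<EXPECTED_SHA256>  install.sh" | sha256sum -c -`, `sh ./install.sh` (placeholders to be filled from the release you pin). The same concern applies to the tag-only action references at lines 29, 45, 48 and 68, which do not match the full-SHA pins used at lines 51 and 60; pinning all of them to a commit SHA with a `# vN` comment alongside keeps the file consistent. Separately, the double quotes around `${{ join(...) }}` at line 109 make the `for tag` loop run once over the whole space-joined list and rely on the unquoted `$tag` at line 114 to word-split it, which works for the single `pg` tag produced here but would break the "Attaching … to $tag" message and any tag containing a space if more tags are added.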