name: ci # Default to 'contents: read', which grants actions to read commits. # # If any permission is set, any permission not included in the list is # implicitly set to "none". # # see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true on: workflow_dispatch: push: branches: - 'master' - '[0-9]+.[0-9]+' - '[0-9]+.x' pull_request: env: DESTDIR: ./build SETUP_BUILDX_VERSION: edge SETUP_BUILDKIT_IMAGE: moby/buildkit:latest jobs: validate-dco: uses: ./.github/workflows/.dco.yml build: runs-on: ubuntu-24.04 timeout-minutes: 20 # guardrails timeout for the whole job needs: - validate-dco strategy: fail-fast: false matrix: target: - binary - dynbinary steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Build uses: docker/bake-action@v6 with: targets: ${{ matrix.target }} - name: List artifacts run: | tree -nh ${{ env.DESTDIR }} - name: Check artifacts run: | find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} + prepare-cross: runs-on: ubuntu-24.04 timeout-minutes: 20 # guardrails timeout for the whole job needs: - validate-dco outputs: matrix: ${{ steps.platforms.outputs.matrix }} steps: - name: Checkout uses: actions/checkout@v4 - name: Create matrix id: platforms run: | matrix="$(docker buildx bake binary-cross --print | jq -cr '.target."binary-cross".platforms')" echo "matrix=$matrix" >> $GITHUB_OUTPUT - name: Show matrix run: | echo ${{ steps.platforms.outputs.matrix }} cross: runs-on: ubuntu-24.04 timeout-minutes: 20 # guardrails timeout for the whole job needs: - validate-dco - prepare-cross strategy: fail-fast: false matrix: platform: ${{ fromJson(needs.prepare-cross.outputs.matrix) }} steps: - name: Prepare run: | platform=${{ matrix.platform }} echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Build uses: docker/bake-action@v6 with: targets: all set: | *.platform=${{ matrix.platform }} - name: List artifacts run: | tree -nh ${{ env.DESTDIR }} - name: Check artifacts run: | find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} + govulncheck: runs-on: ubuntu-24.04 timeout-minutes: 120 # guardrails timeout for the whole job permissions: # required to write sarif report security-events: write # required to check out the repository contents: read steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Run uses: docker/bake-action@v6 with: targets: govulncheck env: GOVULNCHECK_FORMAT: sarif - name: Upload SARIF report if: ${{ github.event_name != 'pull_request' && github.repository == 'moby/moby' }} uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ env.DESTDIR }}/govulncheck.out build-dind: runs-on: ubuntu-24.04 needs: - validate-dco steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Build dind image uses: docker/bake-action@v6 with: targets: dind set: | *.output=type=cacheonly