name: Weekly rebuild on: schedule: - cron: '0 4 * * 1' workflow_dispatch: env: IMAGE_NAME: rusian/yt-local GRYPE_VERSION: "0.112.0" PLATFORMS: linux/amd64,linux/arm64 jobs: docker: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up QEMU uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Set up Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Login to Docker Hub uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: username: ${{ secrets.DOCKER_REGISTRY_USER }} password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} - name: Extract metadata id: meta uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ env.IMAGE_NAME }} tags: | type=sha,prefix= type=raw,value=latest - name: Build image for scan (amd64 only) uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: . load: true tags: ${{ env.IMAGE_NAME }}:scan - name: Install Grype run: | tarball="grype_${GRYPE_VERSION}_linux_amd64.tar.gz" base="https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}" curl -sSfL -o "$tarball" "$base/$tarball" curl -sSfL -o checksums.txt "$base/grype_${GRYPE_VERSION}_checksums.txt" grep " $tarball\$" checksums.txt | sha256sum --check --strict - tar -xzf "$tarball" -C /usr/local/bin grype grype version - name: Scan image for vulnerabilities run: | grype "${IMAGE_NAME}:scan" --output table grype "${IMAGE_NAME}:scan" --only-fixed --fail-on critical -q - name: Build and push (multi-platform) uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: . platforms: ${{ env.PLATFORMS }} push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }}