Skip to content

chore(deps): bump python from 3.12-slim to 3.13-slim in the docker gr… #49

chore(deps): bump python from 3.12-slim to 3.13-slim in the docker gr…

chore(deps): bump python from 3.12-slim to 3.13-slim in the docker gr… #49

Workflow file for this run

name: Release
on:
push:
branches: master
tags:
- 'v*'
paths:
- '.github/workflows/release.yml'
- 'api/*.py'
- 'pyproject.toml'
- 'Dockerfile'
jobs:
release:
name: Release
if: |
github.actor != 'dependabot[bot]' &&
github.actor != 'github-actions[bot]' &&
github.actor != 'protected-auto-commits[bot]'
runs-on: ubuntu-latest
concurrency: release
permissions:
id-token: write
contents: write
issues: write
pull-requests: write
steps:
- name: GitHub App Token
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.GH_APP_ID }}
private-key: ${{ secrets.GH_PRIVATE_KEY }}
- name: Checkout Repo
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
cache: "pip"
- name: Cache Dependencies
uses: actions/cache@v4
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Install Dependencies
run: |
python -m pip install --upgrade pip
pip install python-semantic-release
- name: Setup Git
run: |
git fetch origin
git reset --hard origin/${{ github.ref_name }}
- name: Semantic Release
uses: python-semantic-release/[email protected]
with:
github_token: ${{ steps.app-token.outputs.token }}
docker:
name: Docker
runs-on: ubuntu-latest
permissions:
contents: read
attestations: write
id-token: write
packages: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
needs: release
steps:
- name: GitHub App Token
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.GH_APP_ID }}
private-key: ${{ secrets.GH_PRIVATE_KEY }}
- name: Checkout Repo
uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
token: ${{ steps.app-token.outputs.token }}
- name: Install CoSign
if: github.event_name != 'pull_request'
uses: sigstore/[email protected]
with:
cosign-release: 'v2.4.0'
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract Docker Metadata
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards
ghcr.io/${{ github.repository_owner }}/Wakatime-Leaderboards
tags: |
type=ref,event=branch
type=ref,event=tag
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}.{{minor}}.{{patch}}
- name: Build & Push Docker Image
id: push
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
secrets: |
GITHUB_TOKEN=${{ steps.app-token.outputs.token }}
- name: Sign the published Docker Image
if: ${{ github.event_name != 'pull_request' }}
env:
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.push.outputs.digest }}
run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
- name: Generate Artifact Attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: ghcr.io/${{ github.repository_owner }}/Wakatime-Leaderboards
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
- name: Docker Scout Scan
uses: docker/[email protected]
with:
command: quickview, cves
image: ${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards:master
write-comment: true
github-token: ${{ secrets.GITHUB_TOKEN }}
sarif-file: docker-scout-results.sarif
- name: Upload Scout Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: docker-scout-results
path: docker-scout-results.sarif
cleanup:
runs-on: ubuntu-latest
needs: docker
name: Cleanup
permissions:
contents: read
packages: write
steps:
- name: Checkout Repo
uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: List & Delete Old Docker Hub Tags
run: |
echo "Fetching Docker Hub tags..."
tags=$(curl -s -H "Authorization: Bearer ${{ secrets.DOCKER_TOKEN }}" "https://hub.docker.com/v2/repositories/${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards/tags" | jq -r '.results[].name')
echo "Tags found in Docker Hub:"
echo "$tags"
latest_tag=$(echo "$tags" | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -rV | head -n 1)
echo "Latest semantic version tag is $latest_tag"
for tag in $tags; do
if [[ ! "$tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ || "$tag" != "$latest_tag" ]]; then
echo "Deleting tag $tag from Docker Hub"
curl -X DELETE -H "Authorization: Bearer ${{ secrets.DOCKER_TOKEN }}" "https://hub.docker.com/v2/repositories/${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards/tags/$tag/"
fi
done
- name: Delete Old GHCR Tags
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO_OWNER: ${{ github.repository_owner }}
PACKAGE_NAME: "wakatime-leaderboards"
run: |
echo "Fetching GHCR tags..."
tags=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" \
"https://api.github.com/user/packages/container/$PACKAGE_NAME/versions" | jq -r '.[].metadata.container.tags[]')
echo "Tags found in GHCR:"
echo "$tags"
latest_tag=$(echo "$tags" | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -rV | head -n 1)
echo "Latest semantic version tag is $latest_tag"
for tag in $tags; do
if [[ ! "$tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ || "$tag" != "$latest_tag" ]]; then
echo "Deleting tag $tag from GHCR"
version_id=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" \
"https://api.github.com/user/packages/container/$PACKAGE_NAME/versions" | \
jq -r ".[] | select(.metadata.container.tags[] == \"$tag\") | .id")
if [ -n "$version_id" ]; then
curl -X DELETE -H "Authorization: Bearer $GITHUB_TOKEN" \
"https://api.github.com/user/packages/container/$PACKAGE_NAME/versions/$version_id"
else
echo "Warning: Could not find version ID for tag $tag"
fi
fi
done