Build Node Images #12
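---
# Builds the Node + Maven + JDK images listed in versions/versions.json (all of
# them on push, or one entry when dispatched manually), pushes them to Docker
# Hub and GHCR, scans the pushed image with Trivy, then regenerates README.md
# and the Docker Hub description from the same versions file.
name: Build Node Images

on:
  push:
    branches:
      - master
    paths:
      - 'Dockerfile'
      - 'versions/**'
      - '.github/workflows/build.yml'
  workflow_dispatch:
    inputs:
      version:
        description: 'Specific version to build (e.g., node22-jdk21), or "all"'
        required: false
        default: 'all'

# Least privilege for GITHUB_TOKEN by default; jobs below raise only the
# scopes they actually need.
permissions:
  contents: read

# Queue (never cancel) overlapping runs on the same ref so two README commits
# from concurrent runs cannot race each other on `git push`.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

env:
  DOCKER_HUB_IMAGE: ringcentral/node
  GHCR_IMAGE: ghcr.io/ringcentral-docker/node
  BASE_OS: noble

jobs:
  # Computes the build matrix from versions/versions.json.
  prepare:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@v4
      - name: Generate build matrix
        id: set-matrix
        # The dispatch input reaches the shell only as an environment variable,
        # never interpolated with ${{ }} into the script body, so its value
        # cannot alter the script (expression injection).
        env:
          REQUESTED_VERSION: ${{ github.event.inputs.version }}
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && "${REQUESTED_VERSION}" != "all" ]]; then
            MATRIX=$(jq -c --arg v "${REQUESTED_VERSION}" \
              '{include: [.versions[] | select(.name == $v)]}' versions/versions.json)
          else
            MATRIX=$(jq -c '{include: .versions}' versions/versions.json)
          fi
          # An unknown version name would otherwise produce an empty matrix and
          # a confusing failure in the build job; fail here with a clear message.
          if [[ "$(jq '.include | length' <<< "${MATRIX}")" -eq 0 ]]; then
            echo "::error::Build matrix is empty: no entry in versions/versions.json matched"
            exit 1
          fi
          echo "matrix=${MATRIX}" >> "${GITHUB_OUTPUT}"

  # Builds, pushes and scans one image per matrix entry.
  build:
    needs: prepare
    runs-on: ubuntu-latest
    permissions:
      contents: read          # actions/checkout
      packages: write         # push to GHCR
      security-events: write  # upload Trivy SARIF to the Security tab
    strategy:
      matrix: ${{ fromJson(needs.prepare.outputs.matrix) }}
      fail-fast: false
    steps:
      - uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate Docker tags
        id: meta
        # Matrix values originate from versions.json; hand them to the shell as
        # environment variables instead of splicing ${{ }} into the script.
        # DOCKER_HUB_IMAGE / GHCR_IMAGE are already exported from the workflow
        # `env` block.
        env:
          NODE_VER: ${{ matrix.node_version }}
          NODE_MAJ: ${{ matrix.node_major }}
          JDK_VER: ${{ matrix.jdk_version }}
          IS_LATEST: ${{ matrix.is_latest }}
        run: |
          TAGS=""
          for REGISTRY in "${DOCKER_HUB_IMAGE}" "${GHCR_IMAGE}"; do
            # Always add version-specific tags
            TAGS="${TAGS}${REGISTRY}:${NODE_VER}-jdk${JDK_VER},"
            TAGS="${TAGS}${REGISTRY}:${NODE_MAJ}-jdk${JDK_VER},"
            # Add simple tags for latest
            if [[ "${IS_LATEST}" == "true" ]]; then
              TAGS="${TAGS}${REGISTRY}:${NODE_VER},"
              TAGS="${TAGS}${REGISTRY}:${NODE_MAJ},"
              TAGS="${TAGS}${REGISTRY}:latest,"
            fi
          done
          # Strip the trailing comma left by the loop.
          echo "tags=${TAGS%,}" >> "${GITHUB_OUTPUT}"
      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          build-args: |
            NODE_VERSION=${{ matrix.node_version }}
            MAVEN_TAG=${{ matrix.maven_tag }}
          cache-from: type=gha,scope=${{ matrix.name }}
          cache-to: type=gha,mode=max,scope=${{ matrix.name }}
      - name: Run Trivy vulnerability scanner
        if: steps.build.outcome == 'success'
        # NOTE(review): this scans the image after it has already been pushed,
        # and with Trivy's default exit code the step never fails the job, so
        # findings are reported to the Security tab but do not block
        # publication. Scanning before push would require loading a
        # single-platform build first.
        # Pinned to a release tag rather than a moving branch so a compromised
        # or changed upstream ref cannot silently alter what runs here.
        # TODO(security): pin to the full commit SHA of that release.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.DOCKER_HUB_IMAGE }}:${{ matrix.node_version }}-jdk${{ matrix.jdk_version }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: steps.build.outcome == 'success'
        with:
          sarif_file: 'trivy-results.sarif'
          # Each matrix entry uploads its own SARIF for the same commit; without
          # a distinct category the uploads replace one another and only one
          # image's findings remain visible.
          category: trivy-${{ matrix.name }}

  # Regenerates README.md from versions.json and syncs it to Docker Hub.
  update-readme:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write  # commit and push README.md
    steps:
      - uses: actions/checkout@v4
      - name: Generate README from versions.json
        # Registry names are read from the exported workflow env vars; the
        # heredoc delimiters are quoted so the README text is taken literally.
        run: |
          cat > README.md << 'HEADER'
          # Node + Maven + JDK Docker Images
          Multi-platform Node.js Docker images with Maven and JDK included.
          ## Supported Platforms
          - linux/amd64
          - linux/arm64
          ## Available Images
          | Name | Node | JDK | Docker Hub | GitHub Package |
          |------|------|-----|------------|----------------|
          HEADER
          jq -r --arg hub "${DOCKER_HUB_IMAGE}" \
                --arg ghcr "${GHCR_IMAGE}" \
            '.versions[] |
             "| \(.name) | \(.node_version) | \(.jdk_version) | `\($hub):\(.node_version)-jdk\(.jdk_version)` | `\($ghcr):\(.node_version)-jdk\(.jdk_version)` |"
            ' versions/versions.json >> README.md
          cat >> README.md << 'FOOTER'
          ## Usage
          ```bash
          docker pull ringcentral/node:22-jdk21
          docker run -it ringcentral/node:22-jdk21 node --version
          ```
          ## Build Locally
          ```bash
          docker build \
            --build-arg NODE_VERSION=22.22.2 \
            --build-arg MAVEN_TAG=3.9.15-jdk21.0.10-noble \
            -t my-node:22-jdk21 .
          ```
          ## License
          MIT License
          FOOTER
      - name: Commit README
        # README.md is excluded from the push path filter above, so this commit
        # does not retrigger the workflow.
        run: |
          git config --global user.name 'github-actions[bot]'
          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
          git add README.md
          if git diff --staged --quiet; then
            echo "No changes to commit"
          else
            git commit -m "docs: update README with Docker image info"
            git push
          fi
      - name: Update Docker Hub Description
        uses: peter-evans/dockerhub-description@v4
        continue-on-error: true
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
          # Same value as the image pushed above; kept in one place.
          repository: ${{ env.DOCKER_HUB_IMAGE }}
          readme-filepath: ./README.md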