chore(deps): bump brace-expansion to 5.0.6 in Docker images (GHSA-jxx… #2517
| name: Build seed containers | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - "docker/seed/*" | |
| - ".github/workflows/seed-dockers.yml" | |
| workflow_dispatch: | |
| inputs: | |
| all: | |
| description: Rebuild all seed containers | |
| type: boolean | |
| default: false | |
| ts: | |
| description: Rebuild TypeScript seed container | |
| type: boolean | |
| default: false | |
| java: | |
| description: Rebuild Java seed container | |
| type: boolean | |
| default: false | |
| python: | |
| description: Rebuild Python seed container | |
| type: boolean | |
| default: false | |
| csharp: | |
| description: Rebuild C# seed container | |
| type: boolean | |
| default: false | |
| php: | |
| description: Rebuild PHP seed container | |
| type: boolean | |
| default: false | |
| go: | |
| description: Rebuild Go seed container | |
| type: boolean | |
| default: false | |
| # Cancel previous workflows on previous push | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| DO_NOT_TRACK: "1" | |
| DOCKER_BUILDKIT: 1 | |
| jobs: | |
| changes: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| ts: ${{ steps.set-output.outputs.ts }} | |
| java: ${{ steps.set-output.outputs.java }} | |
| python: ${{ steps.set-output.outputs.python }} | |
| csharp: ${{ steps.set-output.outputs.csharp }} | |
| php: ${{ steps.set-output.outputs.php }} | |
| go: ${{ steps.set-output.outputs.go }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 2 | |
| fetch-tags: false | |
| - name: Check for ts changes | |
| id: ts | |
| uses: ./.github/actions/check-for-changed-files | |
| with: | |
| files: docker/seed/Dockerfile.ts | |
| - name: Check for java changes | |
| id: java | |
| uses: ./.github/actions/check-for-changed-files | |
| with: | |
| files: docker/seed/Dockerfile.java | |
| - name: Check for python changes | |
| id: python | |
| uses: ./.github/actions/check-for-changed-files | |
| with: | |
| files: docker/seed/Dockerfile.python | |
| - name: Check for csharp changes | |
| id: csharp | |
| uses: ./.github/actions/check-for-changed-files | |
| with: | |
| files: docker/seed/Dockerfile.csharp | |
| - name: Check for php changes | |
| id: php | |
| uses: ./.github/actions/check-for-changed-files | |
| with: | |
| files: docker/seed/Dockerfile.php | |
| - name: Check for go changes | |
| id: go | |
| uses: ./.github/actions/check-for-changed-files | |
| with: | |
| files: docker/seed/Dockerfile.go | |
| - name: Check for workflow changes | |
| id: workflow | |
| uses: ./.github/actions/check-for-changed-files | |
| with: | |
| files: .github/workflows/seed-dockers.yml | |
| - name: Set outputs | |
| id: set-output | |
| run: | | |
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | |
| # Manual run: use inputs to select packages | |
| if [[ "${{ inputs.all }}" == "true" ]]; then | |
| echo "ts=true" >> $GITHUB_OUTPUT | |
| echo "java=true" >> $GITHUB_OUTPUT | |
| echo "python=true" >> $GITHUB_OUTPUT | |
| echo "csharp=true" >> $GITHUB_OUTPUT | |
| echo "php=true" >> $GITHUB_OUTPUT | |
| echo "go=true" >> $GITHUB_OUTPUT | |
| echo "Manual run: rebuilding all images" | |
| else | |
| echo "ts=${{ inputs.ts }}" >> $GITHUB_OUTPUT | |
| echo "java=${{ inputs.java }}" >> $GITHUB_OUTPUT | |
| echo "python=${{ inputs.python }}" >> $GITHUB_OUTPUT | |
| echo "csharp=${{ inputs.csharp }}" >> $GITHUB_OUTPUT | |
| echo "php=${{ inputs.php }}" >> $GITHUB_OUTPUT | |
| echo "go=${{ inputs.go }}" >> $GITHUB_OUTPUT | |
| echo "Manual run: selected images set from inputs" | |
| fi | |
| else | |
| # Push event: use path-based change detection | |
| if [[ "${{ steps.workflow.outputs.any_changed }}" == "true" ]]; then | |
| echo "ts=true" >> $GITHUB_OUTPUT | |
| echo "java=true" >> $GITHUB_OUTPUT | |
| echo "python=true" >> $GITHUB_OUTPUT | |
| echo "csharp=true" >> $GITHUB_OUTPUT | |
| echo "php=true" >> $GITHUB_OUTPUT | |
| echo "go=true" >> $GITHUB_OUTPUT | |
| echo "Workflow changed, rebuilding all images" | |
| else | |
| echo "ts=${{ steps.ts.outputs.any_changed }}" >> $GITHUB_OUTPUT | |
| echo "java=${{ steps.java.outputs.any_changed }}" >> $GITHUB_OUTPUT | |
| echo "python=${{ steps.python.outputs.any_changed }}" >> $GITHUB_OUTPUT | |
| echo "csharp=${{ steps.csharp.outputs.any_changed }}" >> $GITHUB_OUTPUT | |
| echo "php=${{ steps.php.outputs.any_changed }}" >> $GITHUB_OUTPUT | |
| echo "go=${{ steps.go.outputs.any_changed }}" >> $GITHUB_OUTPUT | |
| echo "Set outputs based on individual file changes" | |
| fi | |
| fi | |
| generate-sha: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| sha: ${{ steps.sha.outputs.sha }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - id: sha | |
| run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
| build-ts: | |
| if: ${{ needs.changes.outputs.ts == 'true' }} | |
| strategy: | |
| matrix: | |
| runner: [ubuntu-latest, ubuntu-24.04-arm] | |
| arch: [amd64, arm64] | |
| exclude: | |
| # Avoid building arm64 on amd64 runner and vice versa | |
| - runner: ubuntu-latest | |
| arch: arm64 | |
| - runner: ubuntu-24.04-arm | |
| arch: amd64 | |
| runs-on: ${{ matrix.runner }} | |
| needs: [changes, generate-sha] | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v6 | |
| with: | |
| images: fernapi/ts-seed | |
| tags: | | |
| type=raw,value=${{ needs.generate-sha.outputs.sha }}-${{ matrix.arch }} | |
| type=raw,value=latest-${{ matrix.arch }} | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v4 | |
| with: | |
| username: fernapi | |
| password: ${{ secrets.FERN_API_DOCKERHUB_PASSWORD }} | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v7 | |
| with: | |
| context: . | |
| file: ./docker/seed/Dockerfile.ts | |
| platforms: linux/${{ matrix.arch }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=min | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| build-java: | |
| if: ${{ needs.changes.outputs.java == 'true' }} | |
| strategy: | |
| matrix: | |
| runner: [ubuntu-latest, ubuntu-24.04-arm] | |
| arch: [amd64, arm64] | |
| exclude: | |
| - runner: ubuntu-latest | |
| arch: arm64 | |
| - runner: ubuntu-24.04-arm | |
| arch: amd64 | |
| runs-on: ${{ matrix.runner }} | |
| needs: [changes, generate-sha] | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v6 | |
| with: | |
| images: fernapi/java-seed | |
| tags: | | |
| type=raw,value=${{ needs.generate-sha.outputs.sha }}-${{ matrix.arch }} | |
| type=raw,value=latest-${{ matrix.arch }} | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v4 | |
| with: | |
| username: fernapi | |
| password: ${{ secrets.FERN_API_DOCKERHUB_PASSWORD }} | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v7 | |
| with: | |
| context: . | |
| file: ./docker/seed/Dockerfile.java | |
| platforms: linux/${{ matrix.arch }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=min | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| build-python: | |
| if: ${{ needs.changes.outputs.python == 'true' }} | |
| strategy: | |
| matrix: | |
| runner: [ubuntu-latest, ubuntu-24.04-arm] | |
| arch: [amd64, arm64] | |
| exclude: | |
| - runner: ubuntu-latest | |
| arch: arm64 | |
| - runner: ubuntu-24.04-arm | |
| arch: amd64 | |
| runs-on: ${{ matrix.runner }} | |
| needs: [changes, generate-sha] | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v6 | |
| with: | |
| images: fernapi/python-seed | |
| tags: | | |
| type=raw,value=${{ needs.generate-sha.outputs.sha }}-${{ matrix.arch }} | |
| type=raw,value=latest-${{ matrix.arch }} | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v4 | |
| with: | |
| username: fernapi | |
| password: ${{ secrets.FERN_API_DOCKERHUB_PASSWORD }} | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v7 | |
| with: | |
| context: . | |
| file: ./docker/seed/Dockerfile.python | |
| platforms: linux/${{ matrix.arch }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=min | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| build-csharp: | |
| if: ${{ needs.changes.outputs.csharp == 'true' }} | |
| strategy: | |
| matrix: | |
| runner: [ubuntu-latest, ubuntu-24.04-arm] | |
| arch: [amd64, arm64] | |
| exclude: | |
| - runner: ubuntu-latest | |
| arch: arm64 | |
| - runner: ubuntu-24.04-arm | |
| arch: amd64 | |
| runs-on: ${{ matrix.runner }} | |
| needs: [changes, generate-sha] | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v6 | |
| with: | |
| images: fernapi/csharp-seed | |
| tags: | | |
| type=raw,value=${{ needs.generate-sha.outputs.sha }}-${{ matrix.arch }} | |
| type=raw,value=latest-${{ matrix.arch }} | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v4 | |
| with: | |
| username: fernapi | |
| password: ${{ secrets.FERN_API_DOCKERHUB_PASSWORD }} | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v7 | |
| with: | |
| context: . | |
| file: ./docker/seed/Dockerfile.csharp | |
| platforms: linux/${{ matrix.arch }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=min | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| build-php: | |
| if: ${{ needs.changes.outputs.php == 'true' }} | |
| strategy: | |
| matrix: | |
| runner: [ubuntu-latest, ubuntu-24.04-arm] | |
| arch: [amd64, arm64] | |
| exclude: | |
| - runner: ubuntu-latest | |
| arch: arm64 | |
| - runner: ubuntu-24.04-arm | |
| arch: amd64 | |
| runs-on: ${{ matrix.runner }} | |
| needs: [changes, generate-sha] | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v6 | |
| with: | |
| images: fernapi/php-seed | |
| tags: | | |
| type=raw,value=${{ needs.generate-sha.outputs.sha }}-${{ matrix.arch }} | |
| type=raw,value=latest-${{ matrix.arch }} | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v4 | |
| with: | |
| username: fernapi | |
| password: ${{ secrets.FERN_API_DOCKERHUB_PASSWORD }} | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v7 | |
| with: | |
| context: . | |
| file: ./docker/seed/Dockerfile.php | |
| platforms: linux/${{ matrix.arch }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=min | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| build-go: | |
| if: ${{ needs.changes.outputs.go == 'true' }} | |
| strategy: | |
| matrix: | |
| runner: [ubuntu-latest, ubuntu-24.04-arm] | |
| arch: [amd64, arm64] | |
| exclude: | |
| - runner: ubuntu-latest | |
| arch: arm64 | |
| - runner: ubuntu-24.04-arm | |
| arch: amd64 | |
| runs-on: ${{ matrix.runner }} | |
| needs: [changes, generate-sha] | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v6 | |
| with: | |
| images: fernapi/go-seed | |
| tags: | | |
| type=raw,value=${{ needs.generate-sha.outputs.sha }}-${{ matrix.arch }} | |
| type=raw,value=latest-${{ matrix.arch }} | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v4 | |
| with: | |
| username: fernapi | |
| password: ${{ secrets.FERN_API_DOCKERHUB_PASSWORD }} | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v7 | |
| with: | |
| context: . | |
| file: ./docker/seed/Dockerfile.go | |
| platforms: linux/${{ matrix.arch }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=min | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| merge-manifests: | |
| if: ${{ !cancelled() && (needs.changes.outputs.ts == 'true' || needs.changes.outputs.java == 'true' || needs.changes.outputs.python == 'true' || needs.changes.outputs.csharp == 'true' || needs.changes.outputs.php == 'true' || needs.changes.outputs.go == 'true') }} | |
| needs: [changes, build-ts, build-java, build-python, build-csharp, build-php, build-go, generate-sha] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v4 | |
| with: | |
| username: fernapi | |
| password: ${{ secrets.FERN_API_DOCKERHUB_PASSWORD }} | |
| - name: Build package list | |
| id: build-list | |
| run: | | |
| packages="" | |
| if [[ "${{ needs.changes.outputs.ts }}" == "true" ]]; then | |
| packages+="ts " | |
| fi | |
| if [[ "${{ needs.changes.outputs.java }}" == "true" ]]; then | |
| packages+="java " | |
| fi | |
| if [[ "${{ needs.changes.outputs.python }}" == "true" ]]; then | |
| packages+="python " | |
| fi | |
| if [[ "${{ needs.changes.outputs.csharp }}" == "true" ]]; then | |
| packages+="csharp " | |
| fi | |
| if [[ "${{ needs.changes.outputs.php }}" == "true" ]]; then | |
| packages+="php " | |
| fi | |
| if [[ "${{ needs.changes.outputs.go }}" == "true" ]]; then | |
| packages+="go " | |
| fi | |
| echo "packages=${packages% }" >> $GITHUB_OUTPUT | |
| echo "Building manifests for: ${packages% }" | |
| - name: Create and push manifest | |
| run: | | |
| packages='${{ steps.build-list.outputs.packages }}' | |
| sha='${{ needs.generate-sha.outputs.sha }}' | |
| for package in $packages; do | |
| docker buildx imagetools create -t fernapi/${package}-seed:latest \ | |
| fernapi/${package}-seed:latest-amd64 \ | |
| fernapi/${package}-seed:latest-arm64 | |
| docker buildx imagetools create -t fernapi/${package}-seed:${sha} \ | |
| fernapi/${package}-seed:${sha}-amd64 \ | |
| fernapi/${package}-seed:${sha}-arm64 | |
| done |
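Review bot: The `merge-manifests` job is gated on `!cancelled()` and `needs` all six `build-*` jobs, so a failed build does not stop it, and the `imagetools create` loop in "Create and push manifest" then assembles the `latest` and `${sha}` manifests from whatever `latest-<arch>` / `<sha>-<arch>` tags the registry already holds — for the failed arch that is presumably a stale image from an earlier push (or a missing tag for `${sha}`), publishing a mixed-generation `latest`. Guard it with a result check, e.g. `if: ${{ !cancelled() && !contains(needs.*.result, 'failure') && (…) }}`, or test `needs.build-<pkg>.result == 'success'` alongside `needs.changes.outputs.<pkg>` when appending each package in the "Build package list" step. Separately, the workflow declares no `permissions:` block, so the default `GITHUB_TOKEN` scope applies; since no step needs more than checkout, add `permissions: contents: read` at the top level. The third-party actions are pinned by major tag (`@v4`, `@v6`, `@v7`) rather than by commit SHA; for a workflow that pushes public images with a Docker Hub credential, SHA pinning is the stronger supply-chain posture.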