pulumi/.github/workflows/container-build.yml
Paul Stack 83406b97f8
Adding the langage SDK specific docker images (#4837)
* [WIP] Adding the langage SDK specific docker images

Fixes: #3789

* add multiple os build

This introduces multiple container images based on different operating systems.
The base build is based on Debian (symlinked from the Dockerfile.debian
build).

We also have UBI-based images and Alpine-based images.

* Adding the langage SDK specific docker images

Fixes: #3789

* remove alpine builds

* test docker readme sync

* fix description

* fix name of sync task

Co-authored-by: Lee Briggs <lee@leebriggs.co.uk>
2020-06-18 01:35:45 +01:00


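# Builds the Pulumi CLI / language SDK container images for Docker Hub and then
# scans a subset of them with Snyk.
#
# Triggered by a `repository_dispatch` event of type `docker-build`; the version
# to build is read from the dispatch payload (`client_payload.ref`).
#
# NOTE(review): every `uses:` below references a mutable ref (`master`,
# `release/v3.beta`, or a version tag). Several of these third-party actions are
# handed DOCKER_HUB_TOKEN or SNYK_TOKEN, so whoever can move those refs can run
# code with access to the credentials. Pin each action to a reviewed full commit
# SHA (e.g. `owner/action@<FULL_COMMIT_SHA>  # vX.Y.Z`) and update it deliberately.
name: pulumi sdk containers build

on:
  repository_dispatch:
    types:
      - docker-build

# Least privilege for the automatically issued GITHUB_TOKEN: the jobs only check
# out the repository; registry and scanner access use dedicated secrets.
permissions:
  contents: read

env:
  # NOTE(review): VERSION is taken verbatim from the dispatch payload and is
  # interpolated into image tags, Docker build args and the Snyk `args` string.
  # Consider validating it against the expected version format before use so a
  # malformed or unexpected payload cannot produce surprising tags or arguments.
  VERSION: ${{ github.event.client_payload.ref }}

jobs:
  # Debian-based base image (CLI only); also tagged `latest`.
  base:
    name: base sdk image build
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    steps:
      - uses: actions/checkout@master
      - name: Build base image
        uses: jaxxstorm/action-docker-build@release/v3.beta
        with:
          repository: pulumi/pulumi-base
          buildkit: true
          username: "pulumibot"
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
          dockerfile: docker/base/Dockerfile
          additional-tags: ${{ env.VERSION }}
          tag-latest: true
          build-args: PULUMI_VERSION=${{ env.VERSION }}
      - name: Sync readme to Docker Hub
        uses: meeDamian/sync-readme@v1.0.6
        with:
          user: "pulumibot"
          pass: ${{ secrets.DOCKER_HUB_TOKEN }}
          slug: pulumi/pulumi-base
          readme: docker/README.md
          description: Pulumi CLI container - bring your own SDK

  # Per-OS variants of the base image, tagged `<VERSION>-<os>`.
  base_os:
    name: os base sdk image build
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        os: ["ubi", "debian"]
    steps:
      - uses: actions/checkout@master
      - name: Build base image
        uses: jaxxstorm/action-docker-build@release/v3.beta
        with:
          repository: pulumi/pulumi-base
          buildkit: true
          username: "pulumibot"
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
          dockerfile: docker/base/Dockerfile.${{ matrix.os }}
          additional-tags: ${{ env.VERSION }}-${{ matrix.os }}
          tag-latest: false
          build-args: PULUMI_VERSION=${{ env.VERSION }}

  # Language SDK images; runs only after the `base` job has finished.
  sdk:
    name: language sdk image
    runs-on: ubuntu-latest
    needs: base
    strategy:
      fail-fast: false
      matrix:
        sdk: ["nodejs", "python", "dotnet", "go"]
    steps:
      - uses: actions/checkout@master
      - name: Build image
        uses: jaxxstorm/action-docker-build@release/v3.beta
        with:
          repository: pulumi/pulumi-${{ matrix.sdk }}
          buildkit: true
          username: "pulumibot"
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
          dockerfile: docker/${{ matrix.sdk }}/Dockerfile
          additional-tags: ${{ env.VERSION }}
          build-args: PULUMI_VERSION=${{ env.VERSION }}
      - name: Sync readme to Docker Hub
        uses: meeDamian/sync-readme@v1.0.6
        with:
          user: "pulumibot"
          pass: ${{ secrets.DOCKER_HUB_TOKEN }}
          slug: pulumi/pulumi-${{ matrix.sdk }}
          readme: docker/README.md
          description: Pulumi CLI container for ${{ matrix.sdk }}

  # Per-OS language SDK images, tagged `<VERSION>-<os>`; runs after `base_os`.
  os_sdk:
    name: os language sdk image
    runs-on: ubuntu-latest
    needs: base_os
    strategy:
      fail-fast: false
      matrix:
        sdk: ["nodejs", "python", "dotnet", "go"]
        os: ["ubi", "debian"]
    steps:
      - uses: actions/checkout@master
      - name: Build image
        uses: jaxxstorm/action-docker-build@release/v3.beta
        with:
          repository: pulumi/pulumi-${{ matrix.sdk }}
          buildkit: true
          username: "pulumibot"
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
          dockerfile: docker/${{ matrix.sdk }}/Dockerfile.${{ matrix.os }}
          additional-tags: ${{ env.VERSION }}-${{ matrix.os }}
          build-args: PULUMI_VERSION=${{ env.VERSION }}

  # Vulnerability scan of the `<VERSION>-<os>` images, failing on findings of
  # severity `high` or above.
  #
  # NOTE(review): this job only runs after `os_sdk`, so the scan looks at images
  # by registry tag after the build jobs have completed (presumably after they
  # were pushed); a finding here does not stop publication. The matrix also
  # covers only the `ubi` variants and omits `dotnet`, and the plain
  # `<VERSION>` / `latest` tags from `base` and `sdk` are not scanned. Confirm
  # that this coverage is intentional.
  image-scan:
    name: scan container images
    runs-on: ubuntu-latest
    needs: os_sdk
    strategy:
      matrix:
        image: ["base", "nodejs", "python", "go"]
        os: ["ubi"]
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check Docker images for vulnerabilities
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: pulumi/pulumi-${{ matrix.image }}:${{ env.VERSION }}-${{ matrix.os }}
          args: >-
            --severity-threshold=high
            --file=docker/${{ matrix.image }}/Dockerfile.${{ matrix.os }}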