build: improve build config

Author: sebthom

.dockerignore

@@ -1,7 +1,13 @@
 *.md
 *.txt
+.actrc
+.dockerignore
+.editorconfig
+.gitattributes
+.gitignore
 .github/
 .shared/.*
 .shared/*.md
 .shared/*.txt
-example
+example
+image/Dockerfile

.editorconfig

@@ -9,7 +9,7 @@ end_of_line = lf
 insert_final_newline = true
 trim_trailing_whitespace = true
 indent_style = space
-indent_size = 3
+indent_size = 2
 
 [*.{bat,cmd}]
 end_of_line = crlf

.gitattributes

@@ -60,6 +60,8 @@
 *.php        text
 *.python     text
 *.sql        text
+**/Dockerfile text eol=lf
+**/*.Dockerfile text eol=lf
 
 
 # Archives

.github/dependabot.yml

@@ -1,17 +1,17 @@
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
 version: 2
 updates:
-  - package-ecosystem: github-actions
-    directory: /
-    schedule:
-      interval: weekly
-      day: monday
-      time: "09:00"
-    commit-message:
-      prefix: fix
-      prefix-development: chore
-      include: scope
-    labels:
-      - pinned
-      - dependencies
-      - gha
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: weekly
+    day: monday
+    time: "14:00"
+  commit-message:
+    prefix: ci
+    prefix-development: ci
+    include: scope
+  labels:
+  - dependencies
+  - gha
+  - pinned

.github/workflows/build.yml

@@ -3,28 +3,33 @@
 # SPDX-License-Identifier: Apache-2.0
 # SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-graalvm-maven
 #
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
 name: Build
 
 on:
   push:
-    branches:    # build all branches
-    - '**'
-    tags-ignore: # but don't build tags
+    branches-ignore:  # build all branches except:
+    - 'dependabot/**'  # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR)
+    tags-ignore:  # don't build tags
     - '**'
     paths-ignore:
-    - '**/*.adoc'
     - '**/*.md'
     - '.editorconfig'
     - '.git*'
     - '.github/*.yml'
     - '.github/workflows/stale.yml'
-  schedule:
-    # https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows
-    - cron: '0 4 * * */3' # At 04:00 on every 3rd day-of-week
   pull_request:
+    paths-ignore:
+    - '**/*.md'
+    - '.editorconfig'
+    - '.git*'
+    - '.github/*.yml'
+    - '.github/workflows/stale.yml'
+  schedule:
+    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
+    - cron: '0 17 * * 3'
   workflow_dispatch:
-    # https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
+    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow_dispatch
     inputs:
       GRAALVM_VERSION:
         description: 'GraalVM Version'
@@ -36,14 +41,21 @@ defaults:
     shell: bash
 
 env:
-  DOCKER_IMAGE_REPO: vegardit/graalvm-maven
+  DOCKER_REPO_NAME: graalvm-maven
   TRIVY_CACHE_DIR: ~/.trivy/cache
 
 jobs:
+
+  ###########################################################
   build:
-    runs-on: ubuntu-latest
+  ###########################################################
+    runs-on: ubuntu-latest  # https://github.com/actions/runner-images#available-images
+    timeout-minutes: 20
     continue-on-error: ${{ matrix.experimental }}
 
+    permissions:
+      packages: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -67,22 +79,47 @@ jobs:
           experimental: true
 
     steps:
-    - name: Show environment variables
+    - name: "Show: GitHub context"
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github) }}
+      run: echo $GITHUB_CONTEXT
+
+
+    - name: "Show: environment variables"
       run: env | sort
 
+
     - name: Git Checkout
-      uses: actions/checkout@v4 #https://github.com/actions/checkout
+      uses: actions/checkout@v4  # https://github.com/actions/checkout
+
+
+    - name: Run the sh-checker
+      uses: luizm/action-sh-checker@master  # https://github.com/marketplace/actions/sh-checker
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        SHFMT_OPTS: --simplify --keep-padding
+      with:
+         sh_checker_comment: true
+         sh_checker_checkbashisms_enable: true
+         sh_checker_shfmt_disable: true
+
+
+    - name: Check Dockerfile
+      uses: hadolint/[email protected]
+      with:
+        dockerfile: image/Dockerfile
+
 
     - name: Cache trivy cache
       uses: actions/cache@v4
-      if: env.ACT != 'true' # https://github.com/nektos/act#skipping-steps
       with:
         path: ${{ env.TRIVY_CACHE_DIR }}
         # https://github.com/actions/cache/issues/342#issuecomment-673371329
         key: ${{ runner.os }}-trivy-${{ github.run_id }}
         restore-keys: |
           ${{ runner.os }}-trivy-
 
+
     - name: Cache local Maven repository
       uses: actions/cache@v4
       if: env.ACT != 'true' # https://github.com/nektos/act#skipping-steps
@@ -92,32 +129,60 @@ jobs:
         restore-keys: |
           ${{ runner.os }}-mvnrepo-
 
+
     - name: Configure fast APT repository mirror
       uses: vegardit/fast-apt-mirror.sh@v1
 
+
     - name: Install dos2unix
       run: sudo apt-get install --no-install-recommends -y dos2unix
 
-    - name: Build ${{ env.DOCKER_IMAGE_REPO }}:${{ matrix.GRAALVM_VERSION }}-java${{ matrix.GRAALVM_JAVA_VERSION }}
+
+    - name: "Determine if docker images shall be published"
+      id: docker_push_actions
+      run: |
+        # ACT -> https://nektosact.com/usage/index.html#skipping-steps
+        set -x
+        if [[ $GITHUB_REF_NAME == 'main' && $GITHUB_EVENT_NAME != 'pull_request' && -z "$ACT" ]]; then
+          echo "DOCKER_PUSH_GHCR=true" >> "$GITHUB_ENV"
+          echo "DOCKER_PUSH_GHCR=true" >> $GITHUB_OUTPUT
+          if [[ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ]]; then
+            echo "DOCKER_PUSH=true" >> "$GITHUB_ENV"
+          fi
+        fi
+
+
+    - name: Login to docker.io
+      if: ${{ env.DOCKER_PUSH }}
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKER_HUB_USERNAME }}
+        password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+
+    - name: Login to ghcr.io
+      if: ${{ env.DOCKER_PUSH_GHCR }}
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+
+    - name: Build ${{ env.DOCKER_REPO_NAME }}:${{ matrix.GRAALVM_VERSION }}-java${{ matrix.GRAALVM_JAVA_VERSION }}
       env:
-        DOCKER_REGISTRY: docker.io
-        DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
-        DOCKER_REGISTRY_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
-        GITHUB_TOKEN: ${{ github.token }}
+        DOCKER_BASE_IMAGE: ghcr.io/dockerhub-mirror/debian:stable-slim
+        DOCKER_IMAGE_REPO: ${{ github.repository_owner }}/${{ env.DOCKER_REPO_NAME }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         GRAALVM_VERSION: ${{ matrix.GRAALVM_VERSION }}
         GRAALVM_JAVA_VERSION: ${{ matrix.GRAALVM_JAVA_VERSION }}
-        TRIVY_GITHUB_TOKEN: ${{ github.token }}
-      run: |
-        set -eu
-        if [[ $GITHUB_REF_NAME == "main" && $GITHUB_EVENT_NAME != "pull_request" && ${ACT:-} != "true" ]]; then
-          export DOCKER_PUSH=1
-          echo "$DOCKER_REGISTRY_TOKEN" | docker login -u="$DOCKER_REGISTRY_USERNAME" "$DOCKER_REGISTRY" --password-stdin
-        fi
-        bash build-image.sh
+        TRIVY_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: bash build-image.sh
+
 
-    - name: Test ${{ env.DOCKER_IMAGE_REPO }}:${{ matrix.GRAALVM_VERSION }}-java${{ matrix.GRAALVM_JAVA_VERSION }}
+    - name: Test ${{ env.DOCKER_REPO_NAME }}:${{ matrix.GRAALVM_VERSION }}-java${{ matrix.GRAALVM_JAVA_VERSION }}
       run: |
-        docker run --rm -t ${{ env.DOCKER_IMAGE_REPO }}:${{ matrix.GRAALVM_VERSION }}-java${{ matrix.GRAALVM_JAVA_VERSION }} /bin/bash -c "
+        docker run --rm -t ${{ github.repository_owner }}/${{ env.DOCKER_REPO_NAME }}:${{ matrix.GRAALVM_VERSION }}-java${{ matrix.GRAALVM_JAVA_VERSION }} /bin/bash -c "
           cd /tmp
           echo 'class HelloWorld { public static void main(String[] args) { System.out.println(\"HelloWorld!\"); }}' > HelloWorld.java
           javac HelloWorld.java
@@ -131,42 +196,40 @@ jobs:
           ./helloworld
         "
 
-    - name: Test ${{ env.DOCKER_IMAGE_REPO }}:${{ matrix.GRAALVM_VERSION }}-java${{ matrix.GRAALVM_JAVA_VERSION }} via Maven
+    - name: Test ${{ env.DOCKER_REPO_NAME }}:${{ matrix.GRAALVM_VERSION }}-java${{ matrix.GRAALVM_JAVA_VERSION }} via Maven
       env:
-        RUN_IN_DOCKER_IMAGE: ${{ env.DOCKER_IMAGE_REPO }}:${{ matrix.GRAALVM_VERSION }}-java${{ matrix.GRAALVM_JAVA_VERSION }}
-      if: ${{ !env.ACT }} # https://github.com/nektos/act#skipping-steps
+        RUN_IN_DOCKER_IMAGE: ${{ github.repository_owner }}/${{ env.DOCKER_REPO_NAME }}:${{ matrix.GRAALVM_VERSION }}-java${{ matrix.GRAALVM_JAVA_VERSION }}
       run: |
         set -eux
         bash example/tools/run-in-docker.sh mvn clean package
         bash example/tools/run-in-docker.sh bash -c target/example
 
-    - name: Publish Docker image to GH registry
-      if: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }} # https://github.com/nektos/act#skipping-steps
-      run: |
-        set -eux
-
-        echo "${{ github.token }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
+    outputs:
+      DOCKER_PUSH_GHCR: ${{ steps.docker_push_actions.outputs.DOCKER_PUSH_GHCR }}
 
-        image_name="$DOCKER_IMAGE_REPO:${{ matrix.GRAALVM_VERSION }}-java${{ matrix.GRAALVM_JAVA_VERSION }}"
-        docker image tag $image_name ghcr.io/$image_name
-        docker push ghcr.io/$image_name
 
-  purge-untagged-images:
-    runs-on: ubuntu-latest
+  ###########################################################
+  delete-untagged-images:
+  ###########################################################
+    runs-on: ubuntu-latest  # https://github.com/actions/runner-images#available-images
+    timeout-minutes: 5
     needs: [build]
+    if: ${{ needs.build.outputs.DOCKER_PUSH_GHCR }}
+
+    concurrency:
+      group: ${{ github.workflow }}
+      cancel-in-progress: false
+      
+    permissions:
+      packages: write
+
     steps:
     - name: Delete untagged images
-      uses: actions/github-script@v7
-      if: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }} # https://github.com/nektos/act#skipping-steps
+      uses: dataaxiom/ghcr-cleanup-action@v1
       with:
-        github-token: ${{ secrets.GHA_DELETE_PACKAGES }}
-        script: |
-          const imageName = /[^/]*$/.exec(process.env.DOCKER_IMAGE_REPO)[0]
-          const basePath = `/orgs/${{ github.repository_owner }}/packages/container/${imageName}/versions`
-          for (version of (await github.request(`GET ${basePath}`, { per_page: 100 })).data) {
-            if (version.metadata.container.tags.length == 0) {
-              console.log(`deleting ${version.name}...`)
-              const delResponse = await github.request(`DELETE ${basePath}/${version.id}`)
-              console.log(`status: ${delResponse.status}`)
-            }
-          }
+        package: ${{ env.DOCKER_REPO_NAME }}
+        delete-untagged: true
+        delete-partial-images: true
+        delete-ghost-images: true
+        delete-orphaned-images: true
+        validate: true

.github/workflows/stale.yml

@@ -1,18 +1,13 @@
-# SPDX-FileCopyrightText: © Sebastian Thomschke and contributors
-# SPDX-License-Identifier: AGPL-3.0-or-later
-# SPDX-ArtifactOfProjectHomePage: https://github.com/Second-Hand-Friends/kleinanzeigen-bot/
-#
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
 name: Stale issues
 
 on:
   schedule:
-    - cron: '0 16 * * *'
+    - cron: '0 16 * * 1'
   workflow_dispatch:
     # https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
 
 permissions:
-  contents: write # only for delete-branch option
   issues: write
   pull-requests: write
 
@@ -42,7 +37,7 @@ jobs:
           pinned
           security
 
-    - name: Run stale action
+    - name: Run stale action (for enhancements)
       uses: actions/stale@v9  # https://github.com/actions/stale
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -14,16 +14,16 @@ bin/
 **/.*.md.html
 
 # IntelliJ
-.idea
-*.iml
-*.ipr
-*.iws
+/.idea
+/*.iml
+/*.ipr
+/*.iws
 
 # NetBeans
 nb-configuration.xml
 
 # Visual Studio Code
-.vscode
+/.vscode
 
 # OSX
 .DS_Store
@@ -35,3 +35,6 @@ nb-configuration.xml
 # patch
 *.orig
 *.rej
+
+# nektos/act
+.actrc