bump deps (#6041) #3487

Workflow file for this run

.github/workflows/push-docker.yml at 61280f7

	name: Push Docker Image with VersionNumber

	on:
	workflow_dispatch:
	push:
	branches:
	- master
	- main
	- V2-master
	- testMain

	# cancel in-progress jobs if a new job is triggered
	# This is useful to avoid running multiple builds for the same branch if a new commit is pushed
	# or a pull request is updated.
	# It helps to save resources and time by ensuring that only the latest commit is built and tested
	# This is particularly useful for long-running jobs that may take a while to complete.
	# The `group` is set to a combination of the workflow name, event name, and branch name.
	# This ensures that jobs are grouped by the workflow and branch, allowing for cancellation of
	# in-progress jobs when a new commit is pushed to the same branch or a new pull request is opened.
	concurrency:
	group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref_name \|\| github.ref }}
	cancel-in-progress: true

	permissions:
	contents: read

	jobs:
	push:
	if: ${{ vars.CI_PROFILE != 'lite' }}
	runs-on: ubuntu-24.04-8core
	permissions:
	packages: write
	id-token: write
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
	with:
	egress-policy: audit

	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

	- name: Set up JDK 25
	uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
	with:
	java-version: "25"
	distribution: "temurin"

	- name: Cache Gradle dependencies
	uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
	with:
	path: \|
	~/.gradle/caches
	~/.gradle/wrapper
	key: gradle-${{ runner.os }}-${{ hashFiles('**/gradle/wrapper/gradle-wrapper.properties') }}
	restore-keys: \|
	gradle-${{ runner.os }}-

	- name: Setup Gradle
	uses: gradle/actions/setup-gradle@f29f5a9d7b09a7c6b29859002d29d24e1674c884 # v5.0.1
	with:
	gradle-version: 9.3.1

	- name: Set up Docker Buildx
	id: buildx
	uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

	- name: Get version number
	id: versionNumber
	run: echo "versionNumber=$(./gradlew printVersion --quiet \| tail -1)" >> $GITHUB_OUTPUT
	env:
	MAVEN_USER: ${{ secrets.MAVEN_USER }}
	MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
	MAVEN_PUBLIC_URL: ${{ secrets.MAVEN_PUBLIC_URL }}

	- name: Install cosign
	if: github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/V2-master'
	uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
	with:
	cosign-release: "v2.4.1"

	- name: Install cosign
	if: github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/V2-master'
	uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
	with:
	cosign-release: "v2.4.1"

	- name: Login to Docker Hub
	uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
	with:
	username: ${{ secrets.DOCKER_HUB_USERNAME }}
	password: ${{ secrets.DOCKER_HUB_API }}

	- name: Login to GitHub Container Registry
	uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ github.token }}

	- name: Set up QEMU
	uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0

	- name: Convert repository owner to lowercase
	id: repoowner
	run: echo "lowercase=$(echo ${{ github.repository_owner }} \| awk '{print tolower($0)}')" >> $GITHUB_OUTPUT

	- name: Generate tags for latest
	id: meta
	uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
	with:
	images: \|
	${{ secrets.DOCKER_HUB_USERNAME }}/s-pdf
	ghcr.io/${{ steps.repoowner.outputs.lowercase }}/s-pdf
	ghcr.io/${{ steps.repoowner.outputs.lowercase }}/stirling-pdf
	${{ secrets.DOCKER_HUB_ORG_USERNAME }}/stirling-pdf
	tags: \|
	type=raw,value=${{ steps.versionNumber.outputs.versionNumber }},enable=${{ github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/V2-master' }}
	type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/V2-master' }}
	type=raw,value=alpha,enable=${{ github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/testMain' }}

	- name: Build and push Unified Dockerfile (latest variant)
	id: build-push-latest
	uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
	with:
	builder: ${{ steps.buildx.outputs.name }}
	context: .
	file: ./docker/embedded/Dockerfile
	push: true
	cache-from: type=gha,scope=stirling-pdf-latest
	cache-to: type=gha,mode=max,scope=stirling-pdf-latest
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	build-args: \|
	VERSION_TAG=${{ steps.versionNumber.outputs.versionNumber }}
	BASE_VERSION=1.0.0
	platforms: linux/amd64,linux/arm64/v8
	provenance: true
	sbom: true

	- name: Sign regular images
	if: github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/V2-master'
	env:
	DIGEST: ${{ steps.build-push-latest.outputs.digest }}
	TAGS: ${{ steps.meta.outputs.tags }}
	COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	run: \|
	echo "$TAGS" \| tr ',' '\n' \| while read -r tag; do
	cosign sign --yes \
	--key env://COSIGN_PRIVATE_KEY \
	"${tag}@${DIGEST}"
	done

	- name: Generate tags for latest-fat
	id: meta-fat
	uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
	if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/testMain'
	with:
	images: \|
	${{ secrets.DOCKER_HUB_USERNAME }}/s-pdf
	ghcr.io/${{ steps.repoowner.outputs.lowercase }}/s-pdf
	ghcr.io/${{ steps.repoowner.outputs.lowercase }}/stirling-pdf
	${{ secrets.DOCKER_HUB_ORG_USERNAME }}/stirling-pdf
	tags: \|
	type=raw,value=${{ steps.versionNumber.outputs.versionNumber }}-fat,enable=${{ github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/V2-master' }}
	type=raw,value=latest-fat,enable=${{ github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/V2-master' }}

	- name: Build and push Unified Dockerfile (fat variant)
	id: build-push-fat
	uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
	if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/testMain'
	with:
	builder: ${{ steps.buildx.outputs.name }}
	context: .
	file: ./docker/embedded/Dockerfile.fat
	push: true
	cache-from: type=gha,scope=stirling-pdf-fat
	cache-to: type=gha,mode=max,scope=stirling-pdf-fat
	tags: ${{ steps.meta-fat.outputs.tags }}
	labels: ${{ steps.meta-fat.outputs.labels }}
	build-args: VERSION_TAG=${{ steps.versionNumber.outputs.versionNumber }}
	platforms: linux/amd64,linux/arm64/v8
	provenance: true
	sbom: true

	- name: Sign fat images
	if: github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/V2-master'
	env:
	DIGEST: ${{ steps.build-push-fat.outputs.digest }}
	TAGS: ${{ steps.meta-fat.outputs.tags }}
	COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	run: \|
	echo "$TAGS" \| tr ',' '\n' \| while read -r tag; do
	cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${tag}@${DIGEST}"
	done

	- name: Generate tags for ultra-lite
	id: meta-lite
	uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
	if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/testMain'
	with:
	images: \|
	${{ secrets.DOCKER_HUB_USERNAME }}/s-pdf
	ghcr.io/${{ steps.repoowner.outputs.lowercase }}/s-pdf
	ghcr.io/${{ steps.repoowner.outputs.lowercase }}/stirling-pdf
	${{ secrets.DOCKER_HUB_ORG_USERNAME }}/stirling-pdf
	tags: \|
	type=raw,value=${{ steps.versionNumber.outputs.versionNumber }}-ultra-lite,enable=${{ github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/V2-master' }}
	type=raw,value=latest-ultra-lite,enable=${{ github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/V2-master' }}

	- name: Build and push Unified Dockerfile (ultra-lite variant)
	id: build-push-lite
	uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
	if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/testMain'
	with:
	builder: ${{ steps.buildx.outputs.name }}
	context: .
	file: ./docker/embedded/Dockerfile.ultra-lite
	push: true
	cache-from: type=gha,scope=stirling-pdf-ultra-lite
	cache-to: type=gha,mode=max,scope=stirling-pdf-ultra-lite
	tags: ${{ steps.meta-lite.outputs.tags }}
	labels: ${{ steps.meta-lite.outputs.labels }}
	build-args: VERSION_TAG=${{ steps.versionNumber.outputs.versionNumber }}
	platforms: linux/amd64,linux/arm64/v8
	provenance: true
	sbom: true

	- name: Sign ultra-lite images
	if: github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/V2-master'
	env:
	DIGEST: ${{ steps.build-push-lite.outputs.digest }}
	TAGS: ${{ steps.meta-lite.outputs.tags }}
	COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	run: \|
	echo "$TAGS" \| tr ',' '\n' \| while read -r tag; do
	cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${tag}@${DIGEST}"
	done

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

bump deps (#6041) #3487

Workflow file

bump deps (#6041) #3487

Uh oh!

Workflow file for this run