Fix GitHub Actions permissions and workflow configuration

- Simplify workflow structure with explicit job-level permissions - Remove problematic cleanup job that caused permission errors - Use environment variables for better maintainability - Add proper Docker buildx configuration - Implement artifact attestation for security - Fix digest export and artifact naming issues - Optimize caching strategy for different platforms
2025-08-29 04:23:13 +00:00 · 2025-08-29 04:23:13 +00:00 · 8bf71ff139
parent 32b9521030
commit 8bf71ff139
1 changed files with 62 additions and 53 deletions
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@ -17,54 +17,65 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
-  packages: write
-  actions: read
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}

 jobs:
-  build:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
    strategy:
+      fail-fast: false
      matrix:
-        include:
-          - platform: linux/amd64
-            os: ubuntu-latest
-          - platform: linux/arm64
-            os: ubuntu-latest
-    runs-on: ${{ matrix.os }}
+        platform:
+          - linux/amd64
+          - linux/arm64

    steps:
-      - name: Prepare platform name
-        run: |
-          echo "PLATFORM_NAME=${{ matrix.platform }}" | sed 's|/|-|g' >> $GITHUB_ENV
-
-      - name: Checkout source code
+      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
+        with:
+          version: latest
+          driver-opts: image=moby/buildkit:buildx-stable-1

-      - name: Login to GitHub Container Registry
+      - name: Log in to Container Registry
+        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
-          registry: ghcr.io
+          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - name: Set lowercase repository owner
-        id: lowercase
-        run: echo "owner=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
-
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
-          images: ghcr.io/${{ steps.lowercase.outputs.owner }}/moontv
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
+            type=ref,event=branch
            type=ref,event=pr
+            type=sha,prefix={{branch}}-
            type=raw,value=latest,enable={{is_default_branch}}
+          labels: |
+            org.opencontainers.image.title=${{ github.repository }}
+            org.opencontainers.image.description=KatelyaTV - A modern streaming platform
+            org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.version=${{ steps.meta.outputs.version }}
+            org.opencontainers.image.created=${{ steps.meta.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.licenses=MIT

-      - name: Build and push by digest
+      - name: Build Docker image
        id: build
        uses: docker/build-push-action@v5
        with:
@ -72,29 +83,38 @@ jobs:
          file: ./Dockerfile
          platforms: ${{ matrix.platform }}
          labels: ${{ steps.meta.outputs.labels }}
-          outputs: type=image,name=ghcr.io/${{ steps.lowercase.outputs.owner }}/moontv,push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=gha,scope=${{ github.ref_name }}-${{ matrix.platform }}
+          cache-to: type=gha,mode=max,scope=${{ github.ref_name }}-${{ matrix.platform }}
+          outputs: |
+            type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}

      - name: Export digest
+        if: github.event_name != 'pull_request'
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"

      - name: Upload digest
+        if: github.event_name != 'pull_request'
        uses: actions/upload-artifact@v4
        with:
-          name: digests-${{ env.PLATFORM_NAME }}
+          name: digests-${{ strategy.job-index }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

-  merge:
+  merge-images:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
    needs:
-      - build
+      - build-and-push
    if: github.event_name != 'pull_request'
+
    steps:
      - name: Download digests
        uses: actions/download-artifact@v4
@ -106,48 +126,37 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

-      - name: Login to GitHub Container Registry
+      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
-          registry: ghcr.io
+          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - name: Set lowercase repository owner
-        id: lowercase
-        run: echo "owner=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
-
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
-          images: ghcr.io/${{ steps.lowercase.outputs.owner }}/moontv
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
-            type=ref,event=pr
-            type=sha
+            type=sha,prefix={{branch}}-
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Create manifest list and push
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf 'ghcr.io/${{ steps.lowercase.outputs.owner }}/moontv@sha256:%s ' *)
+            $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)

      - name: Inspect image
        run: |
-          docker buildx imagetools inspect ghcr.io/${{ steps.lowercase.outputs.owner }}/moontv:${{ steps.meta.outputs.version }}
+          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}

-  cleanup:
-    runs-on: ubuntu-latest
-    needs:
-      - merge
-    if: always() && github.event_name != 'pull_request'
-    steps:
-      - name: Delete workflow runs
-        uses: Mattraks/delete-workflow-runs@main
+      - name: Generate artifact attestation
+        if: github.event_name != 'pull_request'
+        uses: actions/attest-build-provenance@v1
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          repository: ${{ github.repository }}
-          retain_days: 0
-          keep_minimum_runs: 2
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true