diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 44d1e94..14ca5f9 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml 
@@ -17,54 +17,65 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - packages: write - actions: read +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} jobs: - build: + build-and-push: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + attestations: write + id-token: write + strategy: + fail-fast: false matrix: - include: - - platform: linux/amd64 - os: ubuntu-latest - - platform: linux/arm64 - os: ubuntu-latest - runs-on: ${{ matrix.os }} + platform: + - linux/amd64 + - linux/arm64 steps: - - name: Prepare platform name - run: | - echo "PLATFORM_NAME=${{ matrix.platform }}" | sed 's|/|-|g' >> $GITHUB_ENV - - - name: Checkout source code + - name: Checkout repository uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + with: + version: latest + driver-opts: image=moby/buildkit:buildx-stable-1 - - name: Login to GitHub Container Registry + - name: Log in to Container Registry + if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: - registry: ghcr.io + registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Set lowercase repository owner - id: lowercase - run: echo "owner=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" - - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: - images: ghcr.io/${{ steps.lowercase.outputs.owner }}/moontv + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | + type=ref,event=branch type=ref,event=pr + type=sha,prefix={{branch}}- type=raw,value=latest,enable={{is_default_branch}} + labels: | + org.opencontainers.image.title=${{ github.repository }} + org.opencontainers.image.description=KatelyaTV - A modern streaming platform + org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }} + org.opencontainers.image.source=${{ 
github.server_url }}/${{ github.repository }} + org.opencontainers.image.version=${{ steps.meta.outputs.version }} + org.opencontainers.image.created=${{ steps.meta.outputs.created }} + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.licenses=MIT - - name: Build and push by digest + - name: Build Docker image id: build uses: docker/build-push-action@v5 with: @@ -72,29 +83,38 @@ jobs: file: ./Dockerfile platforms: ${{ matrix.platform }} labels: ${{ steps.meta.outputs.labels }} - outputs: type=image,name=ghcr.io/${{ steps.lowercase.outputs.owner }}/moontv,push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }} - cache-from: type=gha - cache-to: type=gha,mode=max + cache-from: type=gha,scope=${{ github.ref_name }}-${{ matrix.platform }} + cache-to: type=gha,mode=max,scope=${{ github.ref_name }}-${{ matrix.platform }} + outputs: | + type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }} - name: Export digest + if: github.event_name != 'pull_request' run: | mkdir -p /tmp/digests digest="${{ steps.build.outputs.digest }}" touch "/tmp/digests/${digest#sha256:}" - name: Upload digest + if: github.event_name != 'pull_request' uses: actions/upload-artifact@v4 with: - name: digests-${{ env.PLATFORM_NAME }} + name: digests-${{ strategy.job-index }} path: /tmp/digests/* if-no-files-found: error retention-days: 1 - merge: + merge-images: runs-on: ubuntu-latest + permissions: + contents: read + packages: write + attestations: write + id-token: write needs: - - build + - build-and-push if: github.event_name != 'pull_request' + steps: - name: Download digests uses: actions/download-artifact@v4 
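Review bot: The new `build-and-push` job grants `attestations: write` and `id-token: write`, but no step in this job uses either (the only attestation step in this patch lives in `merge-images`), so for least privilege those two lines should be removed from this job's `permissions` and kept only on `merge-images`. Separately, the `org.opencontainers.image.version` and `org.opencontainers.image.created` labels reference `steps.meta.outputs.*` from inside the `meta` step itself; a step's `with:` inputs are evaluated before the step runs, so these appear to expand to empty strings, and since docker/metadata-action already emits `version`, `created`, `revision`, `source`, `url` and `title` labels by default, those custom label lines can simply be dropped. Consider also pinning `actions/checkout`, `docker/setup-buildx-action`, `docker/login-action`, `docker/metadata-action` and `docker/build-push-action` to full commit SHAs and removing `version: latest` on setup-buildx, so the toolchain that produces the attested image is reproducible rather than floating. This hunk ends inside the build step's `with:` block, which continues in the next hunk.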
@@ -106,48 +126,37 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Login to GitHub Container Registry + - name: Log in to Container Registry uses: docker/login-action@v3 with: - registry: ghcr.io + registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Set lowercase repository owner - id: lowercase - run: echo "owner=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" - - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: - images: ghcr.io/${{ steps.lowercase.outputs.owner }}/moontv + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=ref,event=branch - type=ref,event=pr - type=sha + type=sha,prefix={{branch}}- type=raw,value=latest,enable={{is_default_branch}} - name: Create manifest list and push working-directory: /tmp/digests run: | docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf 'ghcr.io/${{ steps.lowercase.outputs.owner }}/moontv@sha256:%s ' *) + $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *) - name: Inspect image run: | - docker buildx imagetools inspect ghcr.io/${{ steps.lowercase.outputs.owner }}/moontv:${{ steps.meta.outputs.version }} + docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} - cleanup: - runs-on: ubuntu-latest - needs: - - merge - if: always() && github.event_name != 'pull_request' - steps: - - name: Delete workflow runs - uses: Mattraks/delete-workflow-runs@main + - name: Generate artifact attestation + if: github.event_name != 'pull_request' + uses: actions/attest-build-provenance@v1 with: - token: ${{ secrets.GITHUB_TOKEN }} - repository: ${{ github.repository }} - retain_days: 0 - keep_minimum_runs: 2 + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} + subject-digest: ${{ steps.build.outputs.digest }} + push-to-registry: 
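Review bot: The `outputs:` line now builds the push reference directly from `${{ env.IMAGE_NAME }}`, i.e. `github.repository`, while the `Set lowercase repository owner` step that the old reference relied on is removed; container registries reject references with uppercase characters, so if this repository's owner or name contains any uppercase letter the `push-by-digest` push (and the later `imagetools create`) will fail with an invalid-reference error. Normalize the name once, e.g. a step `id: image` with `run: echo "name=${GITHUB_REPOSITORY,,}" >> "$GITHUB_OUTPUT"`, and use `${{ env.REGISTRY }}/${{ steps.image.outputs.name }}` wherever `env.IMAGE_NAME` is used outside docker/metadata-action (which lowercases its own `images` input). As a minor hardening habit, the `Export digest` step interpolates `${{ steps.build.outputs.digest }}` straight into the shell script; passing it through `env:` and reading `"$DIGEST"` avoids expression-to-shell injection patterns even where the value is a trusted digest.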
true \ No newline at end of file
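Review bot: The new `Generate artifact attestation` step sets `subject-digest: ${{ steps.build.outputs.digest }}`, but `build` is a step id in the `build-and-push` job, not in `merge-images`, so in this job the expression resolves to empty and the attestation will either fail or be bound to nothing; the subject should be the digest of the manifest list this job just created. Capture that digest from `docker buildx imagetools inspect` with `--format '{{.Manifest.Digest}}'` in a preceding step and reference its output, as sketched below. The attestation is correctly placed in the job that holds `id-token: write` and `attestations: write`, and pushing it to the registry requires the `packages: write` this job already has.

```yaml
      - name: Resolve manifest list digest
        id: manifest
        env:
          IMAGE_REF: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
        run: |
          echo "digest=$(docker buildx imagetools inspect "$IMAGE_REF" --format '{{.Manifest.Digest}}')" >> "$GITHUB_OUTPUT"

      - name: Generate artifact attestation
        # … unchanged: if / uses …
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.manifest.outputs.digest }}
          push-to-registry: true
```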