162 lines
6.2 KiB
YAML
162 lines
6.2 KiB
YAML
name: Build & Push Docker image
|
||
on:
|
||
push:
|
||
branches:
|
||
- main
|
||
paths-ignore:
|
||
- '**.md'
|
||
pull_request:
|
||
branches:
|
||
- main
|
||
paths-ignore:
|
||
- '**.md'
|
||
workflow_dispatch:
|
||
concurrency:
|
||
group: ${{ github.workflow }}-${{ github.ref }}
|
||
cancel-in-progress: true
|
||
env:
|
||
REGISTRY: ghcr.io
|
||
jobs:
|
||
build-and-push:
|
||
runs-on: ubuntu-latest
|
||
permissions:
|
||
contents: read
|
||
packages: write
|
||
attestations: write
|
||
id-token: write
|
||
strategy:
|
||
fail-fast: false
|
||
matrix:
|
||
platform:
|
||
- linux/amd64
|
||
- linux/arm64
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v4
|
||
- name: Set image name to lowercase
|
||
run: echo "IMAGE_NAME=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
|
||
- name: Set up Docker Buildx
|
||
uses: docker/setup-buildx-action@v3
|
||
with:
|
||
version: latest
|
||
driver-opts: image=moby/buildkit:buildx-stable-1
|
||
- name: Log in to Container Registry
|
||
if: github.event_name != 'pull_request'
|
||
uses: docker/login-action@v3
|
||
with:
|
||
registry: ${{ env.REGISTRY }}
|
||
username: ${{ github.actor }}
|
||
password: ${{ secrets.GITHUB_TOKEN }}
|
||
- name: Extract metadata
|
||
id: meta
|
||
uses: docker/metadata-action@v5
|
||
with:
|
||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
||
tags: |
|
||
type=ref,event=branch
|
||
type=ref,event=pr
|
||
type=sha,prefix={{branch}}-
|
||
type=raw,value=latest,enable={{is_default_branch}}
|
||
labels: |
|
||
org.opencontainers.image.title=${{ github.repository }}
|
||
org.opencontainers.image.description=katelyatv - A modern streaming platform
|
||
org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}
|
||
org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
|
||
org.opencontainers.image.version=${{ steps.meta.outputs.version }}
|
||
org.opencontainers.image.created=${{ steps.meta.outputs.created }}
|
||
org.opencontainers.image.revision=${{ github.sha }}
|
||
org.opencontainers.image.licenses=MIT
|
||
- name: Build Docker image
|
||
id: build
|
||
uses: docker/build-push-action@v5
|
||
with:
|
||
context: .
|
||
file: ./Dockerfile
|
||
platforms: ${{ matrix.platform }}
|
||
labels: ${{ steps.meta.outputs.labels }}
|
||
cache-from: type=gha,scope=${{ github.ref_name }}-${{ matrix.platform }}
|
||
cache-to: type=gha,mode=max,scope=${{ github.ref_name }}-${{ matrix.platform }}
|
||
outputs: |
|
||
type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}
|
||
provenance: false
|
||
sbom: false
|
||
- name: Export digest
|
||
if: github.event_name != 'pull_request'
|
||
run: |
|
||
mkdir -p /tmp/digests
|
||
digest="${{ steps.build.outputs.digest }}"
|
||
touch "/tmp/digests/${digest#sha256:}"
|
||
- name: Upload digest
|
||
if: github.event_name != 'pull_request'
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: digests-${{ strategy.job-index }}
|
||
path: /tmp/digests/*
|
||
if-no-files-found: error
|
||
retention-days: 1
|
||
merge-images:
|
||
runs-on: ubuntu-latest
|
||
permissions:
|
||
contents: read
|
||
packages: write
|
||
attestations: write
|
||
id-token: write
|
||
needs:
|
||
- build-and-push
|
||
if: github.event_name != 'pull_request'
|
||
steps:
|
||
- name: Set image name to lowercase
|
||
run: echo "IMAGE_NAME=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
|
||
- name: Download digests
|
||
uses: actions/download-artifact@v4
|
||
with:
|
||
path: /tmp/digests
|
||
pattern: digests-*
|
||
merge-multiple: true
|
||
- name: Set up Docker Buildx
|
||
uses: docker/setup-buildx-action@v3
|
||
- name: Log in to Container Registry
|
||
uses: docker/login-action@v3
|
||
with:
|
||
registry: ${{ env.REGISTRY }}
|
||
username: ${{ github.actor }}
|
||
password: ${{ secrets.GITHUB_TOKEN }}
|
||
- name: Extract metadata
|
||
id: meta
|
||
uses: docker/metadata-action@v5
|
||
with:
|
||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
||
tags: |
|
||
type=ref,event=branch
|
||
type=sha,prefix={{branch}}-
|
||
type=raw,value=latest,enable={{is_default_branch}}
|
||
- name: Create manifest list and push
|
||
working-directory: /tmp/digests
|
||
run: |
|
||
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
|
||
$(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
|
||
- name: Get multi-arch digest
|
||
id: get_digest
|
||
run: |
|
||
# 直接从 docker pull 获取 digest,这是最可靠的方法
|
||
digest=$(docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} 2>&1 | grep "Digest:" | cut -d' ' -f2 || echo "")
|
||
if [ -z "$digest" ]; then
|
||
# 备选方案:使用 crane 风格的检查(如果支持的话)
|
||
digest=$(docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} | grep "Digest:" | head -1 | cut -d' ' -f2 || echo "")
|
||
fi
|
||
if [ -z "$digest" ]; then
|
||
# 最后备选:从 raw manifest 计算
|
||
digest=$(docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} --raw | sha256sum | awk '{print "sha256:"$1}')
|
||
fi
|
||
echo "digest=$digest" >> $GITHUB_OUTPUT
|
||
- name: Inspect image
|
||
run: |
|
||
docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
|
||
- name: Generate artifact attestation
|
||
if: github.event_name != 'pull_request'
|
||
uses: actions/attest-build-provenance@v1
|
||
with:
|
||
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
|
||
subject-digest: ${{ steps.get_digest.outputs.digest }}
|
||
push-to-registry: true
|