Mirrors/EOS
1
0
Fork 0
mirror of https://github.com/Akkudoktor-EOS/EOS.git synced 2025-11-03 16:26:20 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity
Files
e3c5b758dd0c2f46582a4210f4da28ec08040dfc
EOS/.github/workflows/docker-build.yml
Christian Heinrich Hohlfeld 63962343d9 ci(docker): add :latest tag on default branch builds (#522) Fixes #499
2025-04-21 19:27:33 +02:00

218 lines
7.0 KiB
YAML
Raw Blame History

name: docker-build
on:
# pipeline runs per trigger condition, so release trigger not required as tag is sufficient
#release:
# types: [published]
push:
branches:
- 'main'
tags:
- 'v*'
pull_request:
branches:
- '**'
env:
DOCKERHUB_REPO: akkudoktor/eos
GHCR_REPO: ghcr.io/akkudoktor-eos/eos
EOS_LICENSE: Apache-2.0
# From https://docs.docker.com/build/ci/github-actions/multi-platform/
# Changes:
# - adjusted rw permissions
# - manually set undetected license (label+annotation)
# - set description for index manifest
# - add attestation
# - conditionally don't push on pr
# - on pr just use amd64 platform
jobs:
# Build platform matrix excludes. if-conditional with matrix on job level is not
# supported, see https://github.com/actions/runner/issues/1985
platform-excludes:
runs-on: ubuntu-latest
outputs:
excludes: ${{ steps.excludes.outputs.matrix }}
steps:
- id: excludes
run: |
if ${{ github.event_name == 'pull_request' }}; then
echo 'matrix=[
{"platform": "linux/arm64"}
]' | tr -d '[:space:]' >> $GITHUB_OUTPUT
else
echo 'matrix=[]' >> $GITHUB_OUTPUT
fi
build:
needs: platform-excludes
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
attestations: write
id-token: write
strategy:
fail-fast: false
matrix:
platform:
- linux/amd64
- linux/arm64
exclude: ${{ fromJSON(needs.platform-excludes.outputs.excludes) }}
steps:
- name: Prepare
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.DOCKERHUB_REPO }}
${{ env.GHCR_REPO }}
labels: |
org.opencontainers.image.licenses=${{ env.EOS_LICENSE }}
annotations: |
org.opencontainers.image.licenses=${{ env.EOS_LICENSE }}
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
# Prepare to extract description so it can be manually set for index manifest (group of platform manifests)
- name: Prepare description
id: get_description
run: |
echo "EOS_REPO_DESCRIPTION=$(jq -cr '.labels."org.opencontainers.image.description"' <<< "$DOCKER_METADATA_OUTPUT_JSON")" >> $GITHUB_ENV
- name: Login to Docker Hub
uses: docker/login-action@v3
# skip for pull requests
if: ${{ github.event_name != 'pull_request' }}
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Login to GHCR
uses: docker/login-action@v3
# skip for pull requests
if: ${{ github.event_name != 'pull_request' }}
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
# skip for pull requests
if: ${{ github.event_name != 'pull_request' }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push by digest
id: build
uses: docker/build-push-action@v6
with:
platforms: ${{ matrix.platform }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
outputs: type=image,"name=${{ env.DOCKERHUB_REPO }},${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,"push=${{ github.event_name != 'pull_request' }}","annotation-index.org.opencontainers.image.description=${{ env.EOS_REPO_DESCRIPTION }}"
- name: Generate artifact attestation DockerHub
uses: actions/attest-build-provenance@v2
if: ${{ github.event_name != 'pull_request' }}
with:
subject-name: docker.io/${{ env.DOCKERHUB_REPO }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
- name: Generate artifact attestation GitHub
uses: actions/attest-build-provenance@v2
if: ${{ github.event_name != 'pull_request' }}
with:
subject-name: ${{ env.GHCR_REPO }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
- name: Export digest
run: |
mkdir -p /tmp/digests
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@v4
with:
name: digests-${{ env.PLATFORM_PAIR }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
merge:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
needs:
- build
# skip for pull requests
if: ${{ github.event_name != 'pull_request' }}
steps:
- name: Download digests
uses: actions/download-artifact@v4
with:
path: /tmp/digests
pattern: digests-*
merge-multiple: true
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.DOCKERHUB_REPO }}
${{ env.GHCR_REPO }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=latest,enable={{is_default_branch}}
labels: |
org.opencontainers.image.licenses=${{ env.EOS_LICENSE }}
annotations: |
org.opencontainers.image.licenses=${{ env.EOS_LICENSE }}
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Create manifest list and push
working-directory: /tmp/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.DOCKERHUB_REPO }}@sha256:%s ' *)
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.GHCR_REPO }}@sha256:%s ' *)
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.DOCKERHUB_REPO }}:${{ steps.meta.outputs.version }}
docker buildx imagetools inspect ${{ env.GHCR_REPO }}:${{ steps.meta.outputs.version }}
Reference in New Issue View Git Blame Copy Permalink