docker.yml

name: Docker Build & Release

on:
  workflow_dispatch:
  push:
    branches: [main]
    paths:
      - Dockerfile
  pull_request:
    branches: [main]
    paths:
      - Dockerfile

env:
  DOCKER_BUILDKIT: "1"
  DOCKER_BUILD_SUMMARY: "false"
  COSIGN_EXPERIMENTAL: "1"

jobs:
  metadata:
    name: Build metadata
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    outputs:
      image-title: ${{ steps.build-metadata.outputs.image-title }}
      image-name: ${{ steps.build-metadata.outputs.image-name }}
      caddy-version: ${{ steps.build-metadata.outputs.caddy-version }}
      branch-name: ${{ steps.build-metadata.outputs.branch-name }}
      labels: ${{ steps.docker-metadata.outputs.labels }}
      tags: ${{ steps.docker-metadata.outputs.tags }}
      platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6,linux/ppc64le,linux/s390x
    steps:
      - name: Checkout repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Generate build metadata
        id: build-metadata
        shell: bash
        run: |
          IMAGE_TITLE=${GITHUB_REPOSITORY/*docker-/}
          IMAGE_NAME=$(echo "${GITHUB_REPOSITORY/docker-/}" | tr '[:upper:]' '[:lower:]')
          CADDY_VERSION=$(grep -m 1 -Eo 'caddy:[0-9]+\.[0-9]+\.[0-9]+' Dockerfile \
            | sed -E 's/.+:([0-9]+\.[0-9]+\.[0-9]+)(.+)?$/\1/g')
          BRANCH_NAME=$(echo "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" \
            | tr '[:upper:]' '[:lower:]' | sed 's/[^a-zA-Z0-9]/-/g')
          cat <<EOF | tee -a "$GITHUB_OUTPUT"
          image-title=$IMAGE_TITLE
          image-name=$IMAGE_NAME
          caddy-version=$CADDY_VERSION
          branch-name=$BRANCH_NAME
          EOF

      - name: Generate Docker image metadata
        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        id: docker-metadata
        with:
          images: |
            docker.io/${{ steps.build-metadata.outputs.image-name }}
            ghcr.io/${{ steps.build-metadata.outputs.image-name }}
          tags: |
            type=semver,pattern={{version}},value=v${{ steps.build-metadata.outputs.caddy-version }}
            type=semver,pattern={{major}}.{{minor}},value=v${{ steps.build-metadata.outputs.caddy-version }}
            type=semver,pattern={{major}},value=v${{ steps.build-metadata.outputs.caddy-version }}
          labels: |
            org.opencontainers.image.description=${{ github.event.repository.description }}
            org.opencontainers.image.title=${{ steps.build-metadata.outputs.image-title }}
          annotations: |
            org.opencontainers.image.description=${{ github.event.repository.description }}
            org.opencontainers.image.title=${{ steps.build-metadata.outputs.image-title }}

  build:
    name: Build image
    runs-on: ubuntu-latest
    needs: [metadata]
    permissions:
      id-token: write
      pull-requests: write
    outputs:
      image-ref: ttl.sh/${{ needs.metadata.outputs.image-name }}@${{ steps.build.outputs.digest }}
    steps:
      - name: Checkout repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Install Cosign
        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1

      - name: Install regctl
        uses: iarekylew00t/regctl-installer@c552a6ea85fb38c900cb63feccaa69145ad0883c # v3.1.4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      # Why?
      # Since we're building for multiple platforms using QEMU it's takes a decent amount
      # of time for the build to finish. We use the PR build as cache to drastically speed
      # things ups!
      - name: Wait for PR build cache to sync
        if: github.event_name == 'push'
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          WORKFLOW_NAME: PR Cache Sync
          INTERVAL: 10
        run: |
          while gh run list \
            -R "$GITHUB_REPOSITORY" \
            -w "$WORKFLOW_NAME" \
            --json status | jq -re 'map(select(.status != "completed")) | length > 0' >/dev/null; do
            echo "Re-checking '$WORKFLOW_NAME' in $INTERVAL seconds..." && sleep "$INTERVAL"
          done
          echo "'$WORKFLOW_NAME' completed!"

      - name: Build CI Docker image
        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        id: build
        with:
          context: .
          push: true
          tags: ttl.sh/${{ needs.metadata.outputs.image-name }}:${{ github.sha }}
          labels: ${{ needs.metadata.outputs.labels }}
          platforms: ${{ needs.metadata.outputs.platforms }}
          cache-from: type=registry,ref=ttl.sh/${{ needs.metadata.outputs.image-name }}:${{ needs.metadata.outputs.branch-name }}
          cache-to: type=inline,mode=max

      # We don't need to sign the CI build because we use the digest as the
      # reference, which is immutable anyways. Tampering is not an issue.
      - name: Copy CI build to branch tag
        shell: bash
        env:
          IMAGE_NAME: ${{ needs.metadata.outputs.image-name }}
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
          BRANCH_NAME: ${{ needs.metadata.outputs.branch-name }}
        run: |
          regctl image copy \
            --verbosity info \
            --digest-tags \
            --force-recursive \
            "ttl.sh/$IMAGE_NAME@$IMAGE_DIGEST" \
            "ttl.sh/$IMAGE_NAME:$BRANCH_NAME"

      - name: Find existing PR comment
        if: github.event_name == 'pull_request' && cancelled() == false
        id: find
        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body-includes: View Workflow Run
          direction: first

      - name: Add/Update PR success comment
        if: github.event_name == 'pull_request' && success()
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-id: ${{ steps.find.outputs.comment-id }}
          edit-mode: replace
          body: |
            ## ✅ PR built successfully!

            #### **[⏩ View Workflow Run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})**

            You can access your ephemeral image for up to 24hrs at:

            ```
            ttl.sh/${{ needs.metadata.outputs.image-name }}@${{ steps.build.outputs.digest }}
            ```

      - name: Add/Update PR failure comment
        if: github.event_name == 'pull_request' && failure()
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-id: ${{ steps.find.outputs.comment-id }}
          edit-mode: replace
          body: |
            ## 💥 PR build failure!

            #### **[⏩ View Workflow Run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})**

            Uh oh, something went wrong building your PR!

  # We call this as a separate reusable workflow so all the event triggers
  # are grouped together properly by their corresponding ref
  # We need the if check because we skip the cache job sometimes
  trivy:
    name: Trivy
    needs: [build]
    uses: ./.github/workflows/trivy.yml
    with:
      image-ref: ${{ needs.build.outputs.image-ref }}

  publish:
    name: Publish image
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: [metadata, build, trivy]
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      packages: write
      contents: write
    steps:
      - name: Checkout repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Install Cosign
        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1

      - name: Set up QEMU
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      - name: Login to Docker Hub
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GitHub Container Repository
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - name: Publish final Docker image
        id: publish
        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          context: .
          push: true
          tags: ${{ needs.metadata.outputs.tags }}
          labels: ${{ needs.metadata.outputs.labels }}
          platforms: ${{ needs.metadata.outputs.platforms }}
          cache-from: type=registry,ref=${{ needs.build.outputs.image-ref }}

      # We sign each registry separately
      - name: Sign final Docker images
        shell: bash
        env:
          IMAGE_NAME: ${{ needs.metadata.outputs.image-name }}
          IMAGE_DIGEST: ${{ steps.publish.outputs.digest }}
        run: |
          cosign sign --yes --recursive "docker.io/$IMAGE_NAME@$IMAGE_DIGEST"
          cosign sign --yes --recursive "ghcr.io/$IMAGE_NAME@$IMAGE_DIGEST"

      # This will automatically attach the SBOM to the release
      - name: Generate final Docker image SBOM
        uses: anchore/sbom-action@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
        with:
          format: spdx-json
          image: ${{ needs.metadata.outputs.image-name }}@${{ steps.publish.outputs.digest }}
          artifact-name: ${{ needs.metadata.outputs.image-title }}.spdx.json
          output-file: ${{ needs.metadata.outputs.image-title }}.spdx.json

      - name: Update Git tags
        shell: bash
        env:
          CADDY_VERSION: ${{ needs.metadata.outputs.caddy-version }}
        run: |
          MAJOR=$(echo "$CADDY_VERSION" | cut -d . -f 1)
          MINOR=$(echo "$CADDY_VERSION" | cut -d . -f 2)
          PATCH=$(echo "$CADDY_VERSION" | cut -d . -f 3)
          git tag -f "v$MAJOR"
          git tag -f "v$MAJOR.$MINOR"
          git tag -f "v$MAJOR.$MINOR.$PATCH"
          git push -f -u origin "v$MAJOR"
          git push -f -u origin "v$MAJOR.$MINOR"
          git push -f -u origin "v$MAJOR.$MINOR.$PATCH"

      - name: Create GitHub release
        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
        with:
          tag_name: v${{ needs.metadata.outputs.caddy-version }}
          make_latest: true
          generate_release_notes: false
          body: |
            ### [🚀 Caddy v${{ needs.metadata.outputs.caddy-version }} Changelog](https://github.com/caddyserver/caddy/releases/tag/v${{ needs.metadata.outputs.caddy-version }})

            ## 🐳 Docker Images

            ```
            ${{ needs.metadata.outputs.image-name }}:latest
            ${{ needs.metadata.outputs.image-name }}:${{ needs.metadata.outputs.caddy-version }}
            ${{ needs.metadata.outputs.image-name }}@${{ steps.publish.outputs.digest }}
            ```

            ## 🔏 Signatures

            ```
            cosign verify \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
              --certificate-identity-regexp ${{ github.server_url }}/${{ github.repository }}/.github/workflows/ \
              ${{ needs.metadata.outputs.image-name }}@${{ steps.publish.outputs.digest }}
            ```
          files: |
            *.spdx.json