1+ name : 🐳 构建并发布Docker镜像
2+
3+ on :
4+ push :
5+ branches :
6+ - main
7+ - develop
8+ tags :
9+ - ' v*'
10+ pull_request :
11+ branches :
12+ - main
13+ release :
14+ types : [published]
15+
16+ env :
17+ REGISTRY : ghcr.io
18+ IMAGE_NAME : ${{ github.repository }}
19+
20+ jobs :
21+ build-and-push :
22+ runs-on : ubuntu-latest
23+ permissions :
24+ contents : read
25+ packages : write
26+
27+ steps :
28+ - name : 📦 检出代码
29+ uses : actions/checkout@v4
30+
31+ - name : 🔧 设置Docker Buildx
32+ uses : docker/setup-buildx-action@v3
33+
34+ - name : 🔑 登录到Container Registry
35+ if : github.event_name != 'pull_request'
36+ uses : docker/login-action@v3
37+ with :
38+ registry : ${{ env.REGISTRY }}
39+ username : ${{ github.actor }}
40+ password : ${{ secrets.GITHUB_TOKEN }}
41+
42+ - name : 📝 提取元数据
43+ id : meta
44+ uses : docker/metadata-action@v5
45+ with :
46+ images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
47+ tags : |
48+ type=ref,event=branch
49+ type=ref,event=pr
50+ type=semver,pattern={{version}}
51+ type=semver,pattern={{major}}.{{minor}}
52+ type=semver,pattern={{major}}
53+ type=raw,value=latest,enable={{is_default_branch}}
54+
55+ - name : 🏗️ 构建并推送Docker镜像 (标准版)
56+ uses : docker/build-push-action@v5
57+ with :
58+ context : .
59+ file : ./Dockerfile
60+ platforms : linux/amd64,linux/arm64
61+ push : ${{ github.event_name != 'pull_request' }}
62+ tags : ${{ steps.meta.outputs.tags }}
63+ labels : ${{ steps.meta.outputs.labels }}
64+ target : development
65+ cache-from : type=gha
66+ cache-to : type=gha,mode=max
67+
68+ - name : 🏗️ 构建并推送Docker镜像 (中国优化版)
69+ uses : docker/build-push-action@v5
70+ with :
71+ context : .
72+ file : ./Dockerfile.china
73+ platforms : linux/amd64,linux/arm64
74+ push : ${{ github.event_name != 'pull_request' }}
75+ tags : |
76+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:china
77+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:china-latest
78+ labels : ${{ steps.meta.outputs.labels }}
79+ target : development
80+ cache-from : type=gha
81+ cache-to : type=gha,mode=max
82+
83+ # 生产环境镜像构建
84+ build-production :
85+ runs-on : ubuntu-latest
86+ permissions :
87+ contents : read
88+ packages : write
89+ if : github.event_name == 'release'
90+
91+ steps :
92+ - name : 📦 检出代码
93+ uses : actions/checkout@v4
94+
95+ - name : 🔧 设置Docker Buildx
96+ uses : docker/setup-buildx-action@v3
97+
98+ - name : 🔑 登录到Container Registry
99+ uses : docker/login-action@v3
100+ with :
101+ registry : ${{ env.REGISTRY }}
102+ username : ${{ github.actor }}
103+ password : ${{ secrets.GITHUB_TOKEN }}
104+
105+ - name : 📝 提取生产环境元数据
106+ id : meta-prod
107+ uses : docker/metadata-action@v5
108+ with :
109+ images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
110+ tags : |
111+ type=semver,pattern={{version}}-prod
112+ type=raw,value=production
113+
114+ - name : 🏗️ 构建并推送生产环境镜像
115+ uses : docker/build-push-action@v5
116+ with :
117+ context : .
118+ file : ./Dockerfile
119+ platforms : linux/amd64,linux/arm64
120+ push : true
121+ tags : ${{ steps.meta-prod.outputs.tags }}
122+ labels : ${{ steps.meta-prod.outputs.labels }}
123+ target : production
124+ cache-from : type=gha
125+ cache-to : type=gha,mode=max
126+
127+ - name : 🏗️ 构建并推送生产环境镜像 (中国优化版)
128+ uses : docker/build-push-action@v5
129+ with :
130+ context : .
131+ file : ./Dockerfile.china
132+ platforms : linux/amd64,linux/arm64
133+ push : true
134+ tags : |
135+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:china-production
136+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:china-prod
137+ labels : ${{ steps.meta-prod.outputs.labels }}
138+ target : production
139+ cache-from : type=gha
140+ cache-to : type=gha,mode=max
141+
142+ # 安全扫描
143+ security-scan :
144+ runs-on : ubuntu-latest
145+ permissions :
146+ contents : read
147+ packages : read
148+ security-events : write
149+ needs : build-and-push
150+ if : github.event_name != 'pull_request'
151+
152+ steps :
153+ - name : 🔍 运行Trivy漏洞扫描
154+ uses : aquasecurity/trivy-action@master
155+ with :
156+ image-ref : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
157+ format : ' sarif'
158+ output : ' trivy-results.sarif'
159+
160+ - name : 📋 上传Trivy扫描结果到GitHub Security
161+ uses : github/codeql-action/upload-sarif@v2
162+ if : always()
163+ with :
164+ sarif_file : ' trivy-results.sarif'
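Review bot: `aquasecurity/trivy-action@master` in the security-scan job is a mutable branch reference, so the scanner whose findings feed GitHub Security is whatever that branch holds at run time; pin it to a release tag or a full commit SHA, and `github/codeql-action/upload-sarif@v2` is a retired major that should move to `@v3`. The scan target `…:latest` is also not the image this run built: `latest` is only emitted when `is_default_branch` holds, so on develop and tag pushes the job scans a stale or missing tag, and the `china`, `china-latest` and both production images are never scanned at all. Exposing the `digest` output of the standard build step as a job output and scanning by digest ties the scan to the artifact that was just pushed, as sketched below; if the package is private, a registry login step would presumably be needed before Trivy pulls, since `packages: read` alone does not authenticate the pull. Separately, `china` and `china-latest` are pushed for every non-PR event with no default-branch gate, so a push to develop overwrites the China image that main produced, unlike the standard `latest`.
```yaml
  build-and-push:
    # … unchanged: runs-on, permissions …
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    steps:
      # … unchanged: checkout, buildx, login, metadata …
      - name: 🏗️ 构建并推送Docker镜像 (标准版)
        id: build
        uses: docker/build-push-action@v5
        # … unchanged: with … 

  security-scan:
    # … unchanged: runs-on, permissions, needs, if …
    steps:
      - name: 🔍 运行Trivy漏洞扫描
        uses: aquasecurity/trivy-action@<pinned-release-tag-or-commit-sha>
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push.outputs.digest }}
          format: sarif
          output: trivy-results.sarif
      # … unchanged: upload-sarif step (moved to github/codeql-action/upload-sarif@v3) …
```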