1- name : Sync Immich Upstream Release and Build ML Images
1+ name : Sync Immich Upstream Release and Build Images
22
33on :
44 schedule :
1515 required : false
1616 type : string
1717
18- # Default permissions for GITHUB_TOKEN for all jobs.
19- # Can be overridden at the job level.
18+ # Permissions for GITHUB_TOKEN used by other steps (API calls, GHCR push)
2019permissions :
21- contents : read # Needed for checkout in build jobs , GITHUB_TOKEN can read.
22- packages : write # For GITHUB_TOKEN to push Docker images to GHCR.
23- actions : read # For GITHUB_TOKEN to make API calls (e.g., in determine_tag).
20+ contents : read # Default for checkout, GITHUB_TOKEN can read. Push uses PAT .
21+ packages : write # For GITHUB_TOKEN to push Docker images to GHCR
22+ actions : read # For GITHUB_TOKEN to make API calls (e.g., in determine_tag)
2423
2524jobs :
2625 sync_and_build :
2726 runs-on : ubuntu-latest
2827 outputs :
2928 release_tag : ${{ steps.determine_tag.outputs.tag_to_process }}
3029 should_run_build : ${{ steps.check_if_new.outputs.should_run_build }}
31- permissions : # Specific permissions for this job
32- contents : write # Needed for GITHUB_TOKEN to push code to its own repository.
33- # Inherits 'packages: write' and 'actions: read' from workflow level.
3430
3531 steps :
3632 - name : Harden Runner
4137 - name : Determine Upstream Tag to Process
4238 id : determine_tag
4339 env :
40+ # GITHUB_TOKEN is implicitly available and used by curl if -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}"
41+ # The 'actions: read' permission at the top level allows this.
4442 GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
4543 run : |
4644 if [ -n "${{ github.event.inputs.specific_tag }}" ]; then
5351 https://api.github.com/repos/immich-app/immich/releases/latest)
5452 LATEST_TAG=$(echo "$LATEST_TAG_JSON" | jq -r .tag_name)
5553
54+ # Robust check for empty or null tag
5655 if [ -z "$LATEST_TAG" ] || [ "$LATEST_TAG" == "null" ] || [ "$LATEST_TAG" == "" ]; then
5756 echo "Error: Failed to fetch a valid latest tag name."
5857 echo "API Response: $LATEST_TAG_JSON"
58+ # Check if it's a rate limit issue (though GITHUB_TOKEN has higher limits)
5959 if echo "$LATEST_TAG_JSON" | jq -e '.message | startswith("API rate limit exceeded")' > /dev/null; then
6060 echo "API rate limit exceeded. Consider increasing schedule interval or using a PAT for API calls if this persists."
6161 fi
@@ -107,104 +107,52 @@ jobs:
107107 with :
108108 repository : immich-app/immich
109109 ref : ${{ steps.determine_tag.outputs.tag_to_process }}
110- path : upstream_source # Checks out to $GITHUB_WORKSPACE/upstream_source
110+ path : upstream_source
111+ # token: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is fine for public repo checkout
112+ # If immich-app/immich were private, you might need a PAT with repo read scope for it here.
111113
112- - name : Sync to Target Branch (Excluding Upstream .github/workflows)
114+ - name : Configure Git for pushing to aviv926/immich
115+ if : steps.check_if_new.outputs.should_run_build == 'true'
116+ run : |
117+ git config --global user.name "GitHub Actions Bot (Immich Sync)"
118+ git config --global user.email "actions-bot@users.noreply.github.com" # Or a no-reply email associated with the PAT user
119+
120+ name : Push code to aviv926/immich dockerimageML branch
113121 if : steps.check_if_new.outputs.should_run_build == 'true'
114122 env :
115123 TARGET_BRANCH : dockerimageML
116- GH_TOKEN : ${{ secrets.GITHUB_TOKEN }} # Using GITHUB_TOKEN for the push
117- UPSTREAM_TAG : ${{ steps.determine_tag.outputs.tag_to_process }}
118- UPSTREAM_SOURCE_PATH : ${{ github.workspace }}/upstream_source
124+ # Use your REPO_PATwhich MUST have 'repo' AND 'workflow' scopes for this to work
125+ TARGET_REPO_URL : https://x-access-token:${{ secrets.REPO_PAT }}@github.com/${{ github.repository_owner }}/immich.git
119126 run : |
120- set -e # Exit immediately if a command exits with a non-zero status.
121-
122- MY_REPO_URL="https://x-access-token:$GH_TOKEN@github.com/${{ github.repository }}.git"
123- TARGET_WORKDIR_NAME="target_repo_for_sync"
124- TARGET_WORKDIR_PATH="${{ github.workspace }}/$TARGET_WORKDIR_NAME"
125-
126- echo "Preparing target directory $TARGET_WORKDIR_PATH for branch $TARGET_BRANCH"
127- rm -rf "$TARGET_WORKDIR_PATH"
128-
129- if git ls-remote --exit-code --heads "$MY_REPO_URL" "refs/heads/$TARGET_BRANCH"; then
130- echo "Cloning existing branch $TARGET_BRANCH from $MY_REPO_URL..."
131- git clone --depth 1 --branch "$TARGET_BRANCH" "$MY_REPO_URL" "$TARGET_WORKDIR_PATH"
132- else
133- echo "Branch $TARGET_BRANCH not found in $MY_REPO_URL. Initializing it locally."
134- mkdir -p "$TARGET_WORKDIR_PATH"
135- cd "$TARGET_WORKDIR_PATH"
136- git init -b "$TARGET_BRANCH" # Use -b to set the branch name during init
137- # No initial commit here; will be done after sync if needed
138- cd "${{ github.workspace }}" # Return to GITHUB_WORKSPACE
139- fi
127+ cd upstream_source
128+ echo "Current directory: $(pwd)"
129+ echo "Attempting to push current HEAD (tag ${{ steps.determine_tag.outputs.tag_to_process }}) to ${{ github.repository_owner }}/immich branch $TARGET_BRANCH using PAT"
140130
141- cd "$TARGET_WORKDIR_PATH"
142- git config user.name "GitHub Actions Bot (Immich Sync)"
143- git config user.email "actions-bot@users.noreply.github.com"
144-
145- TEMP_WORKFLOWS_BACKUP_DIR=$(mktemp -d)
146- TARGET_BRANCH_DOT_GITHUB_WORKFLOWS_PATH=".github/workflows"
147-
148- if [ -d "$TARGET_BRANCH_DOT_GITHUB_WORKFLOWS_PATH" ]; then
149- echo "Preserving existing '$TARGET_BRANCH_DOT_GITHUB_WORKFLOWS_PATH' from branch '$TARGET_BRANCH'..."
150- mv "$TARGET_BRANCH_DOT_GITHUB_WORKFLOWS_PATH" "$TEMP_WORKFLOWS_BACKUP_DIR/workflows"
151- echo "Preserved to $TEMP_WORKFLOWS_BACKUP_DIR/workflows"
152- else
153- echo "No '$TARGET_BRANCH_DOT_GITHUB_WORKFLOWS_PATH' found in branch '$TARGET_BRANCH' to preserve."
154- fi
131+ # Clean any previous remote and add fresh
132+ git remote rm destination_repo 2>/dev/null || true
133+ git remote add destination_repo "$TARGET_REPO_URL"
155134
156- echo "Syncing content from $UPSTREAM_SOURCE_PATH (tag $UPSTREAM_TAG), excluding its .github/workflows/ ..."
157- rsync -a --delete \
158- --exclude '.git/' \
159- --exclude '.github/workflows/' \
160- "$UPSTREAM_SOURCE_PATH/" .
161-
162- if [ -d "$TEMP_WORKFLOWS_BACKUP_DIR/workflows" ]; then
163- echo "Restoring preserved .github/workflows..."
164- mkdir -p ".github" # Ensure .github directory exists
165- mv "$TEMP_WORKFLOWS_BACKUP_DIR/workflows" ".github/workflows"
166- echo "Restored to .github/workflows"
167- fi
168- rm -rf "$TEMP_WORKFLOWS_BACKUP_DIR"
169-
170- echo "Staging changes..."
171- git add -A .
172-
173- if git diff --staged --quiet; then
174- echo "No effective content changes to commit after syncing with upstream $UPSTREAM_TAG (target .github/workflows preserved)."
175- # If the branch was newly created locally and is still empty after sync, and not on remote, push it.
176- if ! git ls-remote --exit-code --heads "$MY_REPO_URL" "refs/heads/$TARGET_BRANCH"; then
177- if git rev-parse --verify --quiet "refs/heads/$TARGET_BRANCH"; then
178- echo "Branch $TARGET_BRANCH is new on remote. Pushing current state."
179- if ! git rev-parse --verify --quiet HEAD^{commit} 2>/dev/null; then # If no commits exist
180- git commit --allow-empty -m "Establish $TARGET_BRANCH (synced from $UPSTREAM_TAG, target .github/workflows preserved)"
181- fi
182- git push "$MY_REPO_URL" HEAD:"refs/heads/$TARGET_BRANCH" --force
183- echo "Pushed new branch $TARGET_BRANCH to remote."
184- fi
185- else
186- echo "Branch $TARGET_BRANCH already exists on remote, and no new content changes to push."
187- fi
188- else
189- echo "Committing changes..."
190- COMMIT_MSG="Sync from immich-app/immich@$UPSTREAM_TAG, preserving target's .github/workflows
191-
192- Upstream tag : $UPSTREAM_TAG
193- Workflow sync strategy : Target branch .github/workflows preserved. Upstream .github/workflows ignored during sync."
194- git commit -m "$COMMIT_MSG"
195-
196- echo "Pushing with force to $TARGET_BRANCH..."
197- git push "$MY_REPO_URL" HEAD:"refs/heads/$TARGET_BRANCH" --force
198- echo "Push to $TARGET_BRANCH complete."
199- fi
135+ # Fetch the target branch to see if it exists, helps avoid some errors if it's the very first push
136+ # and provides a more specific error if the branch doesn't exist and we're not force pushing to create it.
137+ # However, with --force, this fetch isn't strictly necessary for the push itself.
138+ # git fetch destination_repo $TARGET_BRANCH # Optional
200139
201- cd "${{ github.workspace }}" # Return to original GITHUB_WORKSPACE
140+ echo "Pushing with force to $TARGET_BRANCH..."
141+ git push destination_repo HEAD:refs/heads/$TARGET_BRANCH --force
142+ echo "Push to $TARGET_BRANCH complete."
143+ cd .. # Go back to GITHUB_WORKSPACE root
144+
145+ # --- Docker Build Jobs ---
146+ # These jobs will run only if the sync_and_build job determined it should run.
147+ # They will checkout the freshly updated dockerimageML branch from aviv926/immich.
202148
203- build-server :
149+ build-server :
204150 needs : sync_and_build
205151 if : needs.sync_and_build.outputs.should_run_build == 'true'
206152 runs-on : ubuntu-latest
207- # Inherits permissions (contents:read, packages:write) from workflow level
153+ permissions : # These permissions are for GITHUB_TOKEN
154+ contents : read # To checkout code from aviv926/immich
155+ packages : write # To push to GHCR using GITHUB_TOKEN
208156 steps :
209157 - name : Harden Runner
210158 uses : step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
@@ -214,8 +162,9 @@ build-server:
214162 - name : Checkout aviv926/immich@dockerimageML
215163 uses : actions/checkout@v4
216164 with :
217- repository : ${{ github.repository }}
218- ref : dockerimageML
165+ repository : ${{ github.repository }} # This repository (aviv926/immich)
166+ ref : dockerimageML # The branch we just pushed to
167+ # token: ${{ secrets.GITHUB_TOKEN }} # Default, uses GITHUB_TOKEN with 'contents: read'
219168
220169 - name : Set up Docker Buildx
221170 uses : docker/setup-buildx-action@v3
@@ -225,7 +174,7 @@ build-server:
225174 with :
226175 registry : ghcr.io
227176 username : ${{ github.repository_owner }}
228- password : ${{ secrets.GITHUB_TOKEN }}
177+ password : ${{ secrets.GITHUB_TOKEN }} # Use GITHUB_TOKEN for GHCR
229178
230179 - name : Build and push server image
231180 uses : docker/build-push-action@v6
@@ -238,11 +187,13 @@ build-server:
238187 cache-from : type=gha
239188 cache-to : type=gha,mode=max
240189
241- build-ml :
242- needs : [ sync_and_build, build-server]
190+ build-ml :
191+ needs : sync_and_build
243192 if : needs.sync_and_build.outputs.should_run_build == 'true'
244193 runs-on : ubuntu-latest
245- # Inherits permissions (contents:read, packages:write) from workflow level
194+ permissions : # These permissions are for GITHUB_TOKEN
195+ contents : read
196+ packages : write
246197 strategy :
247198 matrix :
248199 include :
@@ -251,7 +202,7 @@ build-ml:
251202 dockerfile : machine-learning/Dockerfile
252203 - device : cuda
253204 suffix : " -cuda"
254- dockerfile : machine-learning/Dockerfile # Assuming same Dockerfile handles DEVICE arg
205+ dockerfile : machine-learning/Dockerfile
255206 steps :
256207 - name : Harden Runner
257208 uses : step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
@@ -263,6 +214,7 @@ build-ml:
263214 with :
264215 repository : ${{ github.repository }}
265216 ref : dockerimageML
217+ # token: ${{ secrets.GITHUB_TOKEN }} # Default
266218
267219 - name : Set up Docker Buildx
268220 uses : docker/setup-buildx-action@v3
@@ -277,8 +229,8 @@ build-ml:
277229 - name : Build and push ML image (${{ matrix.device }})
278230 uses : docker/build-push-action@v6
279231 with :
280- context : machine-learning # Context should be where Dockerfile is
281- file : ${{ matrix.dockerfile }} # Path relative to context
232+ context : machine-learning
233+ file : ${{ matrix.dockerfile }}
282234 platforms : linux/amd64
283235 push : true
284236 build-args : |
0 commit comments