Check Cuprate Latest Tag and Build Docker #1554
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Check Cuprate Latest Tag and Build Docker | |
| on: | |
| schedule: | |
| # Run every 8 hours | |
| - cron: '0 */8 * * *' | |
| # Allow manual trigger | |
| workflow_dispatch: | |
| # Run on push to main branch | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - 'Dockerfile' | |
| - 'docker-compose.yml' | |
| - '.github/workflows/docker-build.yml' | |
| concurrency: | |
| group: docker-build-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| check-upstream-tag: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: read | |
| outputs: | |
| should_build: ${{ steps.check-image.outputs.should_build }} | |
| version: ${{ steps.get-latest-tag.outputs.version }} | |
| cuprate_tag: ${{ steps.get-latest-tag.outputs.cuprate_tag }} | |
| steps: | |
| - name: Get latest Cuprate tag | |
| id: get-latest-tag | |
| run: | | |
| # Fetch the latest tag from Cuprate repository that matches the pattern | |
| LATEST_TAG=$(curl -s https://api.github.com/repos/cuprate/cuprate/tags | jq -r '[.[] | select(.name | startswith("cuprated-"))] | .[0].name') | |
| echo "Latest Cuprate tag: $LATEST_TAG" | |
| # Extract version number from tag (e.g., cuprated-0.0.1 -> 0.0.1) | |
| VERSION=${LATEST_TAG#cuprated-} | |
| echo "version=$VERSION" >> $GITHUB_OUTPUT | |
| echo "cuprate_tag=$LATEST_TAG" >> $GITHUB_OUTPUT | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Check if image for version already exists | |
| id: check-image | |
| env: | |
| IMAGE: ghcr.io/${{ github.repository_owner }}/cuprate-docker:${{ steps.get-latest-tag.outputs.version }} | |
| run: | | |
| # Always rebuild on push to main (Dockerfile/workflow changes) | |
| if [ "${{ github.event_name }}" = "push" ]; then | |
| echo "Push event detected — forcing rebuild." | |
| echo "should_build=true" >> "$GITHUB_OUTPUT" | |
| elif docker manifest inspect "$IMAGE" > /dev/null 2>&1; then | |
| echo "Image $IMAGE already exists. Skipping build." | |
| echo "should_build=false" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "should_build=true" >> "$GITHUB_OUTPUT" | |
| fi | |
| build-and-push: | |
| needs: check-upstream-tag | |
| if: needs.check-upstream-tag.outputs.should_build == 'true' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| security-events: write # Required for GitHub CodeQL and dependency submission | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 # Fetch all history for better versioning | |
| # Set up QEMU for multi-architecture builds | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 | |
| with: | |
| platforms: 'arm64,amd64' | |
| # Set up Docker Buildx for multi-platform builds | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 | |
| with: | |
| version: latest | |
| platforms: linux/amd64,linux/arm64 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # Create and start build cache | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 | |
| with: | |
| images: | | |
| ghcr.io/${{ github.repository_owner }}/cuprate-docker | |
| tags: | | |
| type=raw,value=latest | |
| type=raw,value=${{ needs.check-upstream-tag.outputs.version }} | |
| type=sha,format=short | |
| type=ref,event=branch | |
| type=ref,event=tag | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 | |
| with: | |
| context: . | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| build-args: | | |
| CUPRATE_TAG=${{ needs.check-upstream-tag.outputs.cuprate_tag }} | |
| BUILD_DATE=${{ github.event.head_commit.timestamp }} | |
| VCS_REF=${{ github.sha }} | |
| VERSION=${{ needs.check-upstream-tag.outputs.version }} | |
| # Enhanced caching strategy | |
| cache-from: | | |
| type=gha | |
| type=registry,ref=ghcr.io/${{ github.repository_owner }}/cuprate-docker:buildcache | |
| cache-to: | | |
| type=gha,mode=max | |
| type=registry,ref=ghcr.io/${{ github.repository_owner }}/cuprate-docker:buildcache,mode=max | |
| # Enable parallel builds and security features | |
| builder: ${{ steps.buildx.outputs.name }} | |
| provenance: true | |
| sbom: true | |
| outputs: type=registry,push=true |