docker-build.yml
# Polls the upstream Cuprate repository for its newest `cuprated-*` tag and
# builds/pushes the Docker image when needed. Token permissions are declared
# per job further down; nothing is granted at workflow level in this section.
name: Check Cuprate Latest Tag and Build Docker

on:
  # Scheduled poll: minute 0 of every 8th hour
  schedule:
    - cron: "0 */8 * * *"
  # Manual runs from the Actions UI / API
  workflow_dispatch:
  # Pushes to main, but only when the build inputs themselves change
  push:
    branches: [main]
    paths:
      - Dockerfile
      - docker-compose.yml
      - .github/workflows/docker-build.yml

# One run per ref: a newer run cancels the run already in flight.
# NOTE(review): a cancellation that lands after the per-arch pushes but before
# the manifest merge presumably leaves arch-suffixed tags without an updated
# manifest list; confirm this is acceptable for published tags.
concurrency:
  group: docker-build-${{ github.ref }}
  cancel-in-progress: true
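jobs:
  # Job 1: resolve the newest upstream `cuprated-*` tag and decide whether an
  # image for that version still has to be built. Read-only token.
  check-upstream-tag:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    outputs:
      should_build: ${{ steps.check-image.outputs.should_build }}
      version: ${{ steps.get-latest-tag.outputs.version }}
      cuprate_tag: ${{ steps.get-latest-tag.outputs.cuprate_tag }}
    steps:
      - name: Get latest Cuprate tag
        id: get-latest-tag
        run: |
          # Without `shell: bash` the default shell runs without pipefail, so a
          # failed curl would otherwise be masked by jq's exit status.
          set -euo pipefail
          # Fetch the latest tag from Cuprate repository that matches the pattern.
          # -f makes HTTP errors (e.g. API rate limiting) fail the step instead of
          # feeding an error document to jq; `// empty` avoids the literal "null".
          # NOTE(review): `.[0]` is the first match in API order, which is
          # presumably newest-first; confirm it is the tag you intend to build.
          LATEST_TAG=$(curl -fsSL https://api.github.com/repos/cuprate/cuprate/tags \
            | jq -r '[.[] | select(.name | startswith("cuprated-"))] | .[0].name // empty')
          echo "Latest Cuprate tag: $LATEST_TAG"
          # Extract version number from tag (e.g., cuprated-0.0.1 -> 0.0.1)
          VERSION=${LATEST_TAG#cuprated-}
          # The tag name is data from a third-party repository and later becomes
          # an image tag, a build-arg and part of shell commands. Accept only the
          # character set Docker allows for image tags; fail closed otherwise.
          TAG_PATTERN='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
          if [[ ! "$VERSION" =~ $TAG_PATTERN ]]; then
            echo "::error::Unexpected or missing upstream tag: '$LATEST_TAG'"
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "cuprate_tag=$LATEST_TAG" >> "$GITHUB_OUTPUT"
      - name: Login to GitHub Container Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Check if image for version already exists
        id: check-image
        env:
          # Expressions are handed to the script as environment variables so
          # their values are never spliced into the shell source.
          IMAGE: ghcr.io/${{ github.repository_owner }}/cuprate-docker:${{ steps.get-latest-tag.outputs.version }}
          EVENT_NAME: ${{ github.event_name }}
        run: |
          # Always rebuild on push to main (Dockerfile/workflow changes)
          if [ "$EVENT_NAME" = "push" ]; then
            echo "Push event detected — forcing rebuild."
            echo "should_build=true" >> "$GITHUB_OUTPUT"
          elif docker manifest inspect "$IMAGE" > /dev/null 2>&1; then
            echo "Image $IMAGE already exists. Skipping build."
            echo "should_build=false" >> "$GITHUB_OUTPUT"
          else
            # Any inspect failure (not only "not found") ends up here and
            # triggers a build.
            echo "should_build=true" >> "$GITHUB_OUTPUT"
          fi

  # Job 2: build and push one image per architecture on a native runner.
  # Each image is tagged with an `-amd64` / `-arm64` suffix (see `flavor`).
  build-arch:
    needs: check-upstream-tag
    if: needs.check-upstream-tag.outputs.should_build == 'true'
    runs-on: ${{ matrix.runner }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: linux/amd64
            runner: ubuntu-latest
            suffix: amd64
          - platform: linux/arm64
            runner: ubuntu-24.04-arm
            suffix: arm64
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # Fetch all history for better versioning
          # No later step runs git against the remote, so do not leave the
          # token in the checkout's git config (the checkout is the Docker
          # build context).
          persist-credentials: false
      # Set up Docker Buildx
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          # NOTE(review): the actions are pinned to commit SHAs, but this
          # resolves the buildx binary at run time; pin a release here if the
          # toolchain should be reproducible as well.
          version: latest
      - name: Login to GitHub Container Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: |
            ghcr.io/${{ github.repository_owner }}/cuprate-docker
          flavor: |
            suffix=-${{ matrix.suffix }}
          tags: |
            type=raw,value=latest
            type=raw,value=${{ needs.check-upstream-tag.outputs.version }}
            type=sha,format=short
            type=ref,event=branch
            type=ref,event=tag
      - name: Build and push Docker image
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          push: true
          platforms: ${{ matrix.platform }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          # NOTE(review): github.event.head_commit exists only on push events,
          # so BUILD_DATE is presumably empty on schedule/workflow_dispatch
          # runs; confirm the Dockerfile tolerates an empty value.
          build-args: |
            CUPRATE_TAG=${{ needs.check-upstream-tag.outputs.cuprate_tag }}
            BUILD_DATE=${{ github.event.head_commit.timestamp }}
            VCS_REF=${{ github.sha }}
            VERSION=${{ needs.check-upstream-tag.outputs.version }}
          # Arch-isolated caching to prevent cross-arch cache collisions
          cache-from: |
            type=gha
            type=registry,ref=ghcr.io/${{ github.repository_owner }}/cuprate-docker:buildcache-${{ matrix.suffix }}
          cache-to: |
            type=gha,mode=max
            type=registry,ref=ghcr.io/${{ github.repository_owner }}/cuprate-docker:buildcache-${{ matrix.suffix }},mode=max
          # Provenance/SBOM must be disabled when manually merging per-arch images
          # with imagetools create, otherwise attestation manifests are picked up
          # as platform variants and corrupt the multi-arch manifest list.
          # Consequence: the published images carry no build attestations.
          provenance: false
          sbom: false

  # Job 3: combine the two arch-suffixed images into one multi-arch manifest
  # list under the unsuffixed tags.
  merge-manifests:
    needs: [check-upstream-tag, build-arch]
    if: needs.check-upstream-tag.outputs.should_build == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Login to GitHub Container Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: |
            ghcr.io/${{ github.repository_owner }}/cuprate-docker
          tags: |
            type=raw,value=latest
            type=raw,value=${{ needs.check-upstream-tag.outputs.version }}
            type=sha,format=short
            type=ref,event=branch
            type=ref,event=tag
      - name: Create and push multi-arch manifest list
        env:
          # Pass expression results through the environment instead of
          # expanding them inside the script: the version string originates
          # from an upstream tag name, and this job holds packages: write.
          TAGS: ${{ steps.meta.outputs.tags }}
          IMAGE_REPO: ghcr.io/${{ github.repository_owner }}/cuprate-docker
          VERSION: ${{ needs.check-upstream-tag.outputs.version }}
        run: |
          set -euo pipefail
          # One `-t <tag>` pair per non-empty line of the metadata output.
          # An array keeps each tag a single argument with no word splitting.
          TAG_ARGS=()
          while IFS= read -r tag; do
            if [ -n "$tag" ]; then
              TAG_ARGS+=(-t "$tag")
            fi
          done <<< "$TAGS"
          if [ "${#TAG_ARGS[@]}" -eq 0 ]; then
            echo "::error::metadata step produced no tags"
            exit 1
          fi
          SOURCE_AMD64="${IMAGE_REPO}:${VERSION}-amd64"
          SOURCE_ARM64="${IMAGE_REPO}:${VERSION}-arm64"
          echo "Creating manifest list with tags: ${TAG_ARGS[*]}"
          echo "Source images: $SOURCE_AMD64 $SOURCE_ARM64"
          docker buildx imagetools create \
            "${TAG_ARGS[@]}" \
            "$SOURCE_AMD64" \
            "$SOURCE_ARM64"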