Merge pull request #694 from hydazz/main

chore: remove jenkins

Author: hydazz

.github/actions/bake-vars/action.yaml

@@ -0,0 +1,33 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
+name: Bake Vars
+description: Reads platforms and version for a given variant from docker-bake.hcl
+
+inputs:
+  variant:
+    description: Variant name (main, noml, cuda, openvino)
+    required: true
+
+outputs:
+  platforms:
+    description: Platforms array as JSON string
+    value: ${{ steps.opts.outputs.platforms }}
+  version:
+    description: Upstream immich version (v-stripped)
+    value: ${{ steps.opts.outputs.version }}
+
+runs:
+  using: composite
+  steps:
+    - id: opts
+      shell: bash
+      env:
+        VARIANT: ${{ inputs.variant }}
+      run: |-
+        BAKE=$(docker buildx bake "image-${VARIANT}" --print --progress=quiet)
+        PLATFORMS=$(jq --raw-output --compact-output ".target.\"image-${VARIANT}\".platforms" <<<"$BAKE")
+        VERSION=$(jq --raw-output ".target.\"image-${VARIANT}\".args.IMMICH_VERSION" <<<"$BAKE" | sed 's/^v//')
+        {
+          echo "platforms=${PLATFORMS}"
+          echo "version=${VERSION}"
+        } >>"$GITHUB_OUTPUT"

.github/labeler.yaml

@@ -0,0 +1,26 @@
+---
+area/image:
+  - changed-files:
+      - any-glob-to-any-file:
+          - Dockerfile
+          - docker-bake.hcl
+          - root/**/*
+area/github:
+  - changed-files:
+      - any-glob-to-any-file:
+          - .github/**/*
+area/mise:
+  - changed-files:
+      - any-glob-to-any-file:
+          - .mise.toml
+area/renovate:
+  - changed-files:
+      - any-glob-to-any-file:
+          - .renovate/**/*
+          - .renovaterc.json5
+area/tests:
+  - changed-files:
+      - any-glob-to-any-file:
+          - go.mod
+          - go.sum
+          - tests/**/*

.github/labels.yaml

@@ -0,0 +1,24 @@
+---
+# Areas
+- name: area/image
+  color: 0e8a16
+- name: area/github
+  color: 0e8a16
+- name: area/mise
+  color: 0e8a16
+- name: area/renovate
+  color: 0e8a16
+- name: area/tests
+  color: 0e8a16
+# Semantic Types
+- name: type/digest
+  color: ffeC19
+- name: type/patch
+  color: ffeC19
+- name: type/minor
+  color: ff9800
+- name: type/major
+  color: f6412d
+# Uncategorized
+- name: stale
+  color: c5def5

.github/workflows/build.yaml

@@ -0,0 +1,256 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: Build
+
+on:
+  workflow_call:
+    inputs:
+      variant:
+        type: string
+        description: Variant name (main, noml, cuda, openvino)
+        required: true
+      release:
+        type: boolean
+        description: Release
+        required: true
+
+jobs:
+  plan:
+    name: Plan
+    runs-on: ubuntu-latest
+    outputs:
+      platforms: ${{ steps.opts.outputs.platforms }}
+      version: ${{ steps.opts.outputs.version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Get Bake Vars
+        uses: ./.github/actions/bake-vars
+        id: opts
+        with:
+          variant: ${{ inputs.variant }}
+
+      - name: Build Variant Metadata
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        id: meta
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/immich
+          flavor: latest=false
+          tags: |
+            ${{ inputs.variant == 'main' && format(
+              'type=raw,value=latest,enable={0}
+              type=semver,pattern={{{{version}}}},value={1},enable={0}
+              type=semver,pattern={{{{major}}}}.{{{{minor}}}},value={1},enable={0}
+              type=semver,pattern={{{{major}}}},value={1},enable={0}',
+              inputs.release, steps.opts.outputs.version
+            ) || format(
+              'type=raw,value={0},enable={1}
+              type=semver,pattern={{{{version}}}}-{0},value={2},enable={1}
+              type=semver,pattern={{{{major}}}}.{{{{minor}}}}-{0},value={2},enable={1}
+              type=semver,pattern={{{{major}}}}-{0},value={2},enable={1}',
+              inputs.variant, inputs.release, steps.opts.outputs.version
+            ) }}
+            type=raw,value=sandbox-${{ inputs.variant }},enable=${{ ! inputs.release }}
+
+      - name: Upload Bake Metadata
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: ${{ inputs.variant }}-bake-metadata
+          path: ${{ steps.meta.outputs.bake-file }}
+          if-no-files-found: error
+          retention-days: 1
+
+  build:
+    name: Build (${{ matrix.platform }})
+    needs:
+      - plan
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: ${{ fromJson(needs.plan.outputs.platforms) }}
+    runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Get Target Architecture
+        uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
+        id: target
+        with:
+          script: |-
+            core.setOutput('arch', '${{ matrix.platform }}'.split('/').pop());
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Download Bake Metadata
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: ${{ inputs.variant }}-bake-metadata
+          path: ${{ runner.temp }}
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Build Variant
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
+        id: bake
+        with:
+          files: |
+            ./docker-bake.hcl
+            cwd://${{ runner.temp }}/docker-metadata-action-bake.json
+          targets: image-${{ inputs.variant }}
+          set: |
+            *.platform=${{ matrix.platform }}
+            *.cache-from=${{ format('type=registry,ref=ghcr.io/{0}/immich-cache:{1}-{2}', github.repository_owner, inputs.variant, steps.target.outputs.arch) }}
+            *.cache-to=${{ inputs.release && format('type=registry,ref=ghcr.io/{0}/immich-cache:{1}-{2},mode=max,compression=zstd,force-compression=true', github.repository_owner, inputs.variant, steps.target.outputs.arch) || '' }}
+            *.labels.org.opencontainers.image.title=immich-${{ inputs.variant }}
+            *.labels.org.opencontainers.image.version=${{ needs.plan.outputs.version }}
+            *.labels.org.opencontainers.image.revision=${{ github.sha }}
+            *.labels.org.opencontainers.image.vendor=${{ github.repository_owner }}
+            *.output=type=image,name=ghcr.io/${{ github.repository_owner }}/immich,push-by-digest=true,name-canonical=true,push=true,compression=zstd,force-compression=true
+            *.tags=
+
+      - name: Export Digest
+        env:
+          METADATA: ${{ steps.bake.outputs.metadata }}
+          TARGET: image-${{ inputs.variant }}
+        run: |-
+          mkdir -p ${{ runner.temp }}/digests
+          DIGEST=$(jq -r --arg t "$TARGET" '.[$t]["containerimage.digest"]' <<<"$METADATA")
+          test -n "$DIGEST" || { echo "::error::bake metadata had no digest for target $TARGET"; jq . <<<"$METADATA"; exit 1; }
+          touch "${{ runner.temp }}/digests/${DIGEST#sha256:}"
+
+      - name: Upload Digest
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: ${{ inputs.variant }}-digests-${{ steps.target.outputs.arch }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    name: Merge
+    runs-on: ubuntu-latest
+    needs:
+      - build
+    outputs:
+      digest: ${{ steps.digest.outputs.digest }}
+    steps:
+      - name: Download Bake Metadata
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: ${{ inputs.variant }}-bake-metadata
+          path: ${{ runner.temp }}
+
+      - name: Download Digests
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: ${{ inputs.variant }}-digests-*
+          merge-multiple: true
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Create Manifest List and Push
+        working-directory: ${{ runner.temp }}/digests
+        env:
+          OWNER: ${{ github.repository_owner }}
+          META: ${{ runner.temp }}/docker-metadata-action-bake.json
+        run: |-
+          docker buildx imagetools create \
+              $(jq --raw-output --compact-output ".target.\"docker-metadata-action\".tags | map(select(startswith(\"ghcr.io/$OWNER/immich\")) | \"-t \" + .) | join(\" \")" "$META") \
+              $(printf "ghcr.io/$OWNER/immich@sha256:%s " *)
+
+      - name: Inspect Image
+        env:
+          OWNER: ${{ github.repository_owner }}
+          META: ${{ runner.temp }}/docker-metadata-action-bake.json
+        run: |-
+          TAG=$(jq --raw-output '.target."docker-metadata-action".args.DOCKER_META_VERSION' "$META")
+          docker buildx imagetools inspect "ghcr.io/$OWNER/immich:$TAG"
+
+      - name: Export Digest
+        id: digest
+        env:
+          OWNER: ${{ github.repository_owner }}
+          META: ${{ runner.temp }}/docker-metadata-action-bake.json
+        run: |-
+          TAG=$(jq --raw-output '.target."docker-metadata-action".args.DOCKER_META_VERSION' "$META")
+          DIGEST=$(docker buildx imagetools inspect "ghcr.io/$OWNER/immich:$TAG" --format '{{ json . }}' | jq --raw-output '.manifest.digest')
+          echo "digest=$DIGEST" >>"$GITHUB_OUTPUT"
+
+  attest:
+    name: Attest
+    needs:
+      - merge
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Upload Dependency Snapshot
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
+        with:
+          dependency-snapshot: true
+          image: ghcr.io/${{ github.repository_owner }}/immich@${{ needs.merge.outputs.digest }}
+
+      - name: Attestation
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+        with:
+          push-to-registry: true
+          subject-name: ghcr.io/${{ github.repository_owner }}/immich
+          subject-digest: ${{ needs.merge.outputs.digest }}
+
+      - name: Verify Attestation
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |-
+          gh attestation verify \
+            --repo ${{ github.repository }} \
+            oci://ghcr.io/${{ github.repository_owner }}/immich@${{ needs.merge.outputs.digest }}
+
+  test:
+    if: ${{ ! inputs.release }}
+    name: Test
+    needs:
+      - merge
+      - attest
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+
+      - name: Run Tests
+        env:
+          TEST_IMAGE: ghcr.io/${{ github.repository_owner }}/immich@${{ needs.merge.outputs.digest }}
+          VARIANT: ${{ inputs.variant }}
+        run: |-
+          go test -v -timeout 15m ./tests/...

.github/workflows/codeql.yaml

@@ -0,0 +1,45 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: CodeQL
+
+on:
+  schedule:
+    - cron: 30 1 * * *
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+            source-root: .
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          source-root: ${{ matrix.source-root }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+        with:
+          category: language:${{ matrix.language }}