docs: sync README composes with hardened config and add socket troubl… #76
| name: Build and Push Docker | |
| on: | |
| workflow_call: | |
| inputs: | |
| push: | |
| description: "Push image to registry" | |
| required: false | |
| type: boolean | |
| default: true | |
| push: | |
| branches: [main] | |
| tags: | |
| - "v*" | |
| pull_request: | |
| branches: [main] | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: kolapsis/maintenant | |
| jobs: | |
| build: | |
| name: Build Docker Image | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Validate required secrets | |
| run: | | |
| if [ -z "$LICENSE_PUBLIC_KEY" ]; then | |
| echo "::error::LICENSE_PUBLIC_KEY secret is not set. Aborting build." | |
| exit 1 | |
| fi | |
| env: | |
| LICENSE_PUBLIC_KEY: ${{ secrets.LICENSE_PUBLIC_KEY }} | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Compute build metadata | |
| run: | | |
| # VERSION: strip leading 'v' from tag, or use ref name | |
| if [[ "$GITHUB_REF" == refs/tags/v* ]]; then | |
| echo "BUILD_VERSION=${GITHUB_REF_NAME#v}" >> "$GITHUB_ENV" | |
| echo "IMAGE_TAG=${GITHUB_REF_NAME#v}" >> "$GITHUB_ENV" | |
| else | |
| echo "BUILD_VERSION=${GITHUB_REF_NAME}" >> "$GITHUB_ENV" | |
| fi | |
| # BUILD_DATE: ISO 8601 timestamp | |
| echo "BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_ENV" | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Extract metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=raw,value=main,enable=${{ github.ref == 'refs/heads/main' }} | |
| type=sha,prefix=,format=short,enable=${{ github.ref == 'refs/heads/main' }} | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }} | |
| - name: Login to GitHub Container Registry | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| platforms: linux/amd64,linux/arm64 | |
| push: ${{ github.event_name != 'pull_request' && (inputs.push || startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main') }} | |
| provenance: false | |
| tags: | | |
| ${{ steps.meta.outputs.tags }} | |
| ${{ env.IMAGE_TAG && format('{0}/{1}:{2}', env.REGISTRY, env.IMAGE_NAME, env.IMAGE_TAG) || '' }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| VERSION=${{ env.BUILD_VERSION }} | |
| COMMIT=${{ github.sha }} | |
| BUILD_DATE=${{ env.BUILD_DATE }} | |
| LICENSE_PUBLIC_KEY=${{ secrets.LICENSE_PUBLIC_KEY }} |
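Review bot: `LICENSE_PUBLIC_KEY=${{ secrets.LICENSE_PUBLIC_KEY }}` in the `build-args` block is typically persisted in the image's layer history and config, so anyone who can pull the image can read it; that is acceptable for a public key, but because the value is sourced from `secrets.*` the same line copied for a private key would publish it, so add a comment above the line, `# public key only: build args are persisted in image metadata, never pass private material this way`. If private material is ever needed at build time, use build-push-action's `secrets:` input together with a `RUN --mount=type=secret` in the Dockerfile instead of a build arg. Separately, every action is pinned by major tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v6`, etc.), so a compromised or force-moved tag changes what runs under `packages: write`; pinning to a full commit SHA with the tag kept in a trailing comment is the usual hardening. `provenance: false` also drops the provenance attestation build-push-action would otherwise publish — if it is there to avoid the extra attestation manifests on the multi-arch image, say so in a comment so it is not mistaken for an oversight. The rendering has stripped the file's indentation, so the nesting of these keys is inferred.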