Improve tagger coverage and accuracy (#1789) #952
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: GHCR Publish | |
| # This workflow uses actions that are not certified by GitHub. | |
| # They are provided by a third-party and are governed by | |
| # separate terms of service, privacy policy, and support | |
| # documentation. | |
| on: | |
| push: | |
| branches: [main] | |
| release: | |
| types: [published] | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: Version to build and tag (e.g., 0.0.13) | |
| required: true | |
| type: string | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| build: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - arch: linux/amd64 | |
| runner: ubuntu-latest | |
| - arch: linux/arm64 | |
| runner: ubuntu-24.04-arm | |
| runs-on: ${{ matrix.runner }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| - name: Setup Docker buildx | |
| uses: docker/setup-buildx-action@v4 | |
| # Login against a Docker registry except on PR | |
| # https://github.com/docker/login-action | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v4 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # Extract metadata (tags, labels) for Docker | |
| # https://github.com/docker/metadata-action | |
| - name: Extract Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@v6 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| - name: Prepare platform slug | |
| id: platform | |
| run: | | |
| echo "slug=$(echo '${{ matrix.arch }}' | tr '/' '-')" >> "$GITHUB_OUTPUT" | |
| # Build and push by digest (no tag yet) | |
| - name: Build and push by digest | |
| id: build | |
| uses: docker/build-push-action@v7 | |
| with: | |
| context: . | |
| file: Dockerfile | |
| platforms: ${{ matrix.arch }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true | |
| cache-from: type=gha,scope=ghcr-${{ steps.platform.outputs.slug }} | |
| cache-to: type=gha,mode=max,scope=ghcr-${{ steps.platform.outputs.slug }} | |
| - name: Export digest | |
| run: | | |
| mkdir -p /tmp/digests | |
| digest="${{ steps.build.outputs.digest }}" | |
| touch "/tmp/digests/${digest#sha256:}" | |
| - name: Upload digest | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: digests-${{ steps.platform.outputs.slug }} | |
| path: /tmp/digests/* | |
| if-no-files-found: error | |
| retention-days: 1 | |
| merge: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Download digests | |
| uses: actions/download-artifact@v8 | |
| with: | |
| path: /tmp/digests | |
| pattern: digests-* | |
| merge-multiple: true | |
| # Install the cosign tool | |
| # https://github.com/sigstore/cosign-installer | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@v4.1.2 | |
| with: | |
| cosign-release: v2.1.1 | |
| - name: Setup Docker buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| uses: docker/login-action@v4 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # Normalize version: strip leading 'v' if present | |
| - name: Normalize version | |
| if: github.event_name == 'workflow_dispatch' | |
| id: normalize | |
| run: | | |
| RAW_VERSION="${{ inputs.version }}" | |
| VERSION="${RAW_VERSION#v}" | |
| echo "version=$VERSION" >> "$GITHUB_OUTPUT" | |
| - name: Extract Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@v6 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| # main push -> :main | |
| type=ref,event=branch | |
| # GitHub Release -> v1.2.3, 1.2, 1, latest | |
| type=semver,pattern={{version}},enable=${{ github.event_name == 'release' }} | |
| type=semver,pattern={{major}}.{{minor}},enable=${{ github.event_name == 'release' }} | |
| type=semver,pattern={{major}},enable=${{ github.event_name == 'release' }} | |
| type=raw,value=latest,enable=${{ github.event_name == 'release' }} | |
| # Manual dispatch -> input version + latest | |
| type=raw,value=${{ steps.normalize.outputs.version }},enable=${{ github.event_name == 'workflow_dispatch' }} | |
| type=raw,value=latest,enable=${{ github.event_name == 'workflow_dispatch' }} | |
| - name: Create manifest list and push | |
| working-directory: /tmp/digests | |
| run: | | |
| docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
| $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *) | |
| - name: Inspect image | |
| run: | | |
| docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} |