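---
# Build the container image from ./Containerfile, publish it to GHCR on
# non-PR events, and sign the pushed digest with keyless (OIDC) cosign.
name: Docker

on:
  schedule:
    - cron: '30 05 * * *'  # Run daily for main branch
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  release:
    types: [ published ]  # Trigger on release publication
  workflow_dispatch:

# One active run per ref; a newer run on the same ref cancels the older one.
# NOTE(review): if a run is cancelled after "Build and push" but before
# "Sign the published Docker image", the tags it pushed stay unsigned until
# the next run on that ref completes. Consumers that verify signatures will
# reject the image in that window.
concurrency:
  group: docker-publish-${{ github.ref }}
  cancel-in-progress: true

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
  # Actions env values are always strings; quoted so generic YAML tooling
  # does not retype the value as a boolean.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege for this job: read the checkout, write to the package
    # registry, and mint an OIDC token for keyless cosign. No contents:write
    # is granted because nothing below pushes to git.
    permissions:
      contents: read
      packages: write
      id-token: write  # For sigstore cosign ephemeral identity
    steps:
      # NOTE(review): every action below is pinned to a moving major-version
      # tag. Pinning to a full commit SHA (with the version in a trailing
      # comment) removes the trust placed in upstream tag integrity.
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # The build context is `.`, which includes .git/ unless
          # .dockerignore excludes it. With the action default (true) the
          # GITHUB_TOKEN is persisted in .git/config and a `COPY . .` in the
          # Containerfile would bake it into an image layer. No later step
          # pushes to git, so the persisted credential is not needed.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      # Only run these steps for pushes to main, releases, manual or
      # scheduled runs, not for PRs (fork PRs get a read-only token and no
      # id-token anyway).
      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@v3

      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Tag rules: `pr-N` for PRs, `main` for the main branch, semver tags
      # for `v*` release tags, and `latest` only on a published release.
      # NOTE(review): a workflow_dispatch run from a ref other than main or a
      # `v*` tag matches none of these rules and yields an empty tag list,
      # which the push step below cannot use - confirm that is intended.
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v6
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=pr
            type=raw,value=main,enable=${{ github.ref == 'refs/heads/main' }}
            type=semver,pattern={{version}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
            type=semver,pattern={{major}}.{{minor}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
            type=semver,pattern={{major}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
            type=match,pattern=v(.*),group=1,enable=${{ startsWith(github.ref, 'refs/tags/v') }}
            type=raw,value=latest,enable=${{ github.event_name == 'release' }}

      # For PRs, build but don't push. The PR's Containerfile is untrusted;
      # it never reaches the registry and its layer cache is written under
      # the PR's own cache scope.
      - name: Build Docker image (PR only)
        if: github.event_name == 'pull_request'
        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./Containerfile
          push: false
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # For non-PRs (push to main, release, manual or scheduled runs), build
      # and push. The step's `digest` output is what gets signed below.
      - name: Build and push Docker image
        id: build-and-push
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./Containerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Sign each pushed tag by immutable digest (tag@sha256:...), so the
      # signature binds to content, not to a mutable tag. The identity is
      # the job's OIDC token; verifiers should pin it with cosign's
      # --certificate-identity-regexp for this repository/workflow and
      # --certificate-oidc-issuer https://token.actions.githubusercontent.com.
      - name: Sign the published Docker image
        if: github.event_name != 'pull_request'
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: |
          echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}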