jamesf/Perplexica
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Perplexica/.github/workflows/docker-build.yml
Nick the Sick 5979f8321d
feat: build docker images in CI
2024-07-22 23:11:15 +02:00

146 lines
4.4 KiB
YAML
Raw Blame History

name: Publish Docker image
on:
schedule:
- cron: '24 0 * * 1'
workflow_dispatch:
push:
branches:
- 'master'
tags:
- 'v*'
pull_request:
branches:
- 'master'
env:
IMAGE_NAME: ${{ github.repository }}
jobs:
build-and-push-image:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # needed for signing the images with GitHub OIDC Token
attestations: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
fetch-depth: 1
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: Install Cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@v3.3.0
with:
cosign-release: 'v2.2.2'
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata app
id: meta-app
uses: docker/metadata-action@v4.4.0
with:
images: ghcr.io/${{ env.IMAGE_NAME }}-app
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha,format=long
- name: Extract Docker metadata backend
id: meta-backend
uses: docker/metadata-action@v4.4.0
with:
images: ghcr.io/${{ env.IMAGE_NAME }}-backend
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha,format=long
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and Push App container images
uses: docker/build-push-action@v4
id: build-and-push-app
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta-app.outputs.tags }}
labels: ${{ steps.meta-app.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
file: ./app.dockerfile
- name: Build and Push Backend container images
uses: docker/build-push-action@v4
id: build-and-push-backend
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta-backend.outputs.tags }}
labels: ${{ steps.meta-backend.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
file: ./backend.dockerfile
- name: Sign the app images with GitHub OIDC Token
env:
DIGEST: ${{ steps.build-and-push-app.outputs.digest }}
TAGS: ${{ steps.meta-app.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
- name: Sign the backend images with GitHub OIDC Token
env:
DIGEST: ${{ steps.build-and-push-backend.outputs.digest }}
TAGS: ${{ steps.meta-backend.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
- name: Attest app
uses: actions/attest-build-provenance@v1
id: attest-app
with:
subject-name: ghcr.io/${{ env.IMAGE_NAME }}-app
subject-digest: ${{ steps.build-and-push-app.outputs.digest }}
push-to-registry: true
- name: Attest backend
uses: actions/attest-build-provenance@v1
id: attest-backend
with:
subject-name: ghcr.io/${{ env.IMAGE_NAME }}-backend
subject-digest: ${{ steps.build-and-push-backend.outputs.digest }}
push-to-registry: true
Reference in a new issue View git blame Copy permalink