Update #284
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Image Build and Publish | |
| on: | |
| schedule: | |
| - cron: '0 0 1 * *' | |
| push: | |
| branches: [ "main" ] | |
| tags: [ 'v*' ] | |
| concurrency: | |
| group: "build" | |
| cancel-in-progress: false | |
| env: | |
| REGISTRY: ghcr.io | |
| jobs: | |
| prepare: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.generate-matrix.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - id: set-filters | |
| run: | | |
| python3 -c " | |
| import yaml, os | |
| with open('config.yml', 'r') as f: | |
| config = yaml.safe_load(f) | |
| images = config.get('images', []) | |
| filters = {img['name']: [f\"{img['context'].lstrip('./')}/**\"] for img in images} | |
| with open(os.environ['GITHUB_OUTPUT'], 'a') as f: | |
| f.write('filters<<EOF\n') | |
| f.write(yaml.dump(filters)) | |
| f.write('EOF\n') | |
| " | |
| - uses: dorny/paths-filter@v3 | |
| id: filter | |
| with: | |
| filters: ${{ steps.set-filters.outputs.filters }} | |
| - id: generate-matrix | |
| run: | | |
| python3 -c " | |
| import yaml, json, os | |
| with open('config.yml', 'r') as f: | |
| config = yaml.safe_load(f) | |
| images = config.get('images', []) | |
| changes = json.loads(os.environ.get('CHANGES', '[]')) | |
| event = os.environ.get('EVENT_NAME') | |
| ref_type = os.environ.get('REF_TYPE') | |
| is_build_all = event in ['schedule', 'workflow_dispatch'] or ref_type == 'tag' | |
| if is_build_all: | |
| matrix = images | |
| else: | |
| matrix = [img for img in images if img['name'] in changes] | |
| with open(os.environ['GITHUB_OUTPUT'], 'a') as f: | |
| f.write(f'matrix={json.dumps(matrix)}\n') | |
| " | |
| env: | |
| CHANGES: ${{ steps.filter.outputs.changes }} | |
| EVENT_NAME: ${{ github.event_name }} | |
| REF_TYPE: ${{ github.ref_type }} | |
| build: | |
| name: Build ${{ matrix.name }} Dockerfile and Push | |
| needs: prepare | |
| if: needs.prepare.outputs.matrix != '[]' | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJSON(needs.prepare.outputs.matrix) }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| attestations: write | |
| artifact-metadata: write | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v6 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract Docker Image Metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ matrix.image }} | |
| tags: | | |
| type=raw,value=latest | |
| type=ref,event=tag | |
| - name: Build and Push Docker Image | |
| id: push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: ${{ matrix.context }} | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Generate Build Attestation (SLSA) | |
| uses: actions/attest-build-provenance@v4 | |
| with: | |
| subject-name: ${{ env.REGISTRY }}/${{ matrix.image }} | |
| subject-digest: ${{ steps.push.outputs.digest }} | |
| push-to-registry: true |