Arlind/sulej.ch
1
0
Fork 0
mirror of https://github.com/Arlind-dev/sulej.ch.git synced 2025-12-01 17:35:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

chore(ci): rework image creation add a dev build

Browse Source 
chore(ci): enable provenance and enrich OCI metadata for docker images

chore(ci): align dev and prod docker builds with multi-arch release

chore(ci): enable provenance mode=max for image build

chore(ci): fix multi-arch build to support provenance mode=max

chore(docker): install corepack in build image with npm

chore(ci): use action for gpg import
This commit is contained in:
Arlind
2025-10-16 16:13:38 +02:00
parent 1601d979df
commit 5f19f10ad0
3 changed files with 127 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

156
.github/workflows/main.yml vendored
View File

@@ -5,15 +5,21 @@ on:
branches:
- '**'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: write
packages: write
id-token: write
contents: read
jobs:
release:
runs-on: ubuntu-24.04
if: github.ref == 'refs/heads/main'
timeout-minutes: 20
permissions:
contents: write
outputs:
new_release_published: ${{ steps.semantic.outputs.new_release_published }}
@@ -24,27 +30,20 @@ jobs:
uses: actions/checkout@v5
with:
fetch-depth: 0
- name: Import GPG key and configure signing
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
git_config_global: true
- name: Configure git user
run: |
echo "$GPG_PRIVATE_KEY" | gpg --batch --import
KEY_ID=$(gpg --list-secret-keys --keyid-format LONG | grep sec | tail -n1 | awk '{print $2}' | cut -d'/' -f2)
echo "use-agent" >> ~/.gnupg/gpg.conf
echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
git config --global user.signingkey "$KEY_ID"
git config --global commit.gpgsign true
git config --global gpg.program gpg
git config --global gpg.format openpgp
export GPG_TTY=$(tty)
echo "test" | gpg --batch --yes --passphrase "$GPG_PASSPHRASE" --pinentry-mode loopback -u "$KEY_ID" -s >/dev/null
echo "Using GPG key: $KEY_ID"
git config --global user.name "Arlind-dev"
git config --global user.email "arlind@sulej.ch"
- name: Run semantic-release
id: semantic
@@ -59,14 +58,20 @@ jobs:
conventional-changelog-conventionalcommits
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GIT_AUTHOR_NAME: semantic-release-bot
GIT_COMMITTER_NAME: semantic-release-bot
GIT_AUTHOR_NAME: Arlind-dev
GIT_COMMITTER_NAME: Arlind-dev
GIT_AUTHOR_EMAIL: arlind@sulej.ch
GIT_COMMITTER_EMAIL: arlind@sulej.ch
docker:
docker-prod:
runs-on: ubuntu-24.04
needs: release
needs: [release]
if: github.ref == 'refs/heads/main' && needs.release.outputs.new_release_published == 'true'
timeout-minutes: 60
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
@@ -82,8 +87,13 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Normalize repository owner to lowercase
run: echo "OWNER_LC=${GITHUB_REPOSITORY_OWNER,,}" >> $GITHUB_ENV
- name: Prepare build metadata
id: meta
run: |
echo "owner_lc=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"
echo "build_date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
- name: Build and push build-stage image
uses: docker/build-push-action@v6
@@ -92,32 +102,108 @@ jobs:
file: Dockerfile.build
platforms: linux/amd64
push: true
provenance: false
provenance: mode=max
sbom: true
cache-from: type=gha
cache-to: type=gha,mode=max
outputs: type=registry,oci-mediatypes=true
tags: |
ghcr.io/${{ env.OWNER_LC }}/${{ vars.IMAGE_NAME }}:build-latest
ghcr.io/${{ env.OWNER_LC }}/${{ vars.IMAGE_NAME }}:build-${{ needs.release.outputs.new_release_version }}
ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:build-latest
ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:build-${{ needs.release.outputs.new_release_version }}
- name: Build and push main image
uses: docker/build-push-action@v6
with:
context: .
file: Dockerfile
platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6,linux/386,linux/ppc64le,linux/riscv64,linux/s390x
push: true
provenance: false
provenance: mode=max
sbom: true
cache-from: type=gha
cache-to: type=gha,mode=max
outputs: type=registry,oci-mediatypes=true
build-args: |
BUILD_IMAGE=ghcr.io/${{ env.OWNER_LC }}/${{ vars.IMAGE_NAME }}:build-latest
BUILD_IMAGE=ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:build-${{ needs.release.outputs.new_release_version }}
tags: |
ghcr.io/${{ env.OWNER_LC }}/${{ vars.IMAGE_NAME }}:latest
ghcr.io/${{ env.OWNER_LC }}/${{ vars.IMAGE_NAME }}:${{ needs.release.outputs.new_release_version }}
ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:latest
ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:${{ needs.release.outputs.new_release_version }}
docker-dev:
runs-on: ubuntu-24.04
if: github.ref != 'refs/heads/main'
timeout-minutes: 60
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v5
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Prepare metadata and branch vars
id: meta
run: |
echo "owner_lc=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"
BRANCH_NAME=${GITHUB_REF#refs/heads/}
SANITIZED_BRANCH=$(echo "$BRANCH_NAME" | tr '/' '-' | tr '_' '-' | tr -cd '[:alnum:]-')
echo "sanitized_branch=$SANITIZED_BRANCH" >> "$GITHUB_OUTPUT"
echo "sha_short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
echo "build_date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
- name: Build and push build-stage image
uses: docker/build-push-action@v6
with:
context: .
file: Dockerfile.build
platforms: linux/amd64
push: true
provenance: mode=max
sbom: true
cache-from: type=gha
cache-to: type=gha,mode=max
outputs: type=registry,oci-mediatypes=true
tags: |
ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:build-${{ steps.meta.outputs.sanitized_branch }}-${{ steps.meta.outputs.sha_short }}
- name: Build and push main image
uses: docker/build-push-action@v6
with:
context: .
file: Dockerfile
platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6,linux/386,linux/ppc64le,linux/riscv64,linux/s390x
push: true
provenance: mode=max
sbom: true
cache-from: type=gha
cache-to: type=gha,mode=max
outputs: type=registry,oci-mediatypes=true
build-args: |
BUILD_IMAGE=ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:build-${{ steps.meta.outputs.sanitized_branch }}-${{ steps.meta.outputs.sha_short }}
tags: |
ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:${{ steps.meta.outputs.sanitized_branch }}-${{ steps.meta.outputs.sha_short }}
deploy:
runs-on: ubuntu-24.04
needs: release
if: github.ref == 'refs/heads/main'
timeout-minutes: 10
permissions:
contents: read
steps:
- name: Trigger Cloudflare Pages deploy
run: |