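---
# Release & Deploy Docker
#
# Pipeline on pushes to main: semantic-release computes and publishes the next
# version (GPG-signed commit) -> a build-stage image and the multi-arch runtime
# image are pushed to ghcr.io -> a Cloudflare Pages deploy hook is called.
#
# NOTE(review): every `uses:` below is pinned to a major tag (@v5, @v3, @v6).
# Pinning to a full commit SHA (kept current by Dependabot/Renovate) removes the
# risk of a moved tag pulling different action code into this release path.
name: Release & Deploy Docker

on:
  push:
    branches:
      - '**'

# Default to no GITHUB_TOKEN scopes; each job requests only what it actually
# uses. (The previous workflow-wide `id-token: write` was granted to every job
# but nothing here requests an OIDC token; re-add it per job if signing or
# keyless attestation is introduced.)
permissions: {}

# Serialize runs per ref: two quick pushes to main must not run semantic-release
# concurrently, since it reads the tag list and then pushes a version commit/tag.
# Queue rather than cancel, so an in-flight release is never interrupted.
concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

jobs:
  release:
    runs-on: ubuntu-24.04
    if: github.ref == 'refs/heads/main'
    permissions:
      contents: write  # semantic-release pushes the version commit, the tag and the GitHub release
    outputs:
      new_release_published: ${{ steps.semantic.outputs.new_release_published }}
      new_release_version: ${{ steps.semantic.outputs.new_release_version }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          fetch-depth: 0  # full history + tags are required to determine the next version

      - name: Import GPG key and configure signing
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          echo "$GPG_PRIVATE_KEY" | gpg --batch --import
          # Long (16 hex) key id of the last imported secret key.
          KEY_ID=$(gpg --list-secret-keys --keyid-format LONG | grep sec | tail -n1 | awk '{print $2}' | cut -d'/' -f2)
          # Fail here with a clear message instead of letting git sign with an empty key id.
          if [ -z "$KEY_ID" ]; then
            echo "::error::no secret key found after import; check the GPG_PRIVATE_KEY secret"
            exit 1
          fi
          # Non-interactive pinentry so gpg can take the passphrase without a terminal.
          echo "use-agent" >> ~/.gnupg/gpg.conf
          echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
          echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
          git config --global user.signingkey "$KEY_ID"
          git config --global commit.gpgsign true
          git config --global gpg.program gpg
          git config --global gpg.format openpgp
          # There is no tty on a hosted runner; this is harmless but lets gpg stop complaining.
          export GPG_TTY=$(tty)
          # Sign a throwaway message now: this verifies the passphrase early (and is
          # presumably what lets gpg-agent cache it for semantic-release's later
          # `git commit -S`) rather than failing deep inside the release step.
          echo "test" | gpg --batch --yes --passphrase "$GPG_PASSPHRASE" --pinentry-mode loopback -u "$KEY_ID" -s >/dev/null
          echo "Using GPG key: $KEY_ID"

      - name: Run semantic-release
        id: semantic
        uses: cycjimmy/semantic-release-action@v5
        with:
          extra_plugins: |
            @semantic-release/changelog
            @semantic-release/git
            @semantic-release/github
            @semantic-release/commit-analyzer
            @semantic-release/release-notes-generator
            conventional-changelog-conventionalcommits
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GIT_AUTHOR_NAME: semantic-release-bot
          GIT_COMMITTER_NAME: semantic-release-bot
          GIT_AUTHOR_EMAIL: arlind@sulej.ch
          GIT_COMMITTER_EMAIL: arlind@sulej.ch

  docker:
    runs-on: ubuntu-24.04
    needs: release
    # Only build images for a push to main that actually produced a new version.
    if: github.ref == 'refs/heads/main' && needs.release.outputs.new_release_published == 'true'
    permissions:
      contents: read   # checkout only
      packages: write  # push to ghcr.io
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Normalize repository owner to lowercase
        # ghcr.io image paths must be lowercase; the repository owner may not be.
        run: echo "OWNER_LC=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_ENV"

      - name: Build and push build-stage image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile.build
          platforms: linux/amd64
          push: true
          # provenance: false skips the BuildKit attestation manifests; presumably kept
          # off so the pushed tag stays a plain image (index) for downstream tooling.
          provenance: false
          cache-from: type=gha
          cache-to: type=gha,mode=max
          tags: |
            ghcr.io/${{ env.OWNER_LC }}/${{ vars.IMAGE_NAME }}:build-latest
            ghcr.io/${{ env.OWNER_LC }}/${{ vars.IMAGE_NAME }}:build-${{ needs.release.outputs.new_release_version }}

      - name: Build and push main image
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6,linux/386,linux/ppc64le,linux/riscv64,linux/s390x
          push: true
          provenance: false
          cache-from: type=gha
          cache-to: type=gha,mode=max
          # Consume the versioned build-stage tag pushed by the previous step, not the
          # moving `build-latest` tag, so this image is built from exactly the stage
          # produced in this run and the build is reproducible per version.
          build-args: |
            BUILD_IMAGE=ghcr.io/${{ env.OWNER_LC }}/${{ vars.IMAGE_NAME }}:build-${{ needs.release.outputs.new_release_version }}
          tags: |
            ghcr.io/${{ env.OWNER_LC }}/${{ vars.IMAGE_NAME }}:latest
            ghcr.io/${{ env.OWNER_LC }}/${{ vars.IMAGE_NAME }}:${{ needs.release.outputs.new_release_version }}

  deploy:
    runs-on: ubuntu-24.04
    needs: release
    # always(): run after `release` even when it was skipped (non-main push) or failed.
    # NOTE(review): combined with the '**' branch trigger this calls the Pages hook on
    # every push to every branch; confirm that is intended rather than main-only.
    if: always()
    permissions: {}  # this job never uses GITHUB_TOKEN
    steps:
      - name: Trigger Cloudflare Pages deploy
        env:
          # Pass the secret through the environment instead of interpolating it
          # into the script text.
          CF_DEPLOY_HOOK_URL: ${{ secrets.CF_DEPLOY_HOOK_URL }}
        run: |
          # --fail: an HTTP 4xx/5xx from the hook fails the step instead of passing silently.
          curl --fail --silent --show-error -X POST "$CF_DEPLOY_HOOK_URL"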