mirror of
https://github.com/Arlind-dev/sulej.ch.git
synced 2025-12-01 09:35:13 +01:00
Arlind Sulejmani
5f19f10ad0
chore(ci): enable provenance and enrich OCI metadata for docker images chore(ci): align dev and prod docker builds with multi-arch release chore(ci): enable provenance mode=max for image build chore(ci): fix multi-arch build to support provenance mode=max chore(docker): install corepack in build image with npm chore(ci): use action for gpg import
211 lines
6.7 KiB
YAML
211 lines
6.7 KiB
YAML
name: Semantic Release, Build & Deploy
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- '**'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
release:
|
|
runs-on: ubuntu-24.04
|
|
if: github.ref == 'refs/heads/main'
|
|
timeout-minutes: 20
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
outputs:
|
|
new_release_published: ${{ steps.semantic.outputs.new_release_published }}
|
|
new_release_version: ${{ steps.semantic.outputs.new_release_version }}
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Import GPG key and configure signing
|
|
uses: crazy-max/ghaction-import-gpg@v6
|
|
with:
|
|
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
|
|
passphrase: ${{ secrets.GPG_PASSPHRASE }}
|
|
git_user_signingkey: true
|
|
git_commit_gpgsign: true
|
|
git_config_global: true
|
|
|
|
- name: Configure git user
|
|
run: |
|
|
git config --global user.name "Arlind-dev"
|
|
git config --global user.email "arlind@sulej.ch"
|
|
|
|
- name: Run semantic-release
|
|
id: semantic
|
|
uses: cycjimmy/semantic-release-action@v5
|
|
with:
|
|
extra_plugins: |
|
|
@semantic-release/changelog
|
|
@semantic-release/git
|
|
@semantic-release/github
|
|
@semantic-release/commit-analyzer
|
|
@semantic-release/release-notes-generator
|
|
conventional-changelog-conventionalcommits
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
GIT_AUTHOR_NAME: Arlind-dev
|
|
GIT_COMMITTER_NAME: Arlind-dev
|
|
GIT_AUTHOR_EMAIL: arlind@sulej.ch
|
|
GIT_COMMITTER_EMAIL: arlind@sulej.ch
|
|
|
|
docker-prod:
|
|
runs-on: ubuntu-24.04
|
|
needs: [release]
|
|
if: github.ref == 'refs/heads/main' && needs.release.outputs.new_release_published == 'true'
|
|
timeout-minutes: 60
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Log in to GitHub Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Prepare build metadata
|
|
id: meta
|
|
run: |
|
|
echo "owner_lc=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"
|
|
echo "build_date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
|
|
|
|
|
|
|
|
- name: Build and push build-stage image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: Dockerfile.build
|
|
platforms: linux/amd64
|
|
push: true
|
|
provenance: mode=max
|
|
sbom: true
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
outputs: type=registry,oci-mediatypes=true
|
|
tags: |
|
|
ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:build-latest
|
|
ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:build-${{ needs.release.outputs.new_release_version }}
|
|
|
|
- name: Build and push main image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: Dockerfile
|
|
platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6,linux/386,linux/ppc64le,linux/riscv64,linux/s390x
|
|
push: true
|
|
provenance: mode=max
|
|
sbom: true
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
outputs: type=registry,oci-mediatypes=true
|
|
build-args: |
|
|
BUILD_IMAGE=ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:build-${{ needs.release.outputs.new_release_version }}
|
|
tags: |
|
|
ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:latest
|
|
ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:${{ needs.release.outputs.new_release_version }}
|
|
|
|
docker-dev:
|
|
runs-on: ubuntu-24.04
|
|
if: github.ref != 'refs/heads/main'
|
|
timeout-minutes: 60
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Log in to GitHub Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Prepare metadata and branch vars
|
|
id: meta
|
|
run: |
|
|
echo "owner_lc=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"
|
|
BRANCH_NAME=${GITHUB_REF#refs/heads/}
|
|
SANITIZED_BRANCH=$(echo "$BRANCH_NAME" | tr '/' '-' | tr '_' '-' | tr -cd '[:alnum:]-')
|
|
echo "sanitized_branch=$SANITIZED_BRANCH" >> "$GITHUB_OUTPUT"
|
|
echo "sha_short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
|
|
echo "build_date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
|
|
|
|
|
|
|
|
- name: Build and push build-stage image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: Dockerfile.build
|
|
platforms: linux/amd64
|
|
push: true
|
|
provenance: mode=max
|
|
sbom: true
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
outputs: type=registry,oci-mediatypes=true
|
|
tags: |
|
|
ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:build-${{ steps.meta.outputs.sanitized_branch }}-${{ steps.meta.outputs.sha_short }}
|
|
|
|
- name: Build and push main image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: Dockerfile
|
|
platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6,linux/386,linux/ppc64le,linux/riscv64,linux/s390x
|
|
push: true
|
|
provenance: mode=max
|
|
sbom: true
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
outputs: type=registry,oci-mediatypes=true
|
|
build-args: |
|
|
BUILD_IMAGE=ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:build-${{ steps.meta.outputs.sanitized_branch }}-${{ steps.meta.outputs.sha_short }}
|
|
tags: |
|
|
ghcr.io/${{ steps.meta.outputs.owner_lc }}/${{ vars.IMAGE_NAME }}:${{ steps.meta.outputs.sanitized_branch }}-${{ steps.meta.outputs.sha_short }}
|
|
|
|
deploy:
|
|
runs-on: ubuntu-24.04
|
|
needs: release
|
|
if: github.ref == 'refs/heads/main'
|
|
timeout-minutes: 10
|
|
|
|
permissions:
|
|
contents: read
|
|
steps:
|
|
- name: Trigger Cloudflare Pages deploy
|
|
run: |
|
|
curl -X POST "${{ secrets.CF_DEPLOY_HOOK_URL }}"
|