-
Notifications
You must be signed in to change notification settings - Fork 0
153 lines (129 loc) · 5.11 KB
/
publish-container.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Build & Publish Containers
on:
workflow_dispatch:
push:
branches:
- main
pull_request:
env:
REGISTRY: ghcr.io
jobs:
build:
if: github.repository_owner == 'Alwatr'
name: Build & Publish Containers
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- name: alpine
path: alpine
version:
short: 3
full: 3.17
- name: php
path: php/7.4-apache
version:
short: 7-apache
full: 7.4-apache
- name: php
path: php/7.4-fpm
version:
short: 7-fpm
full: 7.4-fpm
- name: php
path: php/8.2-fpm
version:
short: 8-fpm
full: 8.2-fpm
- name: wordpress
path: wordpress/php7.4
version:
short: 6-php7
full: 6.1-php7.4-fpm
- name: wordpress
path: wordpress/php8.2
version:
short: 6
full: 6.2-php8.2-fpm
permissions:
contents: read
packages: write
# actions: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
steps:
- name: ⤵️ Checkout repository
uses: actions/[email protected]
- name: ❔ Check Container files changed
id: file_change
uses: dorny/[email protected]
with:
filters: |
container_folder:
./${{ matrix.path }}/*
# - name: ❔ Stop if files not changed
# if: ${{ steps.file_change.outputs.container_folder != 'true' }}
# run: |
# gh run cancel ${{ github.run_id }}
# gh run watch ${{ github.run_id }}
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: 🏗 Extract Docker metadata
id: meta
if: ${{ steps.file_change.outputs.container_folder == 'true' }}
uses: docker/[email protected]
with:
github-token: ${{secrets.GITHUB_TOKEN}}
images: name=${{env.REGISTRY}}/${{github.repository_owner}}/${{matrix.name}}
tags: |
type=raw,value=${{matrix.version.short}}
type=raw,value=${{matrix.version.full}}
labels: |
org.opencontainers.image.title="alwatr/${{matrix.name}}"
org.opencontainers.image.authors="S. Ali Mihandoost <[email protected]> (https://ali.mihandoost.com), S. Amir Mohammad Najafi <[email protected]> (https://njfamirm.ir/)"
org.opencontainers.image.source="https://github.com/Alwatr/containers/tree/main/${{matrix.name}}"
org.opencontainers.image.licenses="MIT"
org.opencontainers.image.url="https://github.com/Alwatr/containers/tree/main/${{matrix.name}}"
org.opencontainers.image.documentation="https://github.com/Alwatr/containers/tree/main/${{matrix.name}}"
org.opencontainers.image.vendor="Alwatr"
- name: 🏗 Install cosign
if: ${{ github.event_name != 'pull_request' && steps.file_change.outputs.container_folder == 'true' }}
uses: sigstore/[email protected]
- name: 🏗 Setup Docker Buildx
if: ${{ steps.file_change.outputs.container_folder == 'true' }}
uses: docker/[email protected]
- name: 🏗 Cache Docker Layers
if: ${{ steps.file_change.outputs.container_folder == 'true' }}
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: container-${{ matrix.name }}
- name: 🏗 Log into registry ${{env.REGISTRY}}
if: ${{ github.event_name != 'pull_request' && steps.file_change.outputs.container_folder == 'true' }}
uses: docker/[email protected]
with:
registry: ${{env.REGISTRY}}
username: ${{github.repository_owner}}
password: ${{secrets.GITHUB_TOKEN}}
- name: 🚀 Build and push container image
if: ${{ steps.file_change.outputs.container_folder == 'true' }}
id: build_and_push
uses: docker/[email protected]
with:
context: ./${{matrix.path}}
push: ${{github.event_name != 'pull_request'}}
tags: ${{steps.meta.outputs.tags}}
labels: ${{steps.meta.outputs.labels}}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
# cache-from: type=gha
# cache-to: type=gha,mode=max
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
- name: 🏗 Sign the image with GitHub OIDC Token
if: ${{ github.event_name != 'pull_request' && steps.file_change.outputs.container_folder == 'true' }}
env:
COSIGN_EXPERIMENTAL: 'true'
run: echo "${{steps.meta.outputs.tags}}" | xargs -I {} cosign sign --yes {}@${{steps.build_and_push.outputs.digest}}