From 68bb381ece3fca103ddb6f5c2197046de70be498 Mon Sep 17 00:00:00 2001 From: Tim Schumacher Date: Sat, 4 Jan 2025 13:24:14 +0100 Subject: [PATCH 1/8] docker: Bump docker/build-push-action to v6 --- .github/workflows/ci-docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml index deb811a2b..41454ae46 100644 --- a/.github/workflows/ci-docker.yml +++ b/.github/workflows/ci-docker.yml @@ -15,7 +15,7 @@ jobs: - name: Set up buildx uses: docker/setup-buildx-action@v3 - name: Build image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . platforms: linux/amd64,linux/arm64,linux/arm/v7,windows/amd64 From a82881b7d3a01f002c2cc15151f6c50ed5cdbc92 Mon Sep 17 00:00:00 2001 From: Tim Schumacher Date: Sat, 4 Jan 2025 13:33:23 +0100 Subject: [PATCH 2/8] docker: Tag and push images to GHCR automatically Co-authored-by: BrailleBennett Co-authored-by: TheSuperGamer20578 --- .github/workflows/ci-docker.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml index 41454ae46..691c8e813 100644 --- a/.github/workflows/ci-docker.yml +++ b/.github/workflows/ci-docker.yml @@ -5,6 +5,8 @@ on: [push, pull_request] jobs: build: runs-on: ubuntu-latest + permissions: + packages: write steps: - name: Checkout uses: actions/checkout@v4 
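Review bot: The job-level `permissions:` block added in PATCH 2/8 lists only `packages: write`, which sets every unlisted scope to none while the workflow still triggers on `pull_request`, so the write scope is requested for PR builds as well as pushes. Declare the read scope the checkout step relies on explicitly with `contents: read`, and add a comment such as `# packages: write is needed only for the ghcr.io push` so the grant is not widened casually later. The `build` job body continues outside this hunk.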
@@ -14,12 +16,25 @@ jobs: uses: docker/setup-qemu-action@v3 - name: Set up buildx uses: docker/setup-buildx-action@v3 + - name: Login to ghcr.io + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Generate version information + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository }} - name: Build image uses: docker/build-push-action@v6 with: context: . platforms: linux/amd64,linux/arm64,linux/arm/v7,windows/amd64 - push: false + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} pull: true cache-from: type=gha, scope=${{ github.workflow }} cache-to: type=gha, scope=${{ github.workflow }} From cc3d2af15f100d6b3a23a4cb252a40b67fe6e006 Mon Sep 17 00:00:00 2001 From: Tim Schumacher Date: Sat, 4 Jan 2025 13:45:19 +0100 Subject: [PATCH 3/8] docker: Generate build provenance attestations Co-authored-by: BrailleBennett Co-authored-by: TheSuperGamer20578 --- .github/workflows/ci-docker.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml index 691c8e813..82e152a9c 100644 --- a/.github/workflows/ci-docker.yml +++ b/.github/workflows/ci-docker.yml @@ -6,6 +6,8 @@ jobs: build: runs-on: ubuntu-latest permissions: + attestations: write + id-token: write packages: write steps: - name: Checkout @@ -28,6 +30,7 @@ jobs: with: images: ghcr.io/${{ github.repository }} - name: Build image + id: build uses: docker/build-push-action@v6 with: context: . @@ -38,3 +41,9 @@ jobs: pull: true cache-from: type=gha, scope=${{ github.workflow }} cache-to: type=gha, scope=${{ github.workflow }} + - name: Generate build provenance attestation + uses: actions/attest-build-provenance@v2 + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.build.outputs.digest }} + push-to-registry: true 
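Review bot: `docker/login-action@v3` and `docker/metadata-action@v5` are referenced by mutable tags in a job that now holds a `packages: write` token and hands `secrets.GITHUB_TOKEN` to the login step. A retagged release of either action would run with that token, so pin each to a full commit SHA with the version kept in a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha>  # v3`. The same applies to `docker/build-push-action@v6` in this hunk and to `actions/attest-build-provenance@v2` added in PATCH 3/8.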
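Review bot: `attestations: write` and `id-token: write` are added at job level in PATCH 3/8, so every step of `build`, including the third-party `docker/*` actions, runs in a job that is allowed to request an OIDC token, although only the final attestation step needs it. Consider moving `Generate build provenance attestation` into a follow-up job that `needs: build` and receives the digest through a job output, so these scopes are held only where they are used (that job would presumably still need `packages: write` for `push-to-registry: true`). If it stays in one job, a comment such as `# id-token/attestations: used only by attest-build-provenance` would document the intent.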
From ca3dfcdf17947b09b525fe593e2ac8bf17602a4c Mon Sep 17 00:00:00 2001 From: Tim Schumacher Date: Sat, 4 Jan 2025 14:04:57 +0100 Subject: [PATCH 4/8] docker: Push semver tags if a version tag is pushed --- .github/workflows/ci-docker.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml index 82e152a9c..cb09fc936 100644 --- a/.github/workflows/ci-docker.yml +++ b/.github/workflows/ci-docker.yml @@ -29,6 +29,14 @@ jobs: uses: docker/metadata-action@v5 with: images: ghcr.io/${{ github.repository }} + tags: | + type=schedule + type=ref,event=branch + type=ref,event=tag,enable=${{ !startsWith(github.ref, 'refs/tags/v') }} + type=ref,event=pr + type=semver,pattern={{version}},enable=${{ startsWith(github.ref, 'refs/tags/v') }} + type=semver,pattern={{major}}.{{minor}},enable=${{ startsWith(github.ref, 'refs/tags/v') }} + type=semver,pattern={{major}},enable=${{ startsWith(github.ref, 'refs/tags/v') }} - name: Build image id: build uses: docker/build-push-action@v6 From 660ec5bc601f075860f77d4330cf2c37fa2180c2 Mon Sep 17 00:00:00 2001 From: Tim Schumacher Date: Sat, 4 Jan 2025 14:14:38 +0100 Subject: [PATCH 5/8] docker: Restrict tagging 'latest' to version tags --- .github/workflows/ci-docker.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml index cb09fc936..6965c773d 100644 --- a/.github/workflows/ci-docker.yml +++ b/.github/workflows/ci-docker.yml @@ -37,6 +37,8 @@ jobs: type=semver,pattern={{version}},enable=${{ startsWith(github.ref, 'refs/tags/v') }} type=semver,pattern={{major}}.{{minor}},enable=${{ startsWith(github.ref, 'refs/tags/v') }} type=semver,pattern={{major}},enable=${{ startsWith(github.ref, 'refs/tags/v') }} + flavor: | + latest=${{ startsWith(github.ref, 'refs/tags/v') }} - name: Build image id: build uses: docker/build-push-action@v6 From cbdae5b15eedd5237199f0539ffc6d6b7d92e185 Mon Sep 17 00:00:00 2001 
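Review bot: `type=ref,event=branch` in PATCH 4/8 publishes the raw branch name as an image tag in the same namespace as the release tags generated by the `type=semver` rules, so a branch named like `latest`, `5` or `5.2` would publish over a tag that users pull as a release. Give branch builds their own prefix, e.g. `type=ref,event=branch,prefix=branch-`, or restrict the rule to the default branch. Separately, `type=schedule` cannot fire with the `on: [push, pull_request]` trigger shown in this series. A `v`-prefixed tag that is not valid semver appears to match none of the enabled rules, which deserves a comment or an explicit fallback.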
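Review bot: `latest=${{ startsWith(github.ref, 'refs/tags/v') }}` in PATCH 5/8 forces `latest` for every `v`-prefixed tag. As far as I can tell this includes pre-release tags and tags pushed later for an older release line, so `latest` can move to a build that is not the newest stable version. If that is not intended, tighten the condition, e.g. `latest=${{ startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-') }}`, and add a comment stating which tags are allowed to move `latest`.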
From: Tim Schumacher Date: Sat, 4 Jan 2025 14:29:40 +0100 Subject: [PATCH 6/8] Add a changelog entry for publishing to GHCR --- docs/changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/changelog.md b/docs/changelog.md index b19745463..b5303c5f4 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -93,6 +93,7 @@ Use past tense when adding new entries; sign your name off when you add or chang * Rewrote the `.dockerignore` file into a denylist. (@timschumi) * Added CI for Docker images. (@timschumi) * Fixed Cursed Flares kicking players for invalid buff. (@Arthri) +* Added automatic publishing of Docker images to GHCR. (@timschumi) ## TShock 5.2 * An additional option `pvpwithnoteam` is added at `PvPMode` to enable PVP with no team. (@CelestialAnarchy, #2617, @ATFGK) From d54711651b9f2732f8200db238c710561e126e2d Mon Sep 17 00:00:00 2001 From: Tim Schumacher Date: Sat, 4 Jan 2025 14:36:58 +0100 Subject: [PATCH 7/8] docker: Update documentation for officially provided Docker images --- docs/docker.md | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/docs/docker.md b/docs/docker.md index ca0185103..afc4bdfc9 100644 --- a/docs/docker.md +++ b/docs/docker.md 
@@ -14,32 +14,27 @@ Open ports can also be passed through using `-p :`. For Example: ```bash -# Building the image using buildx and loading it into docker -docker buildx build -t tshock:latest --load . - -# Running the image docker run -p 7777:7777 -p 7878:7878 \ -v /home/cider/tshock/:/tshock \ -v /home/cider/.local/share/Terraria/Worlds:/worlds \ -v /home/cider/tshock/plugins:/plugins \ - --rm -it tshock:latest \ + --rm -it ghcr.io/pryaxis/tshock:latest \ -world /worlds/backflip.wld -motd "OMFG DOCKER" ``` -## Building for Other Platforms +## Building custom images -Using `docker buildx`, you could build [multi-platform images](https://docs.docker.com/build/building/multi-platform/) for TShock. +Occasionally, it may be necessary to adjust TShock with customizations that are not included in the upstream project. +Therefore, these changes are also not available in the officially provided Docker images. + +To build and load a Docker image from your local checkout, use the following `buildx` command: -For Example: ```bash -# Building the image using buildx and loading it into docker -docker buildx build -t tshock:linux-arm64 --platform linux/arm64 --load . +docker buildx build -t tshock:latest --load . +``` -# Running the image -docker run -p 7777:7777 -p 7878:7878 \ - -v /home/cider/tshock/:/tshock \ - -v /home/cider/.local/share/Terraria/Worlds:/worlds \ - -v /home/cider/tshock/plugins:/plugins \ - --rm -it tshock:linux-arm64 \ - -world /worlds/backflip.wld -motd "ARM64 ftw" +It is also possible to build [multi-platform images](https://docs.docker.com/build/building/multi-platform/) for TShock (e.g. an image targeting `arm64`, on a host that is not `arm64`): + +```bash +docker buildx build -t tshock:linux-arm64 --platform linux/arm64 --load . ``` From 02ce8fdf0deac5c52a98070d9970fbd1b5654490 Mon Sep 17 00:00:00 2001 
From: Tim Schumacher Date: Sun, 5 Jan 2025 01:30:28 +0100 Subject: [PATCH 8/8] docker: Don't push to the registry for Pull Requests This requires more thought on how to handle secrets, and whether to just omit it permanently. --- .github/workflows/ci-docker.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml index 6965c773d..3d47d3c67 100644 --- a/.github/workflows/ci-docker.yml +++ b/.github/workflows/ci-docker.yml @@ -45,13 +45,14 @@ jobs: with: context: . platforms: linux/amd64,linux/arm64,linux/arm/v7,windows/amd64 - push: true + push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} pull: true cache-from: type=gha, scope=${{ github.workflow }} cache-to: type=gha, scope=${{ github.workflow }} - name: Generate build provenance attestation + if: ${{ github.event_name != 'pull_request' }} uses: actions/attest-build-provenance@v2 with: subject-name: ghcr.io/${{ github.repository }}
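Review bot: Only `push:` and the attestation step are gated on `github.event_name != 'pull_request'`. The `Login to ghcr.io` step and the job-level `packages: write`, `attestations: write` and `id-token: write` scopes added earlier in the series still apply to pull-request runs, which build code from the PR branch. Gate the login the same way with `if: ${{ github.event_name != 'pull_request' }}`, and consider splitting build and publish into separate jobs so the PR path runs with read-only permissions. The `with:` block of the attestation step continues outside this hunk.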