diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml new file mode 100644 index 00000000..bbd94e7d --- /dev/null +++ b/.github/workflows/docker-image.yml @@ -0,0 +1,173 @@ +# Inspired by https://github.com/sredevopsorg/multi-arch-docker-github-workflow +name: Docker Image CI + +on: + push: + tags: + - "v[0-9]+.[0-9]+.[0-9]+" + workflow_dispatch: + inputs: + upstream_tag: + description: "Upstream tag of nextcloud/notify_push to build" + required: false + +jobs: + build: + runs-on: ${{ matrix.runner }} + + permissions: + contents: read + packages: write + + strategy: + fail-fast: false + matrix: + include: + - platform: linux/amd64 + runner: ubuntu-latest + - platform: linux/arm64 + runner: ubuntu-24.04-arm + + steps: + - name: Checkout code + uses: actions/checkout@v6 + with: + repository: ${{ inputs.upstream_tag && 'nextcloud/notify_push' || github.repository }} + ref: ${{ inputs.upstream_tag || github.ref_name }} + + - name: Log in to GitHub Packages + uses: docker/login-action@v4 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v4 + + - name: Lower case docker image name + id: image + uses: ASzc/change-string-case-action@v8 + with: + string: ${{ github.repository }} + + - name: Sanitize upstream tag + if: inputs.upstream_tag != '' + id: tag + run: echo "value=${INPUT_TAG#v}" >> $GITHUB_OUTPUT + env: + INPUT_TAG: ${{ inputs.upstream_tag }} + + - name: Extract metadata + id: meta + uses: docker/metadata-action@v6 + with: + images: ghcr.io/${{ github.repository }} + tags: | + type=ref,event=tag + type=raw,value=latest + type=raw,value=${{ steps.tag.outputs.value }},enable=${{ inputs.upstream_tag != '' }} + + - name: Build and push by digest + id: build + uses: docker/build-push-action@v7 + with: + context: . + platforms: ${{ matrix.platform }} + labels: ${{ steps.meta.outputs.labels }} + outputs: type=image,name=ghcr.io/${{ steps.image.outputs.lowercase }},push-by-digest=true,name-canonical=true,push=true + cache-from: type=gha,scope=${{ matrix.platform }} + cache-to: type=gha,mode=max,scope=${{ matrix.platform }} + + - name: Export digest + run: | + mkdir -p /tmp/digests + touch "/tmp/digests/${DIGEST#sha256:}" + env: + DIGEST: ${{ steps.build.outputs.digest }} + + - name: Upload digest + uses: actions/upload-artifact@v7 + with: + name: digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }} + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 + + merge: + runs-on: ubuntu-latest + needs: build + + permissions: + contents: read + packages: write + + steps: + - name: Download digests + uses: actions/download-artifact@v8 + with: + path: /tmp/digests + pattern: digests-* + merge-multiple: true + + - name: Log in to GitHub Packages + uses: docker/login-action@v4 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v4 + + - name: Lower case docker image name + id: image + uses: ASzc/change-string-case-action@v8 + with: + string: ${{ github.repository }} + + - name: Sanitize upstream tag + if: inputs.upstream_tag != '' + id: tag + run: echo "value=${INPUT_TAG#v}" >> $GITHUB_OUTPUT + env: + INPUT_TAG: ${{ inputs.upstream_tag }} + + - name: Extract metadata + id: meta + uses: docker/metadata-action@v6 + with: + images: ghcr.io/${{ github.repository }} + tags: | + type=ref,event=tag + type=raw,value=latest + type=raw,value=${{ steps.tag.outputs.value }},enable=${{ inputs.upstream_tag != '' }} + + - name: Get timestamp + id: timestamp + run: echo "timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_OUTPUT + + - name: Create and push manifest + id: manifest + working-directory: /tmp/digests + continue-on-error: true + run: | + docker buildx imagetools create \ + $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + --annotation='index:org.opencontainers.image.description=${{ github.event.repository.description }}' \ + --annotation='index:org.opencontainers.image.created=${{ steps.timestamp.outputs.timestamp }}' \ + --annotation='index:org.opencontainers.image.url=${{ github.event.repository.url }}' \ + --annotation='index:org.opencontainers.image.source=${{ github.event.repository.url }}' \ + $(printf 'ghcr.io/${{ steps.image.outputs.lowercase }}@sha256:%s ' *) + + - name: Create and push manifest (without annotations) + if: steps.manifest.outcome == 'failure' + working-directory: /tmp/digests + run: | + docker buildx imagetools create \ + $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf 'ghcr.io/${{ steps.image.outputs.lowercase }}@sha256:%s ' *) + + - name: Inspect manifest + run: | + docker buildx imagetools inspect 'ghcr.io/${{ steps.image.outputs.lowercase }}:${{ steps.meta.outputs.version }}'