update docker.yml to create and publish a docker image to dockerhub

2026-02-23 18:54:19 -08:00
parent d83da1b818
commit 44a0c44036
1 changed files with 26 additions and 120 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -11,144 +11,50 @@ on:
      - "!.github/workflows/**"
      - ".github/workflows/docker.yml"
    branches:
-      - "main"
+      - "dock-dev"
    tags:
      - "v?[0-9]+.[0-9]+.[0-9]*"
  workflow_dispatch:
 env:
  REGISTRY: ghcr.io
 jobs:
-  prepare:
+  push_to_registry:
    name: Push Docker image to Docker Hub
    runs-on: ubuntu-latest
    outputs:
      image-name: ${{ steps.image.outputs.name }}
      tags: ${{ steps.meta.outputs.tags }}
      labels: ${{ steps.meta.outputs.labels }}
      package-name: ${{ steps.package.outputs.name }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Set lowercase image name
        id: image
        run: |
          echo "name=${GITHUB_REPOSITORY,,}" >> $GITHUB_OUTPUT
      - name: Set package name
        id: package
        run: |
          echo "name=$(basename ${GITHUB_REPOSITORY,,})" >> $GITHUB_OUTPUT
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}
          tags: |
            type=ref,event=branch,enable={{is_not_default_branch}}
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=nightly,enable={{is_default_branch}}
      - name: Compute final tags
        id: final-tags
        run: |
          readarray -t tags <<< "${{ steps.meta.outputs.tags }}"
          if [[ "${{ github.ref_type }}" == "tag" ]]; then
            tag="${{ github.ref_name }}"
            if [[ "$tag" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              full_latest="${{ env.REGISTRY }}/${{ steps.image.outputs.name }}:latest"
              # Check if latest is already in tags to avoid duplicates
              if ! printf '%s\n' "${tags[@]}" | grep -q "^$full_latest$"; then
                tags+=("$full_latest")
              fi
            fi
          fi
          # Set multiline output
          echo "tags<<EOF" >> $GITHUB_OUTPUT
          printf '%s\n' "${tags[@]}" >> $GITHUB_OUTPUT
          echo "EOF" >> $GITHUB_OUTPUT
  build:
    needs: prepare
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read
      packages: write
-    strategy:
+      contents: read
-      matrix:
+      attestations: write
-        include:
+      id-token: write
          - platform: amd64
            runner: ubuntu-latest
            suffix: amd64
            cache-scope: amd64
          - platform: arm64
            runner: ubuntu-24.04-arm
            suffix: arm64
            cache-scope: arm64
    steps:
-      - name: Checkout repository
+      - name: Check out the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
-      - name: Set up Docker Buildx
+      - name: Log in to Docker Hub
-        uses: docker/setup-buildx-action@v3
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
-          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.DOCKERHUB_USER }}
-          username: ${{ github.actor }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Compute suffixed tags
+      - name: Extract metadata (tags, labels) for Docker
-        id: tags
+        id: meta
-        run: |
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
-          readarray -t tags <<< "${{ needs.prepare.outputs.tags }}"
+        with:
-          suffixed=()
+          images: ubufugu/dockipelago
          for t in "${tags[@]}"; do
            suffixed+=("$t-${{ matrix.suffix }}")
          done
          echo "tags=$(IFS=','; echo "${suffixed[*]}")" >> $GITHUB_OUTPUT
      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        id: push
        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/${{ matrix.platform }}
          push: true
-          tags: ${{ steps.tags.outputs.tags }}
+          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ needs.prepare.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha,scope=${{ matrix.cache-scope }}
          cache-to: type=gha,mode=max,scope=${{ matrix.cache-scope }}
          provenance: false
-  manifest:
+      - name: Generate artifact attestation
-    needs: [prepare, build]
+        uses: actions/attest-build-provenance@v3
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
-          registry: ${{ env.REGISTRY }}
+          subject-name: index.docker.io/ubufugu/dockipelago
-          username: ${{ github.actor }}
+          subject-digest: ${{ steps.push.outputs.digest }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          push-to-registry: true
      - name: Create and push multi-arch manifest
        run: |
          readarray -t tag_array <<< "${{ needs.prepare.outputs.tags }}"
          for tag in "${tag_array[@]}"; do
            docker manifest create "$tag" \
              "$tag-amd64" \
              "$tag-arm64"
            docker manifest push "$tag"
          done