-
Notifications
You must be signed in to change notification settings - Fork 2
88 lines (78 loc) · 3.27 KB
/
Copy pathdocker.yml
File metadata and controls
88 lines (78 loc) · 3.27 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# Docker image build + publish to ghcr.io.
#
# Triggers:
# - push to `main` → publish `latest` + `sha-<sha>`
# - tag push `v*` → publish `v<tag>` + `latest`
# - workflow_dispatch (manual) → publish `manual-<run_id>`
# - pull_request to `main` → build only, no push (CI smoke)
#
# Image: ghcr.io/<owner>/nullis-shepherd
# Auth: GITHUB_TOKEN (scoped to packages:write below).
#
# Pinned action SHAs match the style of `.github/workflows/ci.yml`.
name: docker
on:
push:
branches: [main]
tags: ["v*"]
pull_request:
branches: [main]
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
packages: write
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build-and-push:
name: build + push (${{ github.event_name }})
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Docker buildx
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
- name: Log in to ghcr.io
if: github.event_name != 'pull_request'
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Compute image metadata
id: meta
uses: docker/metadata-action@dc802804100637a589fabce1cb79ff13a1411302 # v6.2.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
# `latest` on push to main, independent of which branch is default.
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
type=ref,event=tag
# `sha-<short>` on every event so a soak run can pin an
# exact build.
type=sha,prefix=sha-,format=short
# manual-<run_id> for workflow_dispatch.
type=raw,value=manual-${{ github.run_id }},enable=${{ github.event_name == 'workflow_dispatch' }}
# `pr-<n>` on pull-request builds so the smoke artefact
# is identifiable. PR builds are NOT pushed (see `push:`).
type=ref,event=pr,prefix=pr-
- name: Build + push
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
with:
context: .
file: ./Dockerfile
# Push on every non-PR event; PR builds are local-only smoke.
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# Layer cache via the registry: the previous successful
# build's intermediate layers are reused so a Cargo.toml-only
# change re-compiles only the changed crate.
cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache
cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache,mode=max,ignore-error=true
# `amd64` is enough for the soak VM. Add `arm64` once an
# operator surfaces a real need; multi-arch ~2x the build.
platforms: linux/amd64