
Commit 3c19184

MagicalTuxclaude
andcommitted
CI: publish the container image to GHCR (manual + after each release)
New docker.yml builds the Dockerfile and pushes ghcr.io/karpeleslab/decryptd :<version> + :latest. Triggers: * workflow_dispatch — build any existing release on demand (blank tag = latest), so the image can be published without cutting a new version; * workflow_run after "Release" — new releases also ship an image. It pulls the pinned release asset, so it runs after the release exists (never a bare tag push, which would 404). Uses the built-in GITHUB_TOKEN with packages: write; checkout@v6. Dockerfile download gains --retry. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 503b1c9 commit 3c19184

2 files changed

Lines changed: 70 additions & 1 deletion


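--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,68 @@
+name: Docker
+
+# Build the container image and push it to GHCR, tagged with the release version
+# and `latest`. Two triggers:
+# * manual — run it for any existing release (blank tag = the latest release);
+# * automatic — after the Release workflow finishes, so a new release also ships
+# an image.
+# The image pulls the pinned release asset (`.../download/<tag>/...`), which the
+# Release must have published first — hence "after Release", never a bare tag push.
+on:
+workflow_dispatch:
+inputs:
+tag:
+description: "Release tag to build (e.g. v0.1.19). Blank = latest release."
+required: false
+type: string
+workflow_run:
+workflows: ["Release"]
+types: [completed]
+
+permissions:
+contents: read
+packages: write
+
+jobs:
+publish:
+name: Build & push to GHCR
+runs-on: ubuntu-latest
+# On the automatic trigger, only proceed if the Release actually succeeded.
+if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+steps:
+- uses: actions/checkout@v6
+- uses: docker/setup-buildx-action@v3
+- name: Log in to GHCR
+uses: docker/login-action@v3
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+- name: Resolve tag + release asset URL
+id: meta
+env:
+GH_TOKEN: ${{ github.token }}
+run: |
+if [ "${{ github.event_name }}" = "workflow_run" ]; then
+tag="${{ github.event.workflow_run.head_branch }}"
+else
+tag="${{ inputs.tag }}"
+fi
+# Fall back to the newest release (covers a blank manual input, and a
+# workflow_run whose head_branch isn't the tag).
+if [ -z "$tag" ]; then
+tag="$(gh release view --repo "$GITHUB_REPOSITORY" --json tagName -q .tagName)"
+fi
+repo="ghcr.io/${GITHUB_REPOSITORY,,}" # GHCR names are lowercase
+ver="${tag#v}" # v0.1.19 -> 0.1.19
+echo "building $repo for $tag"
+echo "tags=${repo}:${ver},${repo}:latest" >> "$GITHUB_OUTPUT"
+echo "asset=https://github.com/${GITHUB_REPOSITORY}/releases/download/${tag}/decryptd-linux-x86_64.tar.gz" >> "$GITHUB_OUTPUT"
+- name: Build & push
+uses: docker/build-push-action@v6
+with:
+context: .
+platforms: linux/amd64
+push: true
+tags: ${{ steps.meta.outputs.tags }}
+build-args: |
+DECRYPTD_URL=${{ steps.meta.outputs.asset }}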
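Review bot: The "Resolve tag + release asset URL" step pastes `${{ github.event.workflow_run.head_branch }}` and `${{ inputs.tag }}` straight into the `run:` script, so the values are expanded into shell source before bash parses it, inside a job that holds `packages: write` and an authenticated GHCR session. Whether the Release workflow can run for a ref that a non-maintainer names is not visible here, so the ref name should be treated as untrusted: pass both values through `env:` and read them as ordinary shell variables. The resolved tag also flows unchecked into `$GITHUB_OUTPUT`, the image tag and the download URL, so anything outside a plain tag character set should be rejected before use. Separately, the four `uses:` lines pin actions by mutable tag (`@v6`, `@v3`) rather than by commit SHA, which leaves the publishing job dependent on whatever those tags point to at run time.

```yaml
      - name: Resolve tag + release asset URL
        id: meta
        env:
          GH_TOKEN: ${{ github.token }}
          RUN_BRANCH: ${{ github.event.workflow_run.head_branch }}
          INPUT_TAG: ${{ inputs.tag }}
        run: |
          if [ "${{ github.event_name }}" = "workflow_run" ]; then
            tag="$RUN_BRANCH"
          else
            tag="$INPUT_TAG"
          fi
          # … unchanged: fall back to the newest release when tag is empty …
          case "$tag" in
            ''|*[!A-Za-z0-9._-]*)
              echo "refusing unexpected tag value" >&2
              exit 1
              ;;
          esac
          # … unchanged: compute repo/ver, write tags and asset to GITHUB_OUTPUT …
```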

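--- a/Dockerfile
+++ b/Dockerfile
@@ -31,7 +31,8 @@ ARG DECRYPTD_URL=https://github.com/KarpelesLab/decryptd/releases/latest/downloa
 RUN set -eux; \
 apt-get update; \
 apt-get install -y --no-install-recommends ca-certificates curl; \
-curl -fSL "$DECRYPTD_URL" | tar -xz --no-same-owner -C /usr/local/bin decryptd; \
+curl -fSL --retry 5 --retry-delay 3 --retry-all-errors "$DECRYPTD_URL" \
+| tar -xz --no-same-owner -C /usr/local/bin decryptd; \
 chmod +x /usr/local/bin/decryptd; \
 apt-get purge -y --auto-remove curl ca-certificates; \
 rm -rf /var/lib/apt/lists/*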
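Review bot: `--retry-all-errors` on the new curl line is combined with output piped into `tar`, which is the case curl's documentation warns about: data already written to a pipe is not reset before a retry, so tar can receive a partial stream followed by a restarted one. Downloading to a file first avoids that, e.g. `curl -fSL --retry 5 --retry-delay 3 --retry-all-errors -o /tmp/decryptd.tar.gz "$DECRYPTD_URL"; \` followed by `tar -xzf /tmp/decryptd.tar.gz --no-same-owner -C /usr/local/bin decryptd; \` and `rm -f /tmp/decryptd.tar.gz; \`. A file on disk also gives the build a place to check the archive against a published digest before extraction, which matters more now that the result is pushed to a registry; nothing in the visible lines verifies it. The `ARG DECRYPTD_URL` declaration sits above the hunk and is only partly visible in the hunk header.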
