2929 branches :
3030 - main
3131 - ' release-*'
32+
3233jobs :
3334 build_image :
3435 runs-on : ubuntu-latest
@@ -40,38 +41,80 @@ jobs:
4041 uses : actions/checkout@v4
4142
4243 - name : Set up QEMU
43- uses : docker/setup-qemu-action@v3
44- with :
45- image : tonistiigi/binfmt:qemu-v7.0.0
46- platforms : all
44+ # Replaces docker/setup-qemu-action.
45+ # Keep this because docker-bake.hcl builds both amd64 and arm64.
46+ run : |
47+ docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0 --install all
4748
4849 - name : Set up Docker Build
49- uses : docker/setup-buildx-action@v3
50+ # Replaces docker/setup-buildx-action.
51+ # Create a named builder and bootstrap it so bake can use multi-platform builds.
52+ run : |
53+ docker buildx create --name builder --use || docker buildx use builder
54+ docker buildx inspect --bootstrap
5055
5156 - name : Log in to the Container registry
52- uses : docker/login-action@v3
53- with :
54- registry : ghcr.io
55- username : ${{ github.actor }}
56- password : ${{ secrets.GITHUB_TOKEN }}
57+ # Replaces docker/login-action.
58+ # PRs do not push images, so skip login there.
59+ if : github.event_name != 'pull_request'
60+ run : |
61+ echo " ${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
5762
5863 - name : Extract metadata (tags, labels) for Docker
5964 id : meta
60- uses : docker/metadata-action@v5
61- with :
62- images : |
63- ghcr.io/${{ github.repository }}
64- tags : |
65- type=raw,value=main,enable=${{ github.ref == 'refs/heads/main' }}
66- type=sha,prefix=,format=short
67- type=semver,pattern={{version}}
68- type=semver,pattern={{major}}.{{minor}}
65+ # Replaces docker/metadata-action.
66+ #
67+ # The original workflow only consumed meta.outputs.bake-file.
68+ # We keep the same contract by generating a small temporary bake file
69+ # that augments the `docker-metadata-action` target defined in docker-bake.hcl.
70+ #
71+ # This preserves the existing `docker buildx bake -f ... -f ... bake-platform`
72+ # flow with a minimal diff.
73+ shell : bash
74+ run : |
75+ set -euo pipefail
76+
77+ BAKE_FILE="$(mktemp)"
78+ IMAGE="ghcr.io/${GITHUB_REPOSITORY}"
79+ SHORT_SHA="${GITHUB_SHA::7}"
80+
81+ TAGS=()
82+ TAGS+=("\"${IMAGE}:${SHORT_SHA}\"")
83+
84+ # Match the original raw tag on the main branch.
85+ if [[ "${GITHUB_REF}" == "refs/heads/main" ]]; then
86+ TAGS+=("\"${IMAGE}:main\"")
87+ fi
88+
89+ # Note: the original type=semver patterns are omitted here.
90+ # The workflow triggers on 'release-*-rc*' tags, which are not valid
91+ # semver (docker/metadata-action requires vX.Y.Z or X.Y.Z format), so
92+ # the original action produced no semver tags either.
93+
94+ cat > "${BAKE_FILE}" <<EOF
95+ target "docker-metadata-action" {
96+ tags = [$(IFS=,; echo "${TAGS[*]}")]
97+ labels = {
98+ "org.opencontainers.image.source" = "https://github.com/${GITHUB_REPOSITORY}"
99+ "org.opencontainers.image.revision" = "${GITHUB_SHA}"
100+ }
101+ }
102+ EOF
103+
104+ echo "bake-file=${BAKE_FILE}" >> "${GITHUB_OUTPUT}"
69105
70106 - name : Build and push Docker images (supported platforms)
71- uses : docker/bake-action@v5
72- with :
73- files : |
74- .github/workflows/docker-bake.hcl
75- ${{ steps.meta.outputs.bake-file }}
76- targets : bake-platform
77- push : ${{ github.event_name != 'pull_request' }}
107+ # Replaces docker/bake-action while preserving the same inputs:
108+ # - the checked-in docker-bake.hcl
109+ # - the generated metadata bake file from the previous step
110+ run : |
111+ set -euo pipefail
112+ CMD=(docker buildx bake
113+ -f .github/workflows/docker-bake.hcl
114+ -f "${{ steps.meta.outputs.bake-file }}"
115+ bake-platform
116+ )
117+ if [[ "${{ github.event_name }}" != "pull_request" ]]; then
118+ CMD+=(--push)
119+ fi
120+ "${CMD[@]}"
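Review bot: The login step (new line 61) splices `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` straight into the `run` text, so the token is expanded into the script body before bash starts instead of being handed to the process as data. Passing both through the step's `env:` and reading shell variables keeps the secret out of the script source; the bake step's `${{ steps.meta.outputs.bake-file }}` and `${{ github.event_name }}` (new lines 114 and 117) can be moved the same way. The values involved here are constrained, so this is hardening rather than a demonstrated injection. Separately, the QEMU step (new line 47) runs `tonistiigi/binfmt:qemu-v7.0.0` with `--privileged` by tag; referencing it by digest (`tonistiigi/binfmt@sha256:<digest-placeholder>`) would fix exactly which image gets privileged access on the runner.

```yaml
      - name: Log in to the Container registry
        # … unchanged: comments and the `if:` guard that skips pull requests …
        env:
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REGISTRY_USER: ${{ github.actor }}
        run: |
          echo "${REGISTRY_TOKEN}" | docker login ghcr.io -u "${REGISTRY_USER}" --password-stdin
```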