tor-docker/.github/workflows/docker.yml at main · rgst-io/tor-docker · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
name: docker

on:
  push:
    branches: [main]
  pull_request: {}

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build:
    name: build (${{ matrix.platform }})
    runs-on: ubuntu-24.04${{ matrix.platform == 'linux/arm64' && '-arm' || ''}}
    strategy:
      fail-fast: false
      matrix:
        platform:
          - linux/amd64
          - linux/arm64
    permissions:
      id-token: write
      packages: write
      contents: read
      attestations: write
    env:
      PLATFORM: ${{ matrix.platform }}

    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Build time variables
        run: |-
          echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >>"$GITHUB_ENV"
          echo "TOR_VERSION=$(tr -d '\n' <VERSION)" >>"$GITHUB_ENV"
      - name: Skip if already published
        env:
          FULL_DOCKER_IMAGE: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TOR_VERSION }}"
          GH_TOKEN: ${{ github.token }}
        run: |-
          echo "Checking if $FULL_DOCKER_IMAGE exists ..."
          if docker manifest inspect "$FULL_DOCKER_IMAGE" &>/dev/null; then
            echo "$FULL_DOCKER_IMAGE already exists, skipping build"
            gh run cancel "$GITHUB_RUN_ID"
            exit 0
          fi
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Download Gentoo
        run: ./scripts/fetch-gentoo.sh "${PLATFORM##*/}"
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v6
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      - name: Build and push image
        uses: docker/build-push-action@v7
        id: build
        env:
          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
        with:
          context: .
          sbom: true
          provenance: mode=max
          labels: ${{ steps.meta.outputs.labels }}
          build-args: TOR_VERSION=${{ env.TOR_VERSION }}
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          outputs: type=image,rewrite-timestamp=true,push-by-digest=true,name-canonical=true,push=${{ github.event_name == 'push' }}
      - name: Export digest
        run: |-
          mkdir -p "${{ runner.temp }}/digests"
          digest="${{ steps.build.outputs.digest }}"
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Escape platform (/ -> -)
        id: platform
        run: echo "escaped=${PLATFORM//\//-}" >"$GITHUB_OUTPUT"
      - name: Upload digest
        uses: actions/upload-artifact@v7
        with:
          name: digests-${{ steps.platform.outputs.escaped }}
          path: ${{ runner.temp }}/digests/*
          if-no-files-found: error
          retention-days: 1
      - name: Attest
        uses: actions/attest-build-provenance@v4
        id: attest
        if: ${{ github.event_name == 'push' }}
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true

  merge:
    if: ${{ github.event_name == 'push' }}
    runs-on: ubuntu-24.04
    needs:
      - build
    permissions:
      id-token: write
      packages: write
      contents: read
      attestations: write
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Build time variables
        run: |-
          echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >>"$GITHUB_ENV"
          echo "TOR_VERSION=$(tr -d '\n' <VERSION)" >>"$GITHUB_ENV"
      - name: Download digests
        uses: actions/download-artifact@v8
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*
          merge-multiple: true
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
      - name: Create manifest
        id: manifest
        env:
          FULL_DOCKER_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TOR_VERSION }}
          DOCKER_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          RUNNER_TEMP: ${{ runner.temp }}
        run: |-
          readarray -t digests < <(find "$RUNNER_TEMP/digests" -type f | xargs -n1 basename | xargs printf "$DOCKER_IMAGE@sha256:%s\n")
          docker buildx imagetools create -t "$FULL_DOCKER_IMAGE" "${digests[@]}"
          docker buildx imagetools inspect "$FULL_DOCKER_IMAGE"
          echo "digest=$(docker buildx imagetools inspect "$FULL_DOCKER_IMAGE" | grep "Digest:" | awk '{ print $2 }')" >"$GITHUB_OUTPUT"
      - name: Attest
        uses: actions/attest-build-provenance@v4
        id: attest
        if: ${{ github.event_name == 'push' }}
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.manifest.outputs.digest }}
          push-to-registry: true