Skip to content

v4.8.0

v4.8.0 #572

Workflow file for this run

name: build
on:
push:
branches:
- main
paths:
- "src/**"
- "Dockerfile"
- "go.mod"
- "go.sum"
release:
types: [published]
workflow_dispatch:
concurrency:
group: build-${{ github.workflow }}-${{ github.ref }}
jobs:
build:
name: build (${{ matrix.platform }})
runs-on: ${{ matrix.runner }}
if: github.event_name != 'pull_request'
permissions:
attestations: write
contents: read
id-token: write
packages: write
strategy:
fail-fast: false
matrix:
include:
- runner: ubuntu-24.04
platform: linux/amd64
arch: x86_64
- runner: ubuntu-24.04-arm
platform: linux/arm64
arch: aarch64
- runner: ubuntu-24.04-arm
platform: linux/arm/v7
arch: armv7
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
- name: Docker meta
id: docker_meta
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf #v6.0.0
with:
images: |
${{ github.repository }}
ghcr.io/${{ github.repository }}
tags: |
type=edge
type=ref,event=branch,enable={{is_not_default_branch}}
type=semver,pattern={{version}}
type=semver,pattern={{major}}
type=semver,pattern={{major}}.{{minor}}
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Set up QEMU (${{ matrix.platform }})
if: matrix.platform == 'linux/arm/v7'
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
with:
platforms: ${{ matrix.platform }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
- name: Login to DockerHub
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push (${{ matrix.platform }})
id: docker_build
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f #v7.1.0
with:
context: .
platforms: ${{ matrix.platform }}
outputs: type=image,push-by-digest=true,name-canonical=true,push=true
annotations: ${{ steps.docker_meta.outputs.annotations }}
labels: ${{ steps.docker_meta.outputs.labels }}
tags: |
${{ github.repository }}
ghcr.io/${{ github.repository }}
cache-from: type=gha,scope=${{ matrix.platform }}
cache-to: type=gha,scope=${{ matrix.platform }},mode=max
sbom: true
build-args: |
TibiaDataBuildBuilder=github
TibiaDataBuildRelease=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.version'] }}
TibiaDataBuildCommit=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.revision'] }}
- name: Export digest
run: |
mkdir -p ${{ runner.temp }}/digests
digest="${{ steps.docker_build.outputs.digest }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}"
- name: Upload digest
id: upload_digests
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
with:
name: digests-${{ matrix.arch }}
path: ${{ runner.temp }}/digests/*
if-no-files-found: error
retention-days: 1
- name: Attest digest (per-arch)
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 #v4.1.0
with:
subject-name: digests-${{ matrix.arch }}
subject-digest: sha256:${{ steps.upload_digests.outputs.artifact-digest }}
manifest:
name: build (multi-arch)
runs-on: ubuntu-latest
needs:
- build
permissions:
attestations: write
contents: read
id-token: write
packages: write
outputs:
docker_build_digest: ${{ steps.docker_build.outputs.digest }}
docker_meta_version: ${{ steps.docker_meta.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
- name: Docker meta
id: docker_meta
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf #v6.0.0
with:
images: |
${{ github.repository }}
ghcr.io/${{ github.repository }}
tags: |
type=edge
type=ref,event=branch,enable={{is_not_default_branch}}
type=semver,pattern={{version}}
type=semver,pattern={{major}}
type=semver,pattern={{major}}.{{minor}}
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Download digests
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
with:
path: ${{ runner.temp }}/digests
pattern: digests-*
merge-multiple: true
- name: Install Cosign
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 #v4.1.1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
- name: Login to DockerHub
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Create manifest list and push
id: docker_build
working-directory: ${{ runner.temp }}/digests
run: |
# Create the manifest list and push to both registries
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
--annotation "index:org.opencontainers.image.created=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.created'] }}" \
--annotation "index:org.opencontainers.image.description=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.description'] }}" \
--annotation "index:org.opencontainers.image.licenses=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.licenses'] }}" \
--annotation "index:org.opencontainers.image.revision=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.revision'] }}" \
--annotation "index:org.opencontainers.image.source=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.source'] }}" \
--annotation "index:org.opencontainers.image.version=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.version'] }}" \
$(printf '${{ github.repository }}@sha256:%s ' *) \
$(printf 'ghcr.io/${{ github.repository }}@sha256:%s ' *)
# Get the digest of the created manifest list
DIGEST=$(docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} --format '{{ json .Manifest.Digest }}' | jq -r .)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Attest docker build (DockerHub)
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 #v4.1.0
with:
subject-name: index.docker.io/${{ github.repository }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true
- name: Attest docker build (GitHub Container Registry)
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 #v4.1.0
with:
subject-name: ghcr.io/${{ github.repository }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true
- name: Cosign sign images (GitHub OIDC)
run: |
cosign sign --yes \
${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
cosign sign --yes \
ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
- name: Inspect images (GitHub Container Registry)
run: |
docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }}
echo "::group::Manifest"
docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} --format '{{ json .Manifest }}'
echo "::endgroup::"
echo "::group::Image (linux/amd64)"
docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} --format '{{ json (index .Image "linux/amd64") }}'
echo "::endgroup::"
echo "::group::Provenance (linux/amd64)"
docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} --format '{{ json (index .Provenance "linux/amd64") }}'
echo "::endgroup::"
echo "::group::SBOM (linux/amd64)"
docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64") }}'
echo "::endgroup::"
- name: Verify cosign signatures
run: |
echo "::group::Verify signature (DockerHub)"
cosign verify \
--certificate-identity "https://github.com/${{ github.workflow_ref }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
echo "::endgroup::"
echo "::group::Verify signature (GitHub Container Registry)"
cosign verify \
--certificate-identity "https://github.com/${{ github.workflow_ref }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
echo "::endgroup::"
argocd:
if: github.event_name == 'release' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
runs-on: ubuntu-latest
permissions: {}
needs:
- build
- manifest
steps:
- name: Determine the deployment subdomain
id: determine_deployment
run: |
if [ "${{ github.event_name }}" == "release" ]; then
echo "subdomain=api" >> $GITHUB_OUTPUT
else
echo "subdomain=dev" >> $GITHUB_OUTPUT
fi
- name: Trigger workflow in tibiadata-argocd-app-of-apps repo
uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 #v4.0.1
with:
token: ${{ secrets.REPO_ACCESS_TOKEN }}
repository: tibiadata/tibiadata-argocd-app-of-apps
event-type: bump-tibiadata-api-go-image-sha
client-payload: |-
{
"docker_digest": "${{ needs.manifest.outputs.docker_build_digest }}",
"subdomain": "${{ steps.determine_deployment.outputs.subdomain }}"
}
helm-chart:
if: github.event_name == 'release'
permissions:
contents: write
runs-on: ubuntu-latest
needs:
- build
- manifest
steps:
- name: Trigger workflow in tibiadata-helm-charts repo
uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 #v4.0.1
with:
token: ${{ secrets.REPO_ACCESS_TOKEN }}
repository: tibiadata/tibiadata-helm-charts
event-type: bump-helm-chart-release
client-payload: |-
{
"chart_name": "${{ github.event.repository.name }}",
"release_version": "${{ needs.manifest.outputs.docker_meta_version }}"
}