v4.8.0 #572
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - "src/**" | |
| - "Dockerfile" | |
| - "go.mod" | |
| - "go.sum" | |
| release: | |
| types: [published] | |
| workflow_dispatch: | |
| concurrency: | |
| group: build-${{ github.workflow }}-${{ github.ref }} | |
| jobs: | |
| build: | |
| name: build (${{ matrix.platform }}) | |
| runs-on: ${{ matrix.runner }} | |
| if: github.event_name != 'pull_request' | |
| permissions: | |
| attestations: write | |
| contents: read | |
| id-token: write | |
| packages: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - runner: ubuntu-24.04 | |
| platform: linux/amd64 | |
| arch: x86_64 | |
| - runner: ubuntu-24.04-arm | |
| platform: linux/arm64 | |
| arch: aarch64 | |
| - runner: ubuntu-24.04-arm | |
| platform: linux/arm/v7 | |
| arch: armv7 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 | |
| - name: Docker meta | |
| id: docker_meta | |
| uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf #v6.0.0 | |
| with: | |
| images: | | |
| ${{ github.repository }} | |
| ghcr.io/${{ github.repository }} | |
| tags: | | |
| type=edge | |
| type=ref,event=branch,enable={{is_not_default_branch}} | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| env: | |
| DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index | |
| - name: Set up QEMU (${{ matrix.platform }}) | |
| if: matrix.platform == 'linux/arm/v7' | |
| uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0 | |
| with: | |
| platforms: ${{ matrix.platform }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0 | |
| - name: Login to DockerHub | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0 | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push (${{ matrix.platform }}) | |
| id: docker_build | |
| uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f #v7.1.0 | |
| with: | |
| context: . | |
| platforms: ${{ matrix.platform }} | |
| outputs: type=image,push-by-digest=true,name-canonical=true,push=true | |
| annotations: ${{ steps.docker_meta.outputs.annotations }} | |
| labels: ${{ steps.docker_meta.outputs.labels }} | |
| tags: | | |
| ${{ github.repository }} | |
| ghcr.io/${{ github.repository }} | |
| cache-from: type=gha,scope=${{ matrix.platform }} | |
| cache-to: type=gha,scope=${{ matrix.platform }},mode=max | |
| sbom: true | |
| build-args: | | |
| TibiaDataBuildBuilder=github | |
| TibiaDataBuildRelease=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.version'] }} | |
| TibiaDataBuildCommit=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.revision'] }} | |
| - name: Export digest | |
| run: | | |
| mkdir -p ${{ runner.temp }}/digests | |
| digest="${{ steps.docker_build.outputs.digest }}" | |
| touch "${{ runner.temp }}/digests/${digest#sha256:}" | |
| - name: Upload digest | |
| id: upload_digests | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1 | |
| with: | |
| name: digests-${{ matrix.arch }} | |
| path: ${{ runner.temp }}/digests/* | |
| if-no-files-found: error | |
| retention-days: 1 | |
| - name: Attest digest (per-arch) | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 #v4.1.0 | |
| with: | |
| subject-name: digests-${{ matrix.arch }} | |
| subject-digest: sha256:${{ steps.upload_digests.outputs.artifact-digest }} | |
| manifest: | |
| name: build (multi-arch) | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| permissions: | |
| attestations: write | |
| contents: read | |
| id-token: write | |
| packages: write | |
| outputs: | |
| docker_build_digest: ${{ steps.docker_build.outputs.digest }} | |
| docker_meta_version: ${{ steps.docker_meta.outputs.version }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 | |
| - name: Docker meta | |
| id: docker_meta | |
| uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf #v6.0.0 | |
| with: | |
| images: | | |
| ${{ github.repository }} | |
| ghcr.io/${{ github.repository }} | |
| tags: | | |
| type=edge | |
| type=ref,event=branch,enable={{is_not_default_branch}} | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| env: | |
| DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index | |
| - name: Download digests | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1 | |
| with: | |
| path: ${{ runner.temp }}/digests | |
| pattern: digests-* | |
| merge-multiple: true | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 #v4.1.1 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0 | |
| - name: Login to DockerHub | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0 | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create manifest list and push | |
| id: docker_build | |
| working-directory: ${{ runner.temp }}/digests | |
| run: | | |
| # Create the manifest list and push to both registries | |
| docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
| --annotation "index:org.opencontainers.image.created=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.created'] }}" \ | |
| --annotation "index:org.opencontainers.image.description=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.description'] }}" \ | |
| --annotation "index:org.opencontainers.image.licenses=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.licenses'] }}" \ | |
| --annotation "index:org.opencontainers.image.revision=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.revision'] }}" \ | |
| --annotation "index:org.opencontainers.image.source=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.source'] }}" \ | |
| --annotation "index:org.opencontainers.image.version=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.version'] }}" \ | |
| $(printf '${{ github.repository }}@sha256:%s ' *) \ | |
| $(printf 'ghcr.io/${{ github.repository }}@sha256:%s ' *) | |
| # Get the digest of the created manifest list | |
| DIGEST=$(docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} --format '{{ json .Manifest.Digest }}' | jq -r .) | |
| echo "digest=$DIGEST" >> $GITHUB_OUTPUT | |
| - name: Attest docker build (DockerHub) | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 #v4.1.0 | |
| with: | |
| subject-name: index.docker.io/${{ github.repository }} | |
| subject-digest: ${{ steps.docker_build.outputs.digest }} | |
| push-to-registry: true | |
| - name: Attest docker build (GitHub Container Registry) | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 #v4.1.0 | |
| with: | |
| subject-name: ghcr.io/${{ github.repository }} | |
| subject-digest: ${{ steps.docker_build.outputs.digest }} | |
| push-to-registry: true | |
| - name: Cosign sign images (GitHub OIDC) | |
| run: | | |
| cosign sign --yes \ | |
| ${{ github.repository }}@${{ steps.docker_build.outputs.digest }} | |
| cosign sign --yes \ | |
| ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }} | |
| - name: Inspect images (GitHub Container Registry) | |
| run: | | |
| docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} | |
| echo "::group::Manifest" | |
| docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} --format '{{ json .Manifest }}' | |
| echo "::endgroup::" | |
| echo "::group::Image (linux/amd64)" | |
| docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} --format '{{ json (index .Image "linux/amd64") }}' | |
| echo "::endgroup::" | |
| echo "::group::Provenance (linux/amd64)" | |
| docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} --format '{{ json (index .Provenance "linux/amd64") }}' | |
| echo "::endgroup::" | |
| echo "::group::SBOM (linux/amd64)" | |
| docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64") }}' | |
| echo "::endgroup::" | |
| - name: Verify cosign signatures | |
| run: | | |
| echo "::group::Verify signature (DockerHub)" | |
| cosign verify \ | |
| --certificate-identity "https://github.com/${{ github.workflow_ref }}" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| ${{ github.repository }}@${{ steps.docker_build.outputs.digest }} | |
| echo "::endgroup::" | |
| echo "::group::Verify signature (GitHub Container Registry)" | |
| cosign verify \ | |
| --certificate-identity "https://github.com/${{ github.workflow_ref }}" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }} | |
| echo "::endgroup::" | |
| argocd: | |
| if: github.event_name == 'release' || (github.event_name == 'push' && github.ref == 'refs/heads/main') | |
| runs-on: ubuntu-latest | |
| permissions: {} | |
| needs: | |
| - build | |
| - manifest | |
| steps: | |
| - name: Determine the deployment subdomain | |
| id: determine_deployment | |
| run: | | |
| if [ "${{ github.event_name }}" == "release" ]; then | |
| echo "subdomain=api" >> $GITHUB_OUTPUT | |
| else | |
| echo "subdomain=dev" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Trigger workflow in tibiadata-argocd-app-of-apps repo | |
| uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 #v4.0.1 | |
| with: | |
| token: ${{ secrets.REPO_ACCESS_TOKEN }} | |
| repository: tibiadata/tibiadata-argocd-app-of-apps | |
| event-type: bump-tibiadata-api-go-image-sha | |
| client-payload: |- | |
| { | |
| "docker_digest": "${{ needs.manifest.outputs.docker_build_digest }}", | |
| "subdomain": "${{ steps.determine_deployment.outputs.subdomain }}" | |
| } | |
| helm-chart: | |
| if: github.event_name == 'release' | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| - manifest | |
| steps: | |
| - name: Trigger workflow in tibiadata-helm-charts repo | |
| uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 #v4.0.1 | |
| with: | |
| token: ${{ secrets.REPO_ACCESS_TOKEN }} | |
| repository: tibiadata/tibiadata-helm-charts | |
| event-type: bump-helm-chart-release | |
| client-payload: |- | |
| { | |
| "chart_name": "${{ github.event.repository.name }}", | |
| "release_version": "${{ needs.manifest.outputs.docker_meta_version }}" | |
| } |