-
Notifications
You must be signed in to change notification settings - Fork 1
116 lines (116 loc) · 5.18 KB
/
publish-docker.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
# https://docs.github.com/en/actions/publishing-packages/publishing-docker-images
# https://docs.docker.com/build/ci/github-actions/manage-tags-labels/
# https://docs.docker.com/build/ci/github-actions/push-multi-registries/
name: Publish Docker Image Workflow
on:
# publish only after a successful release since we need the version tag
release:
types: [published]
workflow_dispatch: {}
jobs:
publish-docker:
# don't run the job if the PR is a draft to save resources
if: github.event.pull_request.draft == false
runs-on: ubuntu-latest
# https://docs.github.com/en/actions/using-jobs/using-concurrency
# concurrency can be used to limit the number of jobs running at the same time for the whole repo
# to prevent using too many resources when too many PRs are opened or commits pushed
# For example, the ability to run workflows concurrently means that if multiple commits are pushed to a repository in quick succession, each push could trigger a separate workflow run, and these runs will execute concurrently.
#
# use case: for example, when someone pushes a commit to a PR, the workflow will be triggered again
# we want to cancel previous jobs and only run the latest one
concurrency:
# at most there will be 1 job running at the same time for the whole repo
# and 1 pending job
# previous pending jobs will be cancelled if a new one is triggered
group: ${{ github.workflow }}-${{ github.ref }}
# we can use cancel-in-progress to cancel the previous job if a new one is triggered
# cancel-in-progress: true
permissions:
contents: read
packages: write
attestations: write
name: Publish Docker Job
steps:
- name: Checkout latest code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
# seetup CI using a private composite action
- name: Setup CI environment
uses: ./.github/actions/ci-setup
# # build and deploy, no need to run checks and tests since we alrady did that in PR job
- name: Build project
run: ./gradlew war
# prepare tags for docker
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
with:
# list of Docker images to use as base name for tags
# ghcr for github container registry
# gipo999 for docker hub
images: |
ghcr.io/gipo999/tomcat-webapp-boilerplate
gipo999/tomcat-webapp-boilerplate
# generate Docker tags based on the following events/attributes
tags: |
type=schedule
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
## DOCKER BUILD AND PUSH to GHCR
# setup docker environment
- name: Setup DOCKER environment
uses: ./.github/actions/docker-setup
# authenticate to GHCR and Docker Hub
- name: Login to GHCR
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
with:
registry: ghcr.io
username: ${{github.actor}}
password: ${{secrets.GITHUB_TOKEN}}
- name: Login to Docker Hub
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
# get the version from the tag of the release ( we have it thanks to the release event )
- name: set version as env var
shell: bash
run: |
NEW_VERSION=$(echo "${GITHUB_REF}" | cut -d "/" -f3 | cut -d "v" -f2-) # 1.0.0-dev.1
echo "New version: ${NEW_VERSION}"
echo "Github username: ${GITHUB_ACTOR}"
echo "NEW_VERSION=${NEW_VERSION}" >> $GITHUB_ENV
- name: Build and push Docker image
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6
with:
context: .
file: ./Dockerfile
platforms: linux/amd64
load: false
push: true
sbom: true
# push: ${{ github.event_name != 'pull_request' }} # can conditionally push
provenance: mode=max
#
# tags
# default tags generated above + latest for both registries
tags: |
${{ steps.meta.outputs.tags }}
ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
# in docker, labels are needed to store metadata about the image and for provenance
labels: ${{ steps.meta.outputs.labels }}
#
#
# this may not be needed. Looks like as default build-push-action already does this
# https://docs.docker.com/build/ci/github-actions/attestations/
# - name: Generate artifact attestation
# uses: actions/attest-build-provenance@v1
# with:
# subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
# subject-digest: ${{ steps.push.outputs.digest }}
# push-to-registry: true