Update multi-build.yaml (#315) #161
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: multi-build | |
on: | |
push: | |
branches: | |
- main | |
paths: | |
- Dockerfile | |
- entrypoint.js | |
- .github/workflows/multi-build.yaml | |
tags: | |
- v* | |
workflow_dispatch: | |
inputs: | |
manual-tag: | |
description: 'Manual Tag' | |
required: true | |
default: 'manual' | |
type: string | |
ghost_version: | |
description: 'Ghost version' | |
required: true | |
default: '5.86.2' | |
type: string | |
env: | |
GHCR_IMAGE: ghcr.io/${{ github.repository }} | |
DOCKER_IMAGE: docker.io/${{ secrets.DOCKER_USER }}/${{ github.event.repository.name }} | |
permissions: | |
contents: read | |
jobs: | |
build: | |
permissions: | |
attestations: write | |
actions: read | |
checks: write | |
contents: write | |
deployments: none | |
id-token: write | |
issues: read | |
discussions: read | |
packages: write | |
pages: none | |
pull-requests: read | |
repository-projects: read | |
security-events: read | |
statuses: read | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: true | |
matrix: | |
platform: | |
- linux/amd64 | |
- linux/arm64 | |
steps: | |
- | |
name: Prepare | |
id: prepare | |
run: | | |
platform=${{ matrix.platform }} | |
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
- | |
name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit | |
- | |
name: Checkout | |
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- | |
name: Set up GHOST_VERSION and MANUAL_TAG values, depending on event type (push or workflow_dispatch) | |
id: versions | |
env: | |
GITHUB_EVENT_NAME: ${{ github.event_name }} | |
run: | | |
if [ ${{ env.GITHUB_EVENT_NAME }} == workflow_dispatch ]; then | |
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_OUTPUT | |
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_OUTPUT | |
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_ENV | |
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_ENV | |
else | |
echo "GHOST_VERSION=$(curl -s https://api.github.com/repos/tryghost/ghost/releases/latest | jq '.name' | sed 's/\"//g')" >> $GITHUB_OUTPUT | |
echo "GHOST_VERSION=$(curl -s https://api.github.com/repos/tryghost/ghost/releases/latest | jq '.name' | sed 's/\"//g')" >> $GITHUB_ENV | |
fi | |
- | |
name: Show Ghost version | |
continue-on-error: true | |
run: | | |
echo "output of step for GHOST_VERSION=${{ steps.versions.outputs.GHOST_VERSION }}" | |
echo "output of step for MANUAL_TAG=${{ steps.versions.outputs.MANUAL_TAG }}" | |
echo "output of env for GHOST_VERSION=\"$(echo $GHOST_VERSION)\"" | |
echo "output of env for MANUAL_TAG=\"$(echo $MANUAL_TAG)\"" | |
- name: Docker meta default | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
with: | |
images: ${{ env.GHCR_IMAGE }} | |
- | |
name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
if: ${{ matrix.platform == 'linux/arm64' || env.PLATFORM_PAIR == 'linux-arm64' }} | |
continue-on-error: false | |
with: | |
platforms: arm64 | |
image: tonistiigi/binfmt:qemu-v8.1.5 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
with: | |
driver-opts: | | |
network=host | |
- | |
name: Login to GitHub Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- | |
name: Build and push by digest | |
id: build | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
env: | |
DOCKER_BUILDKIT: 1 | |
with: | |
context: . | |
platforms: ${{ matrix.platform }} | |
labels: ${{ steps.meta.outputs.labels }} | |
annotations: ${{ steps.meta.outputs.annotations }} | |
build-args: GHOST_VERSION=${{ steps.versions.outputs.GHOST_VERSION }} | |
outputs: type=image,name=${{ env.GHCR_IMAGE }},push-by-digest=true,name-canonical=true,push=true,oci-mediatypes=true | |
# provenance: false | |
cache-from: type=gha,ignore-error=true | |
cache-to: type=gha,ignore-error=true | |
- | |
name: Export digest | |
run: | | |
mkdir -p /tmp/digests | |
digest="${{ steps.build.outputs.digest }}" | |
touch "/tmp/digests/${digest#sha256:}" | |
- | |
name: Upload digest | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: digests-${{ env.PLATFORM_PAIR }} | |
path: /tmp/digests/* | |
if-no-files-found: error | |
retention-days: 15 | |
merge: | |
runs-on: ubuntu-latest | |
needs: | |
- build | |
permissions: | |
attestations: write | |
actions: read | |
checks: read | |
contents: read | |
deployments: none | |
id-token: write | |
issues: read | |
discussions: read | |
packages: write | |
pages: none | |
pull-requests: read | |
repository-projects: read | |
security-events: read | |
statuses: read | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
continue-on-error: true | |
- | |
name: Download digests | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
path: /tmp/digests | |
pattern: digests-* | |
merge-multiple: true | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
with: | |
driver-opts: | | |
network=host | |
- | |
name: Set up GHOST_VERSION and MANUAL_TAG values, depending on event type (push or workflow_dispatch) | |
id: versions | |
env: | |
GITHUB_EVENT_NAME: ${{ github.event_name }} | |
run: | | |
if [ ${{ env.GITHUB_EVENT_NAME }} == workflow_dispatch ]; then | |
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_OUTPUT | |
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_OUTPUT | |
echo "GHOST_VERSION=${{ github.event.inputs.ghost_version }}" >> $GITHUB_ENV | |
echo "MANUAL_TAG=${{ github.event.inputs.manual-tag }}" >> $GITHUB_ENV | |
else | |
echo "GHOST_VERSION=$(curl -s https://api.github.com/repos/tryghost/ghost/releases/latest | jq '.name' | sed 's/\"//g')" >> $GITHUB_OUTPUT | |
echo "GHOST_VERSION=$(curl -s https://api.github.com/repos/tryghost/ghost/releases/latest | jq '.name' | sed 's/\"//g')" >> $GITHUB_ENV | |
fi | |
- | |
name: Docker meta | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
env: | |
GHOST_VERSION: "v${{ steps.versions.outputs.GHOST_VERSION }}" | |
with: | |
images: ${{ env.GHCR_IMAGE }} | |
annotations: | | |
type=org.opencontainers.image.description,value=${{ github.event.repository.description }} | |
tags: | | |
type=raw,value=main,enable=${{ github.event_name != 'workflow_dispatch' }} | |
type=raw,value=latest,enable=${{ github.event_name != 'workflow_dispatch' }} | |
type=raw,value=${{ env.GHOST_VERSION }},enable=${{ github.event_name != 'workflow_dispatch' }} | |
type=raw,value=${{ github.event.inputs.manual-tag }},enable=${{ github.event_name == 'workflow_dispatch' }} | |
- | |
name: Login to GitHub Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- | |
name: Get execution timestamp with RFC3339 format | |
id: timestamp | |
run: | | |
echo "timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_OUTPUT | |
- | |
name: Create manifest list and pushs | |
working-directory: /tmp/digests | |
id: manifest-annotate | |
continue-on-error: true | |
run: | | |
docker buildx imagetools create \ | |
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
--annotation='index:org.opencontainers.image.description=${{ github.event.repository.description }}' \ | |
--annotation='index:org.opencontainers.image.created=${{ steps.timestamp.outputs.timestamp }}' \ | |
--annotation='index:org.opencontainers.image.url=${{ github.event.repository.url }}' \ | |
--annotation='index:org.opencontainers.image.source=${{ github.event.repository.url }}' \ | |
--annotation='index:io.artifacthub.package.readme-url=https://raw.githubusercontent.com/sredevopsorg/ghost-on-kubernetes/main/README.md' \ | |
--annotation='index:org.opencontainers.image.vendor=SREDevOps.org' \ | |
--annotation='index:io.artifacthub.package.maintainers=[{"name":"Nicolas Georger","email":"info@sredevops.org"}]' \ | |
--annotation='index:io.artifacthub.package.alternative-locations=oci://index.docker.io/ngeorger/ghost-on-kubernetes' \ | |
--annotation='index:io.artifacthub.package.logo-url=https://raw.githubusercontent.com/sredevopsorg/.github/main/SREDevOpsOrg-Logo.png' \ | |
--annotation='index:io.artifacthub.package.keywords=ghost, blog, cms' \ | |
$(printf '${{ env.GHCR_IMAGE }}@sha256:%s ' *) | |
- | |
name: Create manifest list and pushs | |
working-directory: /tmp/digests | |
id: manifest | |
if: steps.manifest-annotate.outcome == 'failure' | |
run: | | |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
$(printf '${{ env.GHCR_IMAGE }}@sha256:%s ' *) | |
- | |
name: Inspect image | |
id: inspect | |
continue-on-error: true | |
run: | | |
echo "DIGEST_0=$(docker buildx imagetools inspect --raw ${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.version }} | jq -r '.manifests[0].digest')" >> $GITHUB_OUTPUT | |
- name: Sign image with a key | |
run: | | |
images="" | |
for tag in ${TAGS}; do | |
images+="${tag}@${DIGEST_0} " | |
done | |
cosign sign --recursive --yes --key env://COSIGN_PRIVATE_KEY ${images} | |
env: | |
TAGS: ${{ steps.meta.outputs.tags }} | |
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
DIGEST_0: ${{ steps.inspect.outputs.DIGEST_0 }} | |
- | |
name: Login to Docker Hub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
continue-on-error: true | |
with: | |
username: ${{ secrets.DOCKER_USER }} | |
password: ${{ secrets.DOCKER_PASS }} | |
- | |
name: Push to Docker Hub | |
continue-on-error: true | |
run: | | |
docker buildx imagetools create \ | |
--tag ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} \ | |
--tag ${{ env.DOCKER_IMAGE }}:latest \ | |
--tag ${{ env.DOCKER_IMAGE }}:v${{ steps.versions.outputs.GHOST_VERSION }} \ | |
${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.version }} |