reverse-proxy/.github/workflows/release.yml at main · mvdschee/reverse-proxy · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
name: release

on:
   push:
      tags:
         - "v*.*.*"
   workflow_dispatch:

env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}

jobs:
   build:
      name: build (${{ matrix.platform }})
      runs-on: ${{ matrix.runner }}
      permissions:
         contents: read
         packages: write
      strategy:
         fail-fast: false
         matrix:
            include:
               - platform: linux/amd64
                 runner: ubuntu-latest
               - platform: linux/arm64
                 runner: ubuntu-24.04-arm

      steps:
         - name: Checkout
           uses: actions/checkout@v5

         - name: Set up Docker Buildx
           uses: docker/setup-buildx-action@v4

         # dhi.io is gated: the builder pulls dhi.io/alpine-base:*-dev and
         # the runtime stage pulls dhi.io/alpine-base:3.23.
         - name: Login to Docker Hub (for dhi.io)
           uses: docker/login-action@v4
           with:
              registry: dhi.io
              username: ${{ secrets.DOCKERHUB_USERNAME }}
              password: ${{ secrets.DOCKERHUB_TOKEN }}

         # Push login to docker.io (default registry). Same creds as dhi.io,
         # but a separate registry endpoint so we can push the public image.
         - name: Login to Docker Hub (push)
           uses: docker/login-action@v4
           with:
              username: ${{ secrets.DOCKERHUB_USERNAME }}
              password: ${{ secrets.DOCKERHUB_TOKEN }}

         - name: Login to GHCR
           uses: docker/login-action@v4
           with:
              registry: ${{ env.REGISTRY }}
              username: ${{ github.actor }}
              password: ${{ secrets.GITHUB_TOKEN }}

         - name: Extract image metadata
           id: meta
           uses: docker/metadata-action@v6
           with:
              images: |
                 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
                 docker.io/${{ secrets.DOCKERHUB_USERNAME }}/reverse-proxy

         # Build the per-arch image and push it by digest only. The "merge"
         # job below stitches the digests into one multi-arch manifest.
         - name: Build and push by digest
           id: build
           uses: docker/build-push-action@v7
           with:
              context: .
              file: .docker/Dockerfile
              platforms: ${{ matrix.platform }}
              labels: ${{ steps.meta.outputs.labels }}
              cache-from: type=gha,scope=${{ matrix.platform }}
              cache-to: type=gha,scope=${{ matrix.platform }},mode=max
              outputs: type=image,"name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},docker.io/${{ secrets.DOCKERHUB_USERNAME }}/reverse-proxy",push-by-digest=true,name-canonical=true,push=true

         - name: Export digest
           run: |
              mkdir -p /tmp/digests
              digest="${{ steps.build.outputs.digest }}"
              touch "/tmp/digests/${digest#sha256:}"

         - name: Upload digest
           uses: actions/upload-artifact@v7
           with:
              name: digest-${{ strategy.job-index }}
              path: /tmp/digests/*
              if-no-files-found: error
              retention-days: 1

   merge:
      name: merge multi-arch manifest
      needs: build
      runs-on: ubuntu-latest
      permissions:
         contents: read
         packages: write

      steps:
         - name: Download digests
           uses: actions/download-artifact@v8
           with:
              path: /tmp/digests
              pattern: digest-*
              merge-multiple: true

         - name: Set up Docker Buildx
           uses: docker/setup-buildx-action@v4

         - name: Login to GHCR
           uses: docker/login-action@v4
           with:
              registry: ${{ env.REGISTRY }}
              username: ${{ github.actor }}
              password: ${{ secrets.GITHUB_TOKEN }}

         - name: Login to Docker Hub (push)
           uses: docker/login-action@v4
           with:
              username: ${{ secrets.DOCKERHUB_USERNAME }}
              password: ${{ secrets.DOCKERHUB_TOKEN }}

         - name: Extract image metadata
           id: meta
           uses: docker/metadata-action@v6
           with:
              images: |
                 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
                 docker.io/${{ secrets.DOCKERHUB_USERNAME }}/reverse-proxy
              tags: |
                 type=semver,pattern={{version}}
                 type=semver,pattern={{major}}.{{minor}}
                 type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}

         - name: Create multi-arch manifest
           working-directory: /tmp/digests
           run: |
              docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
                $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)

         - name: Inspect image
           run: |
              docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}