
add the ability to set aliases per network #72


# This workflow builds and optionally pushes a Docker image to GHCR and Docker Hub
# under multiple repository aliases (auto_docker_proxy and traefik_network_connector).
#
# Triggers:
# 1. Push to 'main' branch (builds and pushes as 'latest')
# 2. Push of tags 'v*.*.*' (builds and pushes as SemVer)
# 3. Pull Requests (build only by default; add label 'ci:push-image' to also push)
#
# Features:
# - Multi-platform build
# - Multi-registry push (GHCR & Docker Hub)
# - GitHub Actions cache
# - Cosign OIDC signing for main/tag pushes
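name: Build and Push Docker (Multi-Repo Alias)

on:
  push:
    branches:
      - main
    tags:
      - 'v*.*.*'  # Trigger on version tags like v1.0.0
  # 'labeled' is listed so that adding 'ci:push-image' to an open PR starts a
  # run in which the push strategy step sees the label.
  pull_request:
    types: [opened, synchronize, reopened, labeled]

jobs:
  build-push-sign:
    runs-on: ubuntu-latest
    # NOTE(review): these permissions apply to every trigger, including
    # pull_request runs that never reach the signing step. Splitting build and
    # publish/sign into separate jobs would let 'packages: write' and
    # 'id-token: write' be granted only where they are used.
    permissions:
      contents: read
      packages: write
      id-token: write  # Required for OIDC signing
    # NOTE(review): every action below is referenced by a mutable major-version
    # tag (@v3/@v4/@v5). Pinning each 'uses:' to a full commit SHA, with the
    # version kept in a trailing comment, prevents a retagged or compromised
    # release from running with the registry credentials and OIDC token above.
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Decides whether this run publishes the image. Context values are passed
      # through env rather than interpolated into the script, so label names
      # never become part of the shell source.
      - name: Determine push strategy
        id: strategy
        env:
          EVENT_NAME: ${{ github.event_name }}
          PR_LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
        shell: bash
        run: |
          if [[ "$EVENT_NAME" == "push" ]]; then
            echo "Push event: build and push."
            echo "should_push=true" >> "$GITHUB_OUTPUT"
          elif [[ "$EVENT_NAME" == "pull_request" ]]; then
            # Push only if the 'ci:push-image' label is present on the PR.
            # The label list is re-read on every run, so once the label is set,
            # later 'synchronize' runs (new commits) also push until it is removed.
            HAS_LABEL=$(echo "$PR_LABELS" | grep -c '"ci:push-image"' || true)
            if [[ "$HAS_LABEL" -gt 0 ]]; then
              echo "PR has 'ci:push-image' label: build and push."
              echo "should_push=true" >> "$GITHUB_OUTPUT"
            else
              echo "PR without 'ci:push-image' label: build only."
              echo "should_push=false" >> "$GITHUB_OUTPUT"
            fi
          else
            echo "should_push=false" >> "$GITHUB_OUTPUT"
          fi

      # Registry logins run only when the image will be pushed, so build-only
      # PR runs do not touch the registry credentials.
      - name: Log in to GitHub Container Registry
        if: steps.strategy.outputs.should_push == 'true'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log in to Docker Hub
        if: steps.strategy.outputs.should_push == 'true'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Docker metadata (multi-repo)
        id: meta
        uses: docker/metadata-action@v5
        with:
          # Define all four image names. The generated tags will be applied to each of them.
          images: |
            ghcr.io/obeone/auto_docker_proxy
            docker.io/obeoneorg/auto_docker_proxy
            ghcr.io/obeone/traefik_network_connector
            docker.io/obeoneorg/traefik_network_connector
          # 'latest' is emitted with type=raw: a type=ref,event=branch rule renders
          # the branch name between prefix and suffix, which for 'main' with
          # suffix=latest gives 'mainlatest' rather than 'latest'.
          tags: |
            # For pushes to the 'main' branch, tag the image as 'latest'.
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
            # For 'v*.*.*' tags, generate SemVer tags (e.g., 1.2.3, 1.2, 1).
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            # For 'pull_request' events, tag the image as 'pr-XXX' (where XXX is the PR number).
            type=ref,event=pr

      - name: Build (and push if applicable)
        id: build-and-push
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          push: ${{ steps.strategy.outputs.should_push == 'true' }}
          # NOTE(review): no QEMU/binfmt setup step is visible in this workflow;
          # the non-amd64 targets presumably rely on emulation already available
          # to Buildx or on cross-compilation in the Dockerfile. Confirm.
          platforms: |
            linux/amd64
            linux/arm64
            linux/i386
            linux/armhf
            linux/armel
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            # Pass the clean version (e.g., 1.0.0) extracted from metadata to the Dockerfile.
            VERSION=${{ steps.meta.outputs.version }}

      - name: Set up cosign
        if: steps.strategy.outputs.should_push == 'true' && github.event_name == 'push'
        uses: sigstore/cosign-installer@v3

      - name: Sign the container image with cosign
        # Only signs official images built from 'main' branch pushes or tag pushes.
        # Images pushed from labelled PRs (the 'pr-XXX' tags) land in the same four
        # repositories and are left unsigned.
        if: >-
          ${{
          steps.strategy.outputs.should_push == 'true' &&
          github.event_name == 'push' &&
          (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
          }}
        env:
          # Quoted so the value is unambiguously the string 'true'.
          # NOTE(review): presumably redundant with cosign 2.x, where keyless
          # signing is the default. Confirm against the installed version.
          COSIGN_EXPERIMENTAL: "true"
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        shell: bash
        run: |
          # Refuse to sign when the build step reported no digest.
          if [ -z "${DIGEST}" ]; then
            echo "Digest is empty, aborting image signing."
            exit 1
          fi
          echo "Signing digest: ${DIGEST}"
          # Must stay in sync with the 'images' list of the metadata step.
          IMAGES=(
            "ghcr.io/obeone/auto_docker_proxy"
            "docker.io/obeoneorg/auto_docker_proxy"
            "ghcr.io/obeone/traefik_network_connector"
            "docker.io/obeoneorg/traefik_network_connector"
          )
          # Sign by digest, not by tag, so the signature binds to immutable content.
          for image in "${IMAGES[@]}"; do
            echo "Signing ${image}@${DIGEST}"
            cosign sign --yes "${image}@${DIGEST}"
          done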