add the ability to set aliases per network #72
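---
# This workflow builds and optionally pushes a Docker image to GHCR and Docker Hub
# under multiple repository aliases (auto_docker_proxy and traefik_network_connector).
#
# Triggers:
# 1. Push to 'main' branch (builds and pushes as 'latest')
# 2. Push of tags 'v*.*.*' (builds and pushes as SemVer)
# 3. Pull Requests (build only by default; add label 'ci:push-image' to also push)
#
# Features:
# - Multi-platform build
# - Multi-registry push (GHCR & Docker Hub)
# - GitHub Actions cache
# - Cosign OIDC signing for main/tag pushes
#
# NOTE(review): every `uses:` below is pinned to a major tag (@v3/@v4/@v5). Pinning
# to a full commit SHA (tag kept in a trailing comment) is the usual hardening
# against a moved or compromised tag; the SHAs are not available on this page.
name: Build and Push Docker (Multi-Repo Alias)

on:
  push:
    branches:
      - main
    tags:
      - 'v*.*.*'  # Trigger on version tags like v1.0.0
  pull_request:
    types: [opened, synchronize, reopened, labeled]

jobs:
  build-push-sign:
    runs-on: ubuntu-latest
    # Least-privilege job token: read the repo, publish packages, mint an OIDC token for cosign.
    permissions:
      contents: read
      packages: write
      id-token: write  # Required for OIDC signing
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Decide whether this run pushes images. Event data is handed to the script via
      # `env` instead of being interpolated into `run`, so PR label text cannot inject shell.
      - name: Determine push strategy
        id: strategy
        env:
          EVENT_NAME: ${{ github.event_name }}
          PR_LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
          PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          BASE_REPO: ${{ github.repository }}
        shell: bash
        run: |
          if [[ "$EVENT_NAME" == "push" ]]; then
            echo "Push event: build and push."
            echo "should_push=true" >> "$GITHUB_OUTPUT"
          elif [[ "$EVENT_NAME" == "pull_request" ]]; then
            # Push only if the 'ci:push-image' label is present on the PR
            HAS_LABEL=$(echo "$PR_LABELS" | grep -c '"ci:push-image"' || true)
            if [[ "$HAS_LABEL" -gt 0 && "$PR_HEAD_REPO" != "$BASE_REPO" ]]; then
              # pull_request runs for forks get no repository secrets and a read-only
              # GITHUB_TOKEN, so the registry logins below cannot succeed; build only.
              echo "PR from fork '$PR_HEAD_REPO' has 'ci:push-image' label: build only (no secrets for forks)."
              echo "should_push=false" >> "$GITHUB_OUTPUT"
            elif [[ "$HAS_LABEL" -gt 0 ]]; then
              echo "PR has 'ci:push-image' label: build and push."
              echo "should_push=true" >> "$GITHUB_OUTPUT"
            else
              echo "PR without 'ci:push-image' label: build only."
              echo "should_push=false" >> "$GITHUB_OUTPUT"
            fi
          else
            echo "should_push=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Log in to GitHub Container Registry
        if: steps.strategy.outputs.should_push == 'true'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log in to Docker Hub
        if: steps.strategy.outputs.should_push == 'true'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Docker metadata (multi-repo)
        id: meta
        uses: docker/metadata-action@v5
        with:
          # Define all four image names. The generated tags will be applied to each of them.
          # Keep this list in sync with IMAGES in the cosign step below.
          images: |
            ghcr.io/obeone/auto_docker_proxy
            docker.io/obeoneorg/auto_docker_proxy
            ghcr.io/obeone/traefik_network_connector
            docker.io/obeoneorg/traefik_network_connector
          tags: |
            # For pushes to the 'main' branch, tag the image as 'latest'.
            # type=raw sets the literal tag; type=ref,event=branch would use the branch
            # name as the value, so suffix=latest would have produced 'mainlatest'.
            type=raw,value=latest,enable=${{ github.ref_name == 'main' }}
            # For 'v*.*.*' tags, generate SemVer tags without the 'v' (e.g., 1.2.3, 1.2, 1).
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            # For 'pull_request' events, tag the image as 'pr-XXX' (where XXX is the PR number).
            type=ref,event=pr

      - name: Build (and push if applicable)
        id: build-and-push
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          push: ${{ steps.strategy.outputs.should_push == 'true' }}
          platforms: |
            linux/amd64
            linux/arm64
            linux/i386
            linux/armhf
            linux/armel
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            # Pass the clean version (e.g., 1.0.0) extracted from metadata to the Dockerfile.
            VERSION=${{ steps.meta.outputs.version }}

      - name: Set up cosign
        if: steps.strategy.outputs.should_push == 'true' && github.event_name == 'push'
        uses: sigstore/cosign-installer@v3

      - name: Sign the container image with cosign
        # Only signs official images built from 'main' branch pushes or tag pushes.
        if: >-
          ${{
            steps.strategy.outputs.should_push == 'true' &&
            github.event_name == 'push' &&
            (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
          }}
        env:
          # Quoted so the value reaches cosign as the string "true", not a YAML boolean.
          COSIGN_EXPERIMENTAL: "true"
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        shell: bash
        run: |
          # `shell: bash` runs with `-e -o pipefail`, so a failing `cosign sign` fails the job.
          if [ -z "${DIGEST}" ]; then
            echo "Digest is empty, aborting image signing."
            exit 1
          fi
          echo "Signing digest: ${DIGEST}"
          # Sign each alias by the immutable digest of the build, never by a mutable tag,
          # so the signature binds to exactly the content that was pushed.
          # Keep this list in sync with `images` in the metadata step above.
          IMAGES=(
            "ghcr.io/obeone/auto_docker_proxy"
            "docker.io/obeoneorg/auto_docker_proxy"
            "ghcr.io/obeone/traefik_network_connector"
            "docker.io/obeoneorg/traefik_network_connector"
          )
          for image in "${IMAGES[@]}"; do
            echo "Signing ${image}@${DIGEST}"
            cosign sign --yes "${image}@${DIGEST}"
          done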