publish-container.yml
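name: Publish Container Images

on:
  push:
    branches: [main]
    tags: ['v*']
  workflow_dispatch:

# Set explicit permissions - only grant what's needed
permissions:
  contents: read   # Needed to check out the repository
  packages: write  # Needed to push to GitHub Container Registry
  # The following permissions are NOT needed and should remain at default (none):
  # - issues
  # - pull-requests
  # - actions
  # - security-events
  # - id-token
  # - deployments

jobs:
  push-to-registry:
    name: Push containers to GitHub Container Registry
    runs-on: ubuntu-latest
    # Job-level permissions are already set at workflow level
    steps:
      # Supply chain: every `uses:` below is pinned to a mutable major-version
      # tag. Pinning to the action's full commit SHA (with the version kept in a
      # trailing comment) protects the build from a moved or compromised tag;
      # the SHAs are not recorded in this file, so take them from each action's
      # release page when pinning.
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Create certificate file for build
        # Secrets are passed through `env:` and read as shell variables instead
        # of being expanded with `${{ secrets.* }}` inside the script body.
        # An expression inside `run:` is spliced into the script as literal
        # text before bash sees it, so a PEM containing quotes or `$` would
        # break (or change) the script. The previous
        # `eval echo \${{ secrets.$SECRET_NAME }}` construct also cannot work:
        # `${{ }}` is evaluated by the workflow engine before the shell runs,
        # and `secrets.$SECRET_NAME` is not a valid expression.
        env:
          CA_BUNDLE: ${{ secrets.CA_BUNDLE }}
          CA_BUNDLE_PART1: ${{ secrets.CA_BUNDLE_PART1 }}
          CA_BUNDLE_PART2: ${{ secrets.CA_BUNDLE_PART2 }}
          CA_BUNDLE_PART3: ${{ secrets.CA_BUNDLE_PART3 }}
          CA_BUNDLE_PART4: ${{ secrets.CA_BUNDLE_PART4 }}
          CA_BUNDLE_PART5: ${{ secrets.CA_BUNDLE_PART5 }}
          CA_BUNDLE_PART6: ${{ secrets.CA_BUNDLE_PART6 }}
          CA_BUNDLE_PART7: ${{ secrets.CA_BUNDLE_PART7 }}
          CA_BUNDLE_PART8: ${{ secrets.CA_BUNDLE_PART8 }}
          CA_BUNDLE_PART9: ${{ secrets.CA_BUNDLE_PART9 }}
          CA_BUNDLE_PART10: ${{ secrets.CA_BUNDLE_PART10 }}
          CA_BUNDLE_PART11: ${{ secrets.CA_BUNDLE_PART11 }}
          CA_BUNDLE_PART12: ${{ secrets.CA_BUNDLE_PART12 }}
          CA_BUNDLE_PART13: ${{ secrets.CA_BUNDLE_PART13 }}
          CA_BUNDLE_PART14: ${{ secrets.CA_BUNDLE_PART14 }}
          CA_BUNDLE_PART15: ${{ secrets.CA_BUNDLE_PART15 }}
          CA_BUNDLE_PART16: ${{ secrets.CA_BUNDLE_PART16 }}
          CA_BUNDLE_PART17: ${{ secrets.CA_BUNDLE_PART17 }}
          CA_BUNDLE_PART18: ${{ secrets.CA_BUNDLE_PART18 }}
          CA_BUNDLE_PART19: ${{ secrets.CA_BUNDLE_PART19 }}
          CA_BUNDLE_PART20: ${{ secrets.CA_BUNDLE_PART20 }}
        run: |
          set -euo pipefail
          mkdir -p certs/org

          # Assemble the bundle from CA_BUNDLE_PART1..CA_BUNDLE_PART20 (exported
          # via `env:` above), stopping at the first part that is unset or empty.
          create_cert_from_parts() {
            # Start with an empty file
            : > certs/org/ca-bundle.pem
            for i in {1..20}; do
              part_var="CA_BUNDLE_PART$i"
              # bash indirect expansion: the value of the variable named in $part_var
              part="${!part_var:-}"
              if [ -n "$part" ]; then
                echo "Adding certificate part $i"
                # printf rather than echo: a part beginning with '-' is not
                # mistaken for an echo option
                printf '%s\n' "$part" >> certs/org/ca-bundle.pem
              else
                # Stop when we run out of parts
                break
              fi
            done
            echo "Using CA certificate assembled from multiple parts"
          }

          # First try using single secret
          if [ -n "${CA_BUNDLE:-}" ]; then
            printf '%s\n' "$CA_BUNDLE" > certs/org/ca-bundle.pem
            echo "Using CA certificate from single secret"
          # Next try using split certificate parts
          elif [ -n "${CA_BUNDLE_PART1:-}" ]; then
            create_cert_from_parts
          else
            # Fallback to empty file
            # NOTE(review): this creates empty-ca-bundle.pem, not ca-bundle.pem;
            # confirm the Dockerfiles expect that name in the no-CA case.
            touch certs/org/empty-ca-bundle.pem
            echo "Using empty CA certificate file"
          fi

      # Ensure the Dockerfiles exist instead of relying on symlinks. The check
      # fails the job early, with a workflow error annotation, rather than
      # letting the build step fail later with a less specific message.
      - name: Prepare Dockerfiles
        run: |
          set -euo pipefail
          for f in Dockerfile Dockerfile.optimized; do
            if [ ! -f "$f" ]; then
              echo "::error::$f not found in repository root"
              exit 1
            fi
          done
          echo "Using Dockerfile for full build"
          echo "Using Dockerfile.optimized for minimal build"

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # The job-scoped GITHUB_TOKEN is limited by the `permissions` block
          # above (packages: write); no long-lived PAT is needed.
          password: ${{ secrets.GITHUB_TOKEN }}

      # The metadata action emits a newline-separated list of tags. Appending
      # "-minimal"/"-full" to `${{ steps.meta.outputs.tags }}` as a single
      # string only suffixed the last tag in that list, so one metadata step
      # per image variant is used and the suffix is applied through `flavor`.
      - name: Extract metadata (minimal image)
        id: meta-minimal
        uses: docker/metadata-action@v4
        with:
          images: ghcr.io/${{ github.repository }}
          flavor: |
            suffix=-minimal,onlatest=true
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha,format=long

      - name: Extract metadata (full image)
        id: meta-full
        uses: docker/metadata-action@v4
        with:
          images: ghcr.io/${{ github.repository }}
          flavor: |
            suffix=-full,onlatest=true
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha,format=long

      - name: Build and push minimal container
        uses: docker/build-push-action@v4
        with:
          context: .
          # Directly use the actual Dockerfile.optimized instead of a symlink
          file: ./Dockerfile.optimized
          push: true
          # NOTE(review): ghcr.io requires lowercase image names and
          # `github.repository` is used verbatim on the fixed tag below (the
          # metadata action lowercases its own output); confirm the repository
          # slug is lowercase or move this tag into the metadata step.
          tags: |
            ghcr.io/${{ github.repository }}:minimal
            ${{ steps.meta-minimal.outputs.tags }}
          labels: ${{ steps.meta-minimal.outputs.labels }}
          # Separate cache scopes so the two Dockerfiles do not evict each
          # other's layers from the shared GitHub Actions cache.
          cache-from: type=gha,scope=minimal
          cache-to: type=gha,mode=max,scope=minimal

      - name: Build and push full container
        uses: docker/build-push-action@v4
        with:
          context: .
          # Directly use the actual Dockerfile instead of a symlink
          file: ./Dockerfile
          push: true
          tags: |
            ghcr.io/${{ github.repository }}:latest
            ghcr.io/${{ github.repository }}:full
            ${{ steps.meta-full.outputs.tags }}
          labels: ${{ steps.meta-full.outputs.labels }}
          build-args: |
            BUILD_TYPE=full
          cache-from: type=gha,scope=full
          cache-to: type=gha,mode=max,scope=full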