diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 9e3045eb..180a8f49 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -10,129 +10,71 @@ on: # as this will break the latest and major tags jobs: - docker-build: - name: Build Docker - runs-on: ${{ matrix.arch.os }} + container-image-build-push: + name: Build and Push container Image if: | github.repository_owner == 'wg-easy' && startsWith(github.ref, 'refs/tags/v') permissions: packages: write - strategy: - fail-fast: false - matrix: - arch: - - platform: linux/amd64 - os: ubuntu-latest - - platform: linux/arm64 - os: ubuntu-24.04-arm - - platform: linux/arm/v7 - os: ubuntu-24.04-arm steps: - uses: actions/checkout@v5 - - name: Prepare - run: | - platform=${{ matrix.arch.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ghcr.io/wg-easy/wg-easy - flavor: | - latest=false - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Build and push by digest - id: build - uses: docker/build-push-action@v6 - with: - context: . 
- platforms: ${{ matrix.arch.platform }} - labels: ${{ steps.meta.outputs.labels }} - tags: ghcr.io/wg-easy/wg-easy - outputs: type=image,push-by-digest=true,name-canonical=true,push=true - cache-from: type=gha,scope=build-${{ env.PLATFORM_PAIR }} - cache-to: type=gha,mode=min,scope=build-${{ env.PLATFORM_PAIR }} - - - name: Export digest - run: | - mkdir -p ${{ runner.temp }}/digests - digest="${{ steps.build.outputs.digest }}" - touch "${{ runner.temp }}/digests/${digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ env.PLATFORM_PAIR }} - path: ${{ runner.temp }}/digests/* - if-no-files-found: error - retention-days: 1 - - docker-merge: - name: Merge & Deploy Docker - runs-on: ubuntu-latest - if: | - github.repository_owner == 'wg-easy' && - startsWith(github.ref, 'refs/tags/v') - permissions: - packages: write - needs: docker-build - steps: - - name: Download digests - uses: actions/download-artifact@v5 + - name: Login to DockerHub + uses: docker/login-action@v3 with: - path: ${{ runner.temp }}/digests - pattern: digests-* - merge-multiple: true - - - name: Login to GitHub Container Registry + username: ${{ secrets.DOCKERHUB_USERNAME }} # TODO + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Docker meta + - name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@v5 with: + # TODO Check if this is the correct image images: | - ghcr.io/wg-easy/wg-easy - flavor: | - latest=false + ${{ secrets.DOCKERHUB_USERNAME }}/wg-easy/wg-easy + ghcr.io/${{ github.repository }} tags: | type=semver,pattern={{version}} type=semver,pattern={{major}} type=semver,pattern={{major}}.{{minor}} - - name: Create manifest list and push - working-directory: ${{ runner.temp }}/digests - 
run: | - docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf 'ghcr.io/wg-easy/wg-easy@sha256:%s ' *) - - - name: Inspect image - run: | - docker buildx imagetools inspect ghcr.io/wg-easy/wg-easy:${{ steps.meta.outputs.version }} + - uses: docker/build-push-action@v6 + id: push + with: + context: . + push: true + platforms: linux/amd64,linux/arm64,linux/arm/v7 + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + # NOTE - Optimization: Compress images with zstd because extraction it's a lot faster and the image is also smaller + outputs: type=image,compression=zstd,force-compression=true + # TODO Cache may require no scope if this is the only built image + # https://docs.docker.com/build/cache/backends/gha/#scope + cache-from: type=gha,scope=build + # TODO - Not sure how big the cache get's but you have to maybe change this back to min + # https://docs.docker.com/build/cache/backends/#cache-mode + cache-to: type=gha,mode=max,scope=build + + - name: Generate artifact attestation (ghcr.io) + uses: actions/attest-build-provenance@v3 + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true docs: name: Build & Deploy Docs @@ -142,7 +84,7 @@ jobs: startsWith(github.ref, 'refs/tags/v') permissions: contents: write - needs: docker-merge + needs: container-image-build-push steps: - uses: actions/checkout@v5
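Review bot: The `actions/attest-build-provenance@v3` step added at the end of the `container-image-build-push` job needs OIDC and attestation scopes that the job's unchanged `permissions:` block (`packages: write` only) does not grant, so the provenance step will fail at runtime on the first tag push; add `id-token: write` and `attestations: write` alongside `packages: write` under that job's `permissions:`. The Docker Hub reference `${{ secrets.DOCKERHUB_USERNAME }}/wg-easy/wg-easy` has three path segments, which Docker Hub repositories (`namespace/name`) do not appear to support, and building a secret into the image name means every resolved tag is masked as `***` in the run logs — the adjacent TODO already flags this, but it should be settled before this workflow gates a release (a repository variable instead of a secret avoids the masking if the username is not sensitive). Provenance is also only attested for the ghcr.io subject, so the Docker Hub copy of the same digest carries no attestation. Finally, the newly introduced action, like the existing ones, is referenced by a floating major tag rather than a commit SHA, which leaves the release pipeline exposed to tag retargeting in upstream actions.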