fuck-github-ci/.github/workflows/build_release_image.yml at cc0098312f0ee2c5817f903c634508594e43f5cf · ayaka-notes/fuck-github-ci · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
# ---------------------------------
# This workflow is used to build release images
# and push them to GitHub Container Registry
#
# Published at:
#     ghcr.io/ayaka-notes/overleaf-pro/
#
# ---------------------------------

name: Build Release Image

# Controls when the workflow will run
on:
  workflow_dispatch:

env:
  GHCR_REGISTRY: ghcr.io
  REGISTRY_IMAGE: ghcr.io/${{ github.repository }}

jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        include:
        - platform: linux/amd64
          runner: ubuntu-latest
        - platform: linux/arm64
          runner: ubuntu-24.04-arm
    runs-on: ${{ matrix.runner }}
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@main
        with:
          repository: ayaka-notes/overleaf-pro
          ref: server-pro
      - name: Resolve MONOREPO_REVISION
        run: |
          echo "MONOREPO_REVISION=$(git rev-parse HEAD)" >> "$GITHUB_ENV"
      - name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}

      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ${{ env.GHCR_REGISTRY }}
          username: ${{github.actor}}
          password: ${{ secrets.ORGTOKEN }}

      # --- We need to sync package-lock.json/i18 to ensure consistency ---
      - name: "Sync package-lock.json And Prepare .dockerignore"
        run: |
          docker run --rm -v "$(pwd)":/workspace -w /workspace node:22.18.0 npm install --package-lock-only --ignore-scripts
          docker run --rm -v "$(pwd)/services/web/":/overleaf/services/web -w /overleaf/services/web ghcr.io/ayaka-notes/overleaf-pro/dev:webpack npm run extract-translations
          cd ./server-ce/
          cp .dockerignore ../

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and push by digest
        id: build_base
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./server-ce/Dockerfile-base
          platforms: ${{ matrix.platform }}
          labels: ${{ steps.meta.outputs.labels }}
          tags: ${{ env.REGISTRY_IMAGE }}-base
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          provenance: false
          sbom: false
      - name: Build app and push by digest
        id: build_app
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./server-ce/Dockerfile
          platforms: ${{ matrix.platform }}
          build-args: |
            OVERLEAF_BASE_TAG=${{ env.REGISTRY_IMAGE }}-base@${{ steps.build_base.outputs.digest }}
          labels: |
            ${{ steps.meta.outputs.labels }}
            com.overleaf.pro.revision=${{ env.MONOREPO_REVISION }}
          tags: ${{ env.REGISTRY_IMAGE }}
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          provenance: false
          sbom: false

      - name: Export digest
        run: |
          mkdir -p ${{ runner.temp }}/digests
          digest="${{ steps.build_app.outputs.digest }}"
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ env.PLATFORM_PAIR }}
          path: ${{ runner.temp }}/digests/*
          if-no-files-found: error
          retention-days: 1

  merge:
    runs-on: ubuntu-latest
    needs:
      - build
    steps:
      - name: Download digests
        uses: actions/download-artifact@v4
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*
          merge-multiple: true

      - name: Login to GHCR Hub
        uses: docker/login-action@v3
        with:
          registry: ${{ env.GHCR_REGISTRY }}
          username: ${{github.actor}}
          password: ${{ secrets.ORGTOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
          tags: |
            type=raw,value=server-pro
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}

      - name: Create manifest list and push
        working-directory: ${{ runner.temp }}/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)

      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:server-pro