JoySafeter/.github/workflows/docker-build.yml at b94531d9eeafbcc69e13b6c4b9f55e466898559d · jd-opensource/JoySafeter · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
name: Docker Build and Push

on:
  push:
    branches:
      - main
      - develop
    tags:
      - 'v*.*.*'
  pull_request:
    branches:
      - main
      - develop
  workflow_dispatch:

env:
  REGISTRY: ghcr.io
  IMAGE_PREFIX: jd-opensource

jobs:
  # =============================================================================
  # Main application images (backend, frontend, init)
  # Triggered on all pushes/PRs to main/develop branches
  # =============================================================================
  build-and-push:
    name: Build and Push Docker Images
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write

    strategy:
      matrix:
        image:
          - name: joysafeter-backend
            context: ./backend
            dockerfile: ./deploy/docker/backend.Dockerfile
          - name: joysafeter-frontend
            context: ./frontend
            dockerfile: ./deploy/docker/frontend.Dockerfile
          - name: joysafeter-openclaw
            context: ./deploy/openclaw
            dockerfile: ./deploy/openclaw/Dockerfile


    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/${{ matrix.image.name }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: ${{ matrix.image.context }}
          file: ${{ matrix.image.dockerfile }}
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            PIP_INDEX_URL=https://mirrors.tuna.tsinghua.edu.cn/pypi/web/simple
            UV_INDEX_URL=https://mirrors.tuna.tsinghua.edu.cn/pypi/web/simple

  # =============================================================================
  # Sandbox image (independent, only triggered when sandbox files change)
  # This image contains security tools and doesn't depend on application source code
  # =============================================================================
  check-sandbox-changes:
    name: Check Sandbox File Changes
    runs-on: ubuntu-latest
    outputs:
      sandbox_changed: ${{ steps.filter.outputs.sandbox }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Check for sandbox file changes
        uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            sandbox:
              - 'deploy/docker/sandbox.Dockerfile'
              - 'deploy/docker/configs/**'
              - 'deploy/docker/entrypoint.sh'

  build-sandbox:
    name: Build and Push Sandbox Image
    runs-on: ubuntu-latest
    needs: check-sandbox-changes
    # Build sandbox only when:
    # 1. Sandbox-related files changed (push/PR)
    # 2. Manual trigger (workflow_dispatch)
    # 3. Tag push (for releases)
    if: |
      needs.check-sandbox-changes.outputs.sandbox_changed == 'true' ||
      github.event_name == 'workflow_dispatch' ||
      startsWith(github.ref, 'refs/tags/')
    permissions:
      contents: read
      packages: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/joysafeter-sandbox
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Build and push Sandbox image
        uses: docker/build-push-action@v5
        with:
          context: ./deploy/docker
          file: ./deploy/docker/sandbox.Dockerfile
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max