duplistatus/.github/workflows/docker-image.yml at master · wsj-br/duplistatus · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
name: Build and Publish Docker Image

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag_as_latest:
        description: "Tag this build as 'latest' (only for manual runs)"
        required: false
        default: false
        type: boolean

# ─────────────────────────────────────────────────────────────
# Strategy: Build each architecture on its NATIVE runner, then
# merge the per-arch digests into a single multi-arch manifest.
# This eliminates QEMU emulation entirely.
#
# Available free runners for public repos (as of early 2025):
#   • ubuntu-latest        → x86_64
#   • ubuntu-latest-arm64  → arm64  (public preview)
# ─────────────────────────────────────────────────────────────

jobs:
  # ──────────────────────────────────────────────────────────
  # 1. Prepare: extract version and "latest" flag once
  # ──────────────────────────────────────────────────────────
  prepare:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.package_version.outputs.version }}
      is_latest: ${{ steps.is_latest.outputs.is_latest }}
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
        with:
          fetch-depth: 0

      - name: Get package.json version
        id: package_version
        run: |
          VERSION=$(node -p "require('./package.json').version")
          echo "version=$VERSION" >> $GITHUB_OUTPUT
          echo "Package version: $VERSION"

      - name: Check if this is the latest release
        id: is_latest
        run: |
          # For release event, compare this release's tag to the newest tag in the repo (by version).
          # For workflow_dispatch, use the optional "tag_as_latest" input.
          if [ "${{ github.event_name }}" = "release" ]; then
            CURRENT_TAG="${{ github.event.release.tag_name }}"
            LATEST_TAG=$(git tag -l --sort=-v:refname 2>/dev/null | head -1 || echo "")
            if [ -n "$LATEST_TAG" ] && [ "$LATEST_TAG" = "$CURRENT_TAG" ]; then
              echo "is_latest=true" >> $GITHUB_OUTPUT
              echo "This is the latest release ($CURRENT_TAG)"
            else
              echo "is_latest=false" >> $GITHUB_OUTPUT
              echo "This is not the latest release (current=$CURRENT_TAG, latest=$LATEST_TAG)"
            fi
          else
            if [ "${{ github.event.inputs.tag_as_latest }}" = "true" ]; then
              echo "is_latest=true" >> $GITHUB_OUTPUT
              echo "Manual run: tagging as latest (user requested)"
            else
              echo "is_latest=false" >> $GITHUB_OUTPUT
              echo "Manual run: not tagging as latest"
            fi
          fi

  # ──────────────────────────────────────────────────────────
  # 2. Build: run each arch natively in parallel
  # ──────────────────────────────────────────────────────────
  build:
    needs: prepare
    strategy:
      fail-fast: false
      matrix:
        include:
          - runner: ubuntu-latest
            platform: linux/amd64
            arch_suffix: amd64
          - runner: ubuntu-24.04-arm  # or ubuntu-22.04-arm
            platform: linux/arm64
            arch_suffix: arm64
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read
      packages: write
    outputs:
      # Each matrix leg exposes its digest via a unique output key
      digest-amd64: ${{ steps.set_digest.outputs.digest-amd64 }}
      digest-arm64: ${{ steps.set_digest.outputs.digest-arm64 }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Build and push a per-architecture image by digest (no tag).
      # Tags are applied later in the merge step.
      - name: Build and push by digest (GHCR)
        id: build_ghcr
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: ${{ matrix.platform }}
          outputs: type=image,name=ghcr.io/${{ github.repository }},push-by-digest=true,name-canonical=true,push=true

      - name: Build and push by digest (Docker Hub)
        id: build_dockerhub
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: ${{ matrix.platform }}
          outputs: type=image,name=${{ secrets.DOCKERHUB_USERNAME }}/duplistatus,push-by-digest=true,name-canonical=true,push=true

      # Export digests for the merge step
      - name: Export digests
        run: |
          mkdir -p /tmp/digests/ghcr /tmp/digests/dockerhub
          digest_ghcr="${{ steps.build_ghcr.outputs.digest }}"
          digest_dh="${{ steps.build_dockerhub.outputs.digest }}"
          touch "/tmp/digests/ghcr/${digest_ghcr#sha256:}"
          touch "/tmp/digests/dockerhub/${digest_dh#sha256:}"

      - name: Upload GHCR digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-ghcr-${{ matrix.arch_suffix }}
          path: /tmp/digests/ghcr/*
          if-no-files-found: error
          retention-days: 1

      - name: Upload Docker Hub digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-dockerhub-${{ matrix.arch_suffix }}
          path: /tmp/digests/dockerhub/*
          if-no-files-found: error
          retention-days: 1

  # ──────────────────────────────────────────────────────────
  # 3. Merge: create multi-arch manifests and apply tags
  # ──────────────────────────────────────────────────────────
  merge:
    needs: [prepare, build]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      # ── Download all per-arch digests ──
      - name: Download GHCR digests
        uses: actions/download-artifact@v4
        with:
          path: /tmp/digests/ghcr
          pattern: digests-ghcr-*
          merge-multiple: true

      - name: Download Docker Hub digests
        uses: actions/download-artifact@v4
        with:
          path: /tmp/digests/dockerhub
          pattern: digests-dockerhub-*
          merge-multiple: true

      # ── Login to registries ──
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # ── Compute tags ──
      # Always tag with version (e.g. 1.3.1). When is_latest, also tag as latest.
      - name: Compute image tags
        id: tags
        run: |
          VERSION="${{ needs.prepare.outputs.version }}"
          IS_LATEST="${{ needs.prepare.outputs.is_latest }}"

          # GHCR: version tag always, latest when requested or when release is latest
          GHCR_TAGS="-t ghcr.io/${{ github.repository }}:${VERSION}"
          if [ "$IS_LATEST" = "true" ]; then
            GHCR_TAGS="${GHCR_TAGS} -t ghcr.io/${{ github.repository }}:latest"
          fi

          # Docker Hub: same
          DH_IMAGE="${{ secrets.DOCKERHUB_USERNAME }}/duplistatus"
          DH_TAGS="-t ${DH_IMAGE}:${VERSION}"
          if [ "$IS_LATEST" = "true" ]; then
            DH_TAGS="${DH_TAGS} -t ${DH_IMAGE}:latest"
          fi

          echo "ghcr_tags=${GHCR_TAGS}" >> $GITHUB_OUTPUT
          echo "dh_tags=${DH_TAGS}" >> $GITHUB_OUTPUT
          echo "version_tag=${VERSION}" >> $GITHUB_OUTPUT

      # ── Create and push multi-arch manifests ──
      - name: Create multi-arch manifest (GHCR)
        working-directory: /tmp/digests/ghcr
        run: |
          docker buildx imagetools create \
            ${{ steps.tags.outputs.ghcr_tags }} \
            $(printf 'ghcr.io/${{ github.repository }}@sha256:%s ' *)

      - name: Create multi-arch manifest (Docker Hub)
        working-directory: /tmp/digests/dockerhub
        run: |
          docker buildx imagetools create \
            ${{ steps.tags.outputs.dh_tags }} \
            $(printf '${{ secrets.DOCKERHUB_USERNAME }}/duplistatus@sha256:%s ' *)

      # ── Verify ──
      - name: Inspect GHCR manifest
        run: |
          docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.tags.outputs.version_tag }}

      - name: Inspect Docker Hub manifest
        run: |
          docker buildx imagetools inspect ${{ secrets.DOCKERHUB_USERNAME }}/duplistatus:${{ steps.tags.outputs.version_tag }}