forked from upshift-docker/nut-upsd
-
Notifications
You must be signed in to change notification settings - Fork 4
139 lines (133 loc) · 6.83 KB
/
publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
name: Publish Docker image
permissions:
contents: read
on:
push:
tags:
- "v*"
jobs:
push-to-registry:
name: Push Docker image to Docker hub
runs-on: ubuntu-latest
environment:
name: Build Docker images
strategy:
fail-fast: false
max-parallel: 4
matrix:
include:
# All non supported by base image are commented
- { platform: "linux/arm64", platform-tag: "arm64" }
- { platform: "linux/amd64", platform-tag: "amd64" }
- { platform: "linux/arm/v7", platform-tag: "armv7" }
- { platform: "linux/arm/v6", platform-tag: "armv6" }
- { platform: "linux/ppc64le", platform-tag: "ppc64le" }
#- { platform: "linux/riscv64", platform-tag: "riscv64" }
- { platform: "linux/s390x", platform-tag: "s390x" }
- { platform: "linux/386", platform-tag: "386" }
#- { platform: "linux/mips64le", platform-tag: "mips64le" }
#- { platform: "linux/mips64", platform-tag: "mips64" }
steps:
- name: Check out the repository
uses: actions/checkout@v4
- name: Login to DockerHub
uses: docker/login-action@v3
with:
registry: docker.io
username: ${{ secrets.DOCKER_REPOSITORY_LOGIN }}
password: ${{ secrets.DOCKER_REPOSITORY_PASSWORD }}
# https://github.com/docker/setup-qemu-action
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
# https://github.com/docker/setup-buildx-action
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push the image
run: make docker-build
env:
DOCKER_BUILDKIT: 1
PLATFORM: "${{ matrix.platform }}"
IMAGE_TAG: "docker.io/botsudo/nut-upsd:${{ matrix.platform-tag }}-latest"
ACTION: push
# Disable provenance to remove the attestation from the pushed image
# See: https://github.com/docker/buildx/issues/1509
# It makes: docker.io/botsudo/docker-rustpython:<arch>-latest a manifest list
# And docker manifest create does not like that
EXTRA_ARGS: "--provenance=false"
sign-manifest:
name: Sign the docker hub manifest
runs-on: ubuntu-latest
needs: push-to-registry
environment:
name: Build Docker images
steps:
- name: Login to DockerHub
uses: docker/login-action@v3
with:
registry: docker.io
username: ${{ secrets.DOCKER_REPOSITORY_LOGIN }}
password: ${{ secrets.DOCKER_REPOSITORY_PASSWORD }}
- name: Create a manifest
env:
DOCKER_CLI_EXPERIMENTAL: enabled
run: |
docker manifest create docker.io/botsudo/nut-upsd:latest \
docker.io/botsudo/nut-upsd:arm64-latest \
docker.io/botsudo/nut-upsd:amd64-latest \
docker.io/botsudo/nut-upsd:armv7-latest \
docker.io/botsudo/nut-upsd:armv6-latest \
docker.io/botsudo/nut-upsd:ppc64le-latest \
docker.io/botsudo/nut-upsd:s390x-latest \
docker.io/botsudo/nut-upsd:386-latest \
--amend
- name: Sign the manifest
uses: sudo-bot/action-docker-sign@latest
with:
image-ref: "docker.io/botsudo/nut-upsd:latest"
private-key-id: "${{ vars.DOCKER_PRIVATE_KEY_ID }}"
private-key: ${{ secrets.DOCKER_PRIVATE_KEY }}
private-key-passphrase: ${{ secrets.DOCKER_PRIVATE_KEY_PASSPHRASE }}
private-key-name: "${{ vars.DOCKER_PRIVATE_KEY_NAME }}"
sign-manifest: true
notary-auth: "${{ secrets.DOCKER_REPOSITORY_LOGIN }}:${{ secrets.DOCKER_REPOSITORY_PASSWORD }}"
tags-cleanup:
runs-on: ubuntu-latest
needs: sign-manifest
name: Cleanup build tags
environment:
name: Build Docker images
steps:
- name: Install Docker hub-tool
run: |
curl -sL https://github.com/docker/hub-tool/releases/download/v0.4.6/hub-tool-linux-amd64.tar.gz -o hub-tool-linux.tar.gz
tar --strip-components=1 -xzf ./hub-tool-linux.tar.gz
./hub-tool --version
- name: Login hub-tool
run: |
# Fool the login command (https://github.com/docker/hub-tool/pull/198)
# ./hub-tool login
# Token commands thank to https://stackoverflow.com/a/59334315/5155484
HUB_TOKEN=$(curl -s -H "Content-Type: application/json" -X POST -d "{\"username\": \"$DOCKER_USERNAME\", \"password\": \"$DOCKER_PASSWORD\"}" https://hub.docker.com/v2/users/login/ | jq -r .token)
USERNAME="$(printf '%s:' "$DOCKER_USERNAME" | base64 -w0)"
USER_PASS="$(printf '%s:%s' "$DOCKER_USERNAME" "$DOCKER_PASSWORD" | base64 -w0)"
mkdir -p ~/.docker/
printf '{"auths": {"hub-tool": {"auth": "%s"}, "hub-tool-refresh-token": {"auth": "%s"}, "hub-tool-token": { "auth": "%s", "identitytoken": "%s"}}}' \
"$USER_PASS" "$USERNAME" \
"$USERNAME" "$HUB_TOKEN" \
> ~/.docker/config.json
env:
DOCKER_USERNAME: ${{ secrets.DOCKER_REPOSITORY_LOGIN }}
DOCKER_PASSWORD: ${{ secrets.DOCKER_REPOSITORY_PASSWORD }}
- name: Remove the temporary images via hub-tool
run: |
./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:arm64-latest || true
./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:amd64-latest || true
./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:armv7-latest || true
./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:armv6-latest || true
./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:ppc64le-latest || true
./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:s390x-latest || true
./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:386-latest || true
./hub-tool tag ls --verbose docker.io/botsudo/nut-upsd
- name: Logout hub-tool
if: always()
run: rm ~/.docker/config.json