Migrate to docker actions

Originally just wanted to add the standard opencontainer labels that docker/metadata provide but with "mr-smithers-excellent" seemed to only half implement docker support, and a higher risk than docker for supply chain issues, so I went all out and also added cosign to sign the images. Docker metadata tags supports all the custom code to create version tags, out of the box and fully maintained Also dropped the manual workflow, just merged it into cd.yml since you can select tags when you manual dispatch, and thats less to maintain
2025-12-06 01:18:00 +01:00 · 2025-09-06 00:49:55 -07:00 · 2025-09-06 00:49:55 -07:00 · bf4e6ea96f
commit bf4e6ea96f
parent 1b6da0aaa0
3 changed files with 81 additions and 88 deletions
--- a/.github/workflows/cd-cloud.yml
+++ b/.github/workflows/cd-cloud.yml
@ -1,4 +1,4 @@
-name: Create docker images
+name: Create docker images (cloud)

 on:
  push:
--- a/.github/workflows/cd-manual.yml
+++ b/.github/workflows/cd-manual.yml
@ -1,58 +0,0 @@
-name: Create docker images (manual)
-
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        type: string
-        description: Version
-        required: true
-
-jobs:
-  build:
-    name: Build, push, and deploy
-    runs-on: ubuntu-latest
-
-    strategy:
-      matrix:
-        db-type: [postgresql, mysql]
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Extract version parts from input
-        id: extract_version
-        run: |
-          echo "version=$(echo ${{ github.event.inputs.version }})" >> $GITHUB_ENV
-          echo "major=$(echo ${{ github.event.inputs.version }} | cut -d. -f1)" >> $GITHUB_ENV
-          echo "minor=$(echo ${{ github.event.inputs.version }} | cut -d. -f2)" >> $GITHUB_ENV
-
-      - name: Generate tags
-        id: generate_tags
-        run: |
-          echo "tag_major=$(echo ${{ matrix.db-type }}-${{ env.major }})" >> $GITHUB_ENV
-          echo "tag_minor=$(echo ${{ matrix.db-type }}-${{ env.major }}.${{ env.minor }})" >> $GITHUB_ENV
-          echo "tag_patch=$(echo ${{ matrix.db-type }}-${{ env.version }})" >> $GITHUB_ENV
-          echo "tag_latest=$(echo ${{ matrix.db-type }}-latest)" >> $GITHUB_ENV
-
-      - uses: mr-smithers-excellent/docker-build-push@v6
-        name: Build & push Docker image to ghcr.io for ${{ matrix.db-type }}
-        with:
-          image: umami
-          tags: ${{ env.tag_major }}, ${{ env.tag_minor }}, ${{ env.tag_patch }}, ${{ env.tag_latest }}
-          buildArgs: DATABASE_TYPE=${{ matrix.db-type }}
-          registry: ghcr.io
-          multiPlatform: true
-          platform: linux/amd64,linux/arm64
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: mr-smithers-excellent/docker-build-push@v6
-        name: Build & push Docker image to docker.io for ${{ matrix.db-type }}
-        with:
-          image: umamisoftware/umami
-          tags: ${{ env.tag_major }}, ${{ env.tag_minor }}, ${{ env.tag_patch }}, ${{ env.tag_latest }}
-          buildArgs: DATABASE_TYPE=${{ matrix.db-type }}
-          registry: docker.io
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@ -1,50 +1,101 @@
 name: Create docker images

-on: [create]
+on:
+  push:
+    branches:
+      - master
+      - main
+      - dev
+    # Publish semver tags as releases.
+    tags: [ 'v*.*.*' ]
+  pull_request:
+    branches:
+      - master
+      - main
+      - dev
+  workflow_dispatch:

 jobs:
  build:
    name: Build, push, and deploy
-    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write

    strategy:
      matrix:
        db-type: [postgresql, mysql]

    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5

-      - name: Set env
-        run: |
-          echo "NOW=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@v3

-      - name: Generate tags
-        id: generate_tags
-        run: |
-          echo "tag_patch=$(echo ${{ matrix.db-type }})-${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-          echo "tag_minor=$(echo ${{ matrix.db-type }})-$(echo ${GITHUB_REF#refs/tags/} | cut -d. -f1,2)" >> $GITHUB_ENV
-          echo "tag_major=$(echo ${{ matrix.db-type }})-$(echo ${GITHUB_REF#refs/tags/} | cut -d. -f1)" >> $GITHUB_ENV
-          echo "tag_latest=$(echo ${{ matrix.db-type }})-latest" >> $GITHUB_ENV
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3

-      - uses: mr-smithers-excellent/docker-build-push@v6
-        name: Build & push Docker image to ghcr.io for ${{ matrix.db-type }}
+      - name: Log into registry docker.io
+        if: github.event_name != 'pull_request' && github.repository == 'umami-software/umami' 
+        uses: docker/login-action@v3
        with:
-          image: umami
-          tags: ${{ env.tag_major }}, ${{ env.tag_minor }}, ${{ env.tag_patch }}, ${{ env.tag_latest }}
-          buildArgs: DATABASE_TYPE=${{ matrix.db-type }}
-          registry: ghcr.io
-          multiPlatform: true
-          platform: linux/amd64,linux/arm64
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: mr-smithers-excellent/docker-build-push@v6
-        name: Build & push Docker image to docker.io for ${{ matrix.db-type }}
-        with:
-          image: umamisoftware/umami
-          tags: ${{ env.tag_major }}, ${{ env.tag_minor }}, ${{ env.tag_patch }}, ${{ env.tag_latest }}
-          buildArgs: DATABASE_TYPE=${{ matrix.db-type }}
          registry: docker.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Log into ghcr registry 
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            umamisoftware/umami,enable=${{ github.repository == 'umami-software/umami' }}
+            ghcr.io/${{ github.repository }}
+          flavor: |
+            latest=auto
+            prefix=${{ matrix.db-type }}-
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+
+            # output 1.1.2
+            type=semver,pattern={{version}}
+            # output 1.1
+            type=semver,pattern={{major}}.{{minor}}
+            # output 1
+            type=semver,pattern={{major}}
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          build-args: DATABASE_TYPE=${{ matrix.db-type }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # Sign the resulting Docker image digest except on PRs.
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"