diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index a4934e79..6569954e 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -7,7 +7,7 @@ on: workflow_dispatch: inputs: version: - description: 'Optional image version (e.g. 3.0.0, beta)' + description: 'Optional image version (e.g. 3.0.0, v3.0.0, or 3.0.0-beta.1)' required: false default: '' @@ -18,17 +18,20 @@ jobs: permissions: contents: read packages: write - id-token: write steps: - uses: actions/checkout@v5 - - name: Install cosign - uses: sigstore/cosign-installer@v3 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Log into GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Log into Docker Hub if: github.repository == 'umami-software/umami' uses: docker/login-action@v3 @@ -37,62 +40,53 @@ jobs: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - - name: Log into GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Normalize manual input if provided - - name: Normalize manual version - id: normalize + - name: Compute version tags + id: compute run: | INPUT="${{ github.event.inputs.version }}" + REF_TYPE="${{ github.ref_type }}" + REF_NAME="${{ github.ref_name }}" + + # Determine version source if [[ -n "$INPUT" ]]; then VERSION="${INPUT#v}" - MAJOR=$(echo "$VERSION" | cut -d. -f1) - MINOR=$(echo "$VERSION" | cut -d. -f2) - echo "version_tags=${VERSION},${MAJOR}.${MINOR},${MAJOR},latest" >> $GITHUB_ENV + elif [[ "$REF_TYPE" == "tag" ]]; then + VERSION="${REF_NAME#v}" else - echo "version_tags=" >> $GITHUB_ENV + VERSION="" fi - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: | - umamisoftware/umami,enable=${{ github.repository == 'umami-software/umami' }} - ghcr.io/${{ github.repository }} - flavor: | - latest=auto - tags: | - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=raw,value=${{ env.version_tags }},enable=${{ env.version_tags != '' }} - type=ref,event=branch - type=sha + TAGS="" + + if [[ -n "$VERSION" ]]; then + MAJOR=$(echo "$VERSION" | cut -d. -f1) + MINOR=$(echo "$VERSION" | cut -d. -f2) + + if [[ "$VERSION" == *-* ]]; then + # prerelease: only version tag + TAGS="$VERSION" + else + # stable release: version + hierarchy + latest + TAGS="$VERSION,${MAJOR}.${MINOR},${MAJOR},postgresql-latest,latest" + fi + else + # Non-tag build (e.g. from main branch) + TAGS="${REF_NAME}" + fi + + echo "tags=$TAGS" >> $GITHUB_OUTPUT + echo "Computed tags: $TAGS" - name: Build and push Docker image - id: build-and-push + id: build uses: docker/build-push-action@v6 with: context: . - platforms: linux/amd64,linux/arm64 push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} + platforms: linux/amd64,linux/arm64 cache-from: type=gha cache-to: type=gha,mode=max - provenance: false # disable automatic attestations - - # Generate a local provenance attestation instead of uploading signatures - - name: Generate provenance attestation - run: | - cosign attest --yes \ - --predicate <(echo '{"build":"github-actions","repo":"${{ github.repository }}","run_id":"${{ github.run_id }}"}') \ - --type slsaprovenance \ - ${{ steps.meta.outputs.tags }} - + provenance: false + tags: | + ghcr.io/${{ github.repository }}:${{ steps.compute.outputs.tags }} + ${{ github.repository == 'umami-software/umami' && format('umamisoftware/umami:{0}', steps.compute.outputs.tags) || '' }} diff --git a/README.md b/README.md index 6d166d8c..d3791e26 100644 --- a/README.md +++ b/README.md @@ -89,7 +89,7 @@ docker compose up -d Alternatively, to pull just the Umami Docker image with PostgreSQL support: ```bash -docker pull docker.umami.is/umami-software/umami:postgresql-latest +docker pull docker.umami.is/umami-software/umami:latest ``` ---