diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 6569954ea..a4934e797 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -7,7 +7,7 @@ on:
 workflow_dispatch:
 inputs:
 version:
- description: 'Optional image version (e.g. 3.0.0, v3.0.0, or 3.0.0-beta.1)'
+ description: 'Optional image version (e.g. 3.0.0, beta)'
 required: false
 default: ''
@@ -18,20 +18,17 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write
 steps:
 - uses: actions/checkout@v5
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3
+
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
- - name: Log into GHCR
- uses: docker/login-action@v3
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
 - name: Log into Docker Hub
 if: github.repository == 'umami-software/umami'
 uses: docker/login-action@v3
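Review bot: The new `uses: sigstore/cosign-installer@v3` (like the `actions/checkout@v5` beside it) references a floating major tag rather than a commit SHA, and the same hunk grants `id-token: write` to the whole job, so whoever can move that tag can run code that mints an OIDC token speaking as this repository's workflow identity. Pin every action that runs under this permission to its full commit SHA with the version in a trailing comment, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # v3`, and check whether `id-token: write` can be confined to the step that actually attests rather than the job. The `permissions:` block and the `steps:` list both begin and end outside this hunk. A smaller point on the first hunk: the input description now advertises `beta` as an accepted value, but nothing visible in the workflow treats a non-semver string specially, so `'Optional semver image version (e.g. 3.0.0 or v3.0.0)'` would stop inviting input the later normalize step cannot handle.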
@@ -40,53 +37,62 @@ jobs:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
- - name: Compute version tags
- id: compute
+ - name: Log into GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Normalize manual input if provided
+ - name: Normalize manual version
+ id: normalize
 run: |
 INPUT="${{ github.event.inputs.version }}"
- REF_TYPE="${{ github.ref_type }}"
- REF_NAME="${{ github.ref_name }}"
-
- # Determine version source
 if [[ -n "$INPUT" ]]; then
 VERSION="${INPUT#v}"
- elif [[ "$REF_TYPE" == "tag" ]]; then
- VERSION="${REF_NAME#v}"
- else
- VERSION=""
- fi
-
- TAGS=""
-
- if [[ -n "$VERSION" ]]; then
 MAJOR=$(echo "$VERSION" | cut -d. -f1)
 MINOR=$(echo "$VERSION" | cut -d. -f2)
-
- if [[ "$VERSION" == *-* ]]; then
- # prerelease: only version tag
- TAGS="$VERSION"
- else
- # stable release: version + hierarchy + latest
- TAGS="$VERSION,${MAJOR}.${MINOR},${MAJOR},postgresql-latest,latest"
- fi
+ echo "version_tags=${VERSION},${MAJOR}.${MINOR},${MAJOR},latest" >> $GITHUB_ENV
 else
- # Non-tag build (e.g. from main branch)
- TAGS="${REF_NAME}"
+ echo "version_tags=" >> $GITHUB_ENV
 fi
- echo "tags=$TAGS" >> $GITHUB_OUTPUT
- echo "Computed tags: $TAGS"
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ umamisoftware/umami,enable=${{ github.repository == 'umami-software/umami' }}
+ ghcr.io/${{ github.repository }}
+ flavor: |
+ latest=auto
+ tags: |
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=raw,value=${{ env.version_tags }},enable=${{ env.version_tags != '' }}
+ type=ref,event=branch
+ type=sha
 - name: Build and push Docker image
- id: build
+ id: build-and-push
 uses: docker/build-push-action@v6
 with:
 context: .
- push: true
 platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
- provenance: false
- tags: |
- ghcr.io/${{ github.repository }}:${{ steps.compute.outputs.tags }}
- ${{ github.repository == 'umami-software/umami' && format('umamisoftware/umami:{0}', steps.compute.outputs.tags) || '' }}
+ provenance: false # disable automatic attestations
+
+ # Generate a local provenance attestation instead of uploading signatures
+ - name: Generate provenance attestation
+ run: |
+ cosign attest --yes \
+ --predicate <(echo '{"build":"github-actions","repo":"${{ github.repository }}","run_id":"${{ github.run_id }}"}') \
+ --type slsaprovenance \
+ ${{ steps.meta.outputs.tags }}
+
diff --git a/README.md b/README.md
index d3791e269..6d166d8c8 100644
--- a/README.md
+++ b/README.md
@@ -89,7 +89,7 @@ docker compose up -d
 Alternatively, to pull just the Umami Docker image with PostgreSQL support:
 ```bash
-docker pull docker.umami.is/umami-software/umami:latest
+docker pull docker.umami.is/umami-software/umami:postgresql-latest
 ```
 ---
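Review bot: The final `cosign attest` is handed `${{ steps.meta.outputs.tags }}`, which metadata-action emits as a newline-separated list, so after the `\` continuation only the first tag becomes the attest target and every remaining tag is run as its own shell command — and a tag is a mutable reference anyway, so even that first attestation is not bound to the image this job just pushed. Attest the immutable digest build-push-action returns instead, `ghcr.io/${{ github.repository }}@${{ steps.build-and-push.outputs.digest }}`, and be aware that the hand-written `{"build":…}` JSON is not a SLSA provenance predicate even though it is uploaded under `--type slsaprovenance`, while the step comment saying "local … instead of uploading signatures" is misleading because keyless `cosign attest` pushes the attestation to the registry and, by default, to the Rekor log. The rewritten normalize step also drops the prerelease guard the removed code had: a manual `3.0.0-beta.1` (or the `beta` the updated input description suggests) now emits `${MAJOR}.${MINOR}`, `${MAJOR}` and `latest`, so a pre-release overwrites the stable-channel tags — restore the removed `if [[ "$VERSION" == *-* ]]` branch so a pre-release writes `version_tags=${VERSION}` only. As far as I can tell metadata-action parses each `tags:` line as comma-separated `key=value` attributes, so `type=raw,value=3.0.0,3.0,3,latest` is likely to be rejected or misparsed rather than yield four tags; one manual dispatch would confirm. Finally, `postgresql-latest` is removed from the tag set here while the README hunk below now tells users to pull exactly that tag, unless another workflow still publishes it.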