From 6ee93f7ac92a49ece115024e46d2dce51c963ebf Mon Sep 17 00:00:00 2001 From: Mike Cao Date: Fri, 7 Nov 2025 12:21:17 -0800 Subject: [PATCH 1/4] Updated README and cd.yml. --- .github/workflows/cd.yml | 59 ++++++++++++++++++++++------------------ README.md | 2 +- 2 files changed, 34 insertions(+), 27 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index a4934e797..534b23210 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -7,7 +7,7 @@ on: workflow_dispatch: inputs: version: - description: 'Optional image version (e.g. 3.0.0, beta)' + description: 'Optional image version (e.g. 3.0.0, v3.0.0, or 3.0.0-beta.1)' required: false default: '' @@ -29,6 +29,13 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Log into GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Log into Docker Hub if: github.repository == 'umami-software/umami' uses: docker/login-action@v3 @@ -37,27 +44,29 @@ jobs: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - - name: Log into GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Normalize manual input if provided - - name: Normalize manual version - id: normalize + # Compute tags for the image + - name: Compute version tags + id: compute run: | INPUT="${{ github.event.inputs.version }}" + TAGS="" + if [[ -n "$INPUT" ]]; then - VERSION="${INPUT#v}" + VERSION="${INPUT#v}" # strip leading v MAJOR=$(echo "$VERSION" | cut -d. -f1) MINOR=$(echo "$VERSION" | cut -d. -f2) - echo "version_tags=${VERSION},${MAJOR}.${MINOR},${MAJOR},latest" >> $GITHUB_ENV - else - echo "version_tags=" >> $GITHUB_ENV + + # prereleases (e.g., 3.0.0-beta) do NOT get 'latest' + if [[ "$VERSION" == *-* ]]; then + TAGS="${VERSION}" + else + TAGS="${VERSION},${MAJOR}.${MINOR},${MAJOR},latest" + fi fi + echo "tags=$TAGS" >> $GITHUB_OUTPUT + echo "Computed tags: $TAGS" + - name: Extract Docker metadata id: meta uses: docker/metadata-action@v5 @@ -65,34 +74,32 @@ jobs: images: | umamisoftware/umami,enable=${{ github.repository == 'umami-software/umami' }} ghcr.io/${{ github.repository }} - flavor: | - latest=auto tags: | - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=raw,value=${{ env.version_tags }},enable=${{ env.version_tags != '' }} + type=semver,pattern={{version}},enable=${{ github.ref_type == 'tag' }} + type=semver,pattern={{major}}.{{minor}},enable=${{ github.ref_type == 'tag' }} + type=semver,pattern={{major}},enable=${{ github.ref_type == 'tag' }} + type=raw,value=${{ steps.compute.outputs.tags }},enable=${{ steps.compute.outputs.tags != '' }} type=ref,event=branch type=sha + # Build and push images - name: Build and push Docker image id: build-and-push uses: docker/build-push-action@v6 with: context: . - platforms: linux/amd64,linux/arm64 push: true + platforms: linux/amd64,linux/arm64 tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - provenance: false # disable automatic attestations + provenance: false # disable automatic registry attestations - # Generate a local provenance attestation instead of uploading signatures - - name: Generate provenance attestation + # Generate a local provenance attestation (not uploaded) + - name: Generate local provenance attestation run: | cosign attest --yes \ --predicate <(echo '{"build":"github-actions","repo":"${{ github.repository }}","run_id":"${{ github.run_id }}"}') \ --type slsaprovenance \ ${{ steps.meta.outputs.tags }} - diff --git a/README.md b/README.md index 6d166d8c8..d3791e269 100644 --- a/README.md +++ b/README.md @@ -89,7 +89,7 @@ docker compose up -d Alternatively, to pull just the Umami Docker image with PostgreSQL support: ```bash -docker pull docker.umami.is/umami-software/umami:postgresql-latest +docker pull docker.umami.is/umami-software/umami:latest ``` --- From 8119dae3c3d951f9525c3d2e03587f451dd9dc14 Mon Sep 17 00:00:00 2001 From: Mike Cao Date: Fri, 7 Nov 2025 13:59:50 -0800 Subject: [PATCH 2/4] Updated GH workflow. --- .github/workflows/cd.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 534b23210..f44d17689 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -23,9 +23,6 @@ jobs: steps: - uses: actions/checkout@v5 - - name: Install cosign - uses: sigstore/cosign-installer@v3 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -95,11 +92,3 @@ jobs: cache-from: type=gha cache-to: type=gha,mode=max provenance: false # disable automatic registry attestations - - # Generate a local provenance attestation (not uploaded) - - name: Generate local provenance attestation - run: | - cosign attest --yes \ - --predicate <(echo '{"build":"github-actions","repo":"${{ github.repository }}","run_id":"${{ github.run_id }}"}') \ - --type slsaprovenance \ - ${{ steps.meta.outputs.tags }} From e3ca002d77827430e7df155da31ffcc4b9c8aa13 Mon Sep 17 00:00:00 2001 From: Mike Cao Date: Fri, 7 Nov 2025 14:35:05 -0800 Subject: [PATCH 3/4] Fixed tags in build. --- .github/workflows/cd.yml | 51 +++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 27 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index f44d17689..f21f58aa1 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -18,7 +18,6 @@ jobs: permissions: contents: read packages: write - id-token: write steps: - uses: actions/checkout@v5 @@ -41,54 +40,52 @@ jobs: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - # Compute tags for the image - name: Compute version tags id: compute run: | INPUT="${{ github.event.inputs.version }}" + REF_TYPE="${{ github.ref_type }}" + REF_NAME="${{ github.ref_name }}" + + # Determine version source + if [[ -n "$INPUT" ]]; then + VERSION="${INPUT#v}" + elif [[ "$REF_TYPE" == "tag" ]]; then + VERSION="${REF_NAME#v}" + else + VERSION="" + fi + TAGS="" - if [[ -n "$INPUT" ]]; then - VERSION="${INPUT#v}" # strip leading v + if [[ -n "$VERSION" ]]; then MAJOR=$(echo "$VERSION" | cut -d. -f1) MINOR=$(echo "$VERSION" | cut -d. -f2) - # prereleases (e.g., 3.0.0-beta) do NOT get 'latest' if [[ "$VERSION" == *-* ]]; then - TAGS="${VERSION}" + # prerelease: only version tag + TAGS="$VERSION" else - TAGS="${VERSION},${MAJOR}.${MINOR},${MAJOR},latest" + # stable release: version + hierarchy + latest + TAGS="$VERSION,${MAJOR}.${MINOR},${MAJOR},latest" fi + else + # Non-tag build (e.g. from main branch) + TAGS="${REF_NAME}" fi echo "tags=$TAGS" >> $GITHUB_OUTPUT echo "Computed tags: $TAGS" - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: | - umamisoftware/umami,enable=${{ github.repository == 'umami-software/umami' }} - ghcr.io/${{ github.repository }} - tags: | - type=semver,pattern={{version}},enable=${{ github.ref_type == 'tag' }} - type=semver,pattern={{major}}.{{minor}},enable=${{ github.ref_type == 'tag' }} - type=semver,pattern={{major}},enable=${{ github.ref_type == 'tag' }} - type=raw,value=${{ steps.compute.outputs.tags }},enable=${{ steps.compute.outputs.tags != '' }} - type=ref,event=branch - type=sha - - # Build and push images - name: Build and push Docker image - id: build-and-push uses: docker/build-push-action@v6 with: context: . push: true platforms: linux/amd64,linux/arm64 - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} + tags: | + umamisoftware/umami:${{ steps.compute.outputs.tags }} + ghcr.io/${{ github.repository }}:${{ steps.compute.outputs.tags }} cache-from: type=gha cache-to: type=gha,mode=max - provenance: false # disable automatic registry attestations + provenance: false From de6515139e5067375dc62601b5fb699846bfe161 Mon Sep 17 00:00:00 2001 From: Mike Cao Date: Fri, 7 Nov 2025 18:17:51 -0800 Subject: [PATCH 4/4] Fixed Docker permissions. --- .github/workflows/cd.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index f21f58aa1..6569954ea 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -67,7 +67,7 @@ jobs: TAGS="$VERSION" else # stable release: version + hierarchy + latest - TAGS="$VERSION,${MAJOR}.${MINOR},${MAJOR},latest" + TAGS="$VERSION,${MAJOR}.${MINOR},${MAJOR},postgresql-latest,latest" fi else # Non-tag build (e.g. from main branch) @@ -78,14 +78,15 @@ jobs: echo "Computed tags: $TAGS" - name: Build and push Docker image + id: build uses: docker/build-push-action@v6 with: context: . push: true platforms: linux/amd64,linux/arm64 - tags: | - umamisoftware/umami:${{ steps.compute.outputs.tags }} - ghcr.io/${{ github.repository }}:${{ steps.compute.outputs.tags }} cache-from: type=gha cache-to: type=gha,mode=max provenance: false + tags: | + ghcr.io/${{ github.repository }}:${{ steps.compute.outputs.tags }} + ${{ github.repository == 'umami-software/umami' && format('umamisoftware/umami:{0}', steps.compute.outputs.tags) || '' }}