Originally I just wanted to add the standard opencontainer labels that docker/metadata provides, but "mr-smithers-excellent" seemed to only half implement docker support and is a higher supply-chain risk than docker, so I went all out and also added cosign to sign the images. Docker metadata tags supports all the custom code to create version tags out of the box and is fully maintained. Also dropped the manual workflow and merged it into cd.yml, since you can select tags when you manually dispatch, and that's less to maintain.
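---
# Builds the umami container image for each supported database backend,
# publishes it to Docker Hub and GHCR on non-PR events, and signs the
# pushed digest with cosign (keyless, via the job's OIDC token).
#
# NOTE(review): every action below is pinned to a mutable major tag
# (e.g. @v5). Pinning to a full commit SHA with the tag as a trailing
# comment is the stronger supply-chain posture; left as-is here.
name: Create docker images

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it,
# yamllint's `truthy` rule needs disabling for this line.
on:
  push:
    branches:
      - master
      - main
      - dev
    # Publish semver tags as releases.
    tags:
      - 'v*.*.*'
  # PR runs build only (push is disabled below); for PRs from forks the
  # GITHUB_TOKEN is read-only regardless of the permissions block.
  pull_request:
    branches:
      - master
      - main
      - dev
  workflow_dispatch:

jobs:
  build:
    name: Build, push, and deploy
    runs-on: ubuntu-latest
    # Least-privilege job token: read source, write packages (GHCR push),
    # and mint an OIDC token for keyless signing.
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    strategy:
      matrix:
        db-type: [postgresql, mysql]

    steps:
      - uses: actions/checkout@v5

      # Install the cosign tool except on PR
      # https://github.com/sigstore/cosign-installer
      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Docker Hub credentials only exist in the upstream repository, so
      # this login is gated on the repository name as well as the event.
      - name: Log into registry docker.io
        if: github.event_name != 'pull_request' && github.repository == 'umami-software/umami'
        uses: docker/login-action@v3
        with:
          registry: docker.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # GHCR accepts the job's own GITHUB_TOKEN; forks push to their own
      # namespace (ghcr.io/<owner>/<repo>) via the images list below.
      - name: Log into ghcr registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Derives tags and OCI labels. The docker.io image is only enabled
      # for the upstream repository; every tag is prefixed with the
      # matrix db-type so the two variants never collide.
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            umamisoftware/umami,enable=${{ github.repository == 'umami-software/umami' }}
            ghcr.io/${{ github.repository }}
          flavor: |
            latest=auto
            prefix=${{ matrix.db-type }}-
          tags: |
            type=ref,event=branch
            type=ref,event=pr

            # output 1.1.2
            type=semver,pattern={{version}}
            # output 1.1
            type=semver,pattern={{major}}.{{minor}}
            # output 1
            type=semver,pattern={{major}}

      # Multi-arch build. `push` is false on PRs so untrusted PR code is
      # built but never published. The GHA cache is scoped per matrix
      # entry: without `scope=` both db-type jobs write to the same default
      # cache scope and overwrite each other's layers on every run.
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          build-args: DATABASE_TYPE=${{ matrix.db-type }}
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha,scope=${{ matrix.db-type }}
          cache-to: type=gha,mode=max,scope=${{ matrix.db-type }}

      # Sign the resulting Docker image digest except on PRs.
      # Signs by immutable digest (tag@sha256:...) for every tag produced
      # above, one cosign invocation per line of TAGS. `--yes` skips the
      # interactive confirmation prompt, which cannot be answered in CI.
      - name: Sign the published Docker image
        if: github.event_name != 'pull_request'
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"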