diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 1d4605d..b7c297e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -12,123 +12,46 @@ on: env: REGISTRY_IMAGE: ghcr.io/yubiuser/webchanges +permissions: + contents: read + jobs: + build-prepare: + runs-on: ubuntu-24.04 + outputs: + REGISTRY_IMAGE: ${{ env.REGISTRY_IMAGE }} + steps: + # FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671 + - run: echo "Exposing env vars for reusable workflow" build: - runs-on: ${{ matrix.runner }} + uses: docker/github-builder/.github/workflows/build.yml@v1.4.0 permissions: contents: read - packages: write - strategy: - fail-fast: true - matrix: - include: - - platform: linux/amd64 - runner: ubuntu-latest - - platform: linux/arm64 - runner: ubuntu-24.04-arm - steps: - - - name: Prepare name for digest up/download - run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - - - name: Checkout Code - uses: actions/checkout@v6.0.2 - - - - name: Set up QEMU - uses: docker/setup-qemu-action@v4.0.0 - - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4.0.0 - - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v6 - with: - images: | - ${{ env.REGISTRY_IMAGE }} - - - name: Login to GitHub Container Registry - uses: docker/login-action@v4.0.0 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - - name: Build and push Docker image - uses: docker/build-push-action@v7.0.0 - id: build - with: - context: . 
- platforms: ${{ matrix.platform }} - labels: ${{ steps.meta.outputs.labels }} - provenance: false - outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push' || github.event_name == 'release' }} - - - name: Export digest - run: | - mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" - touch "/tmp/digests/${digest#sha256:}" - - name: Upload digest - uses: actions/upload-artifact@v7.0.0 - with: - name: digests-${{ env.PLATFORM_PAIR }} - path: /tmp/digests/* - if-no-files-found: error - retention-days: 1 - - merge: - runs-on: ubuntu-latest + packages: write # required to push to GHCR + id-token: write # for signing attestation(s) with GitHub OIDC Token needs: - - build - if: | - github.actor != 'dependabot[bot]' - && ( github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push' || github.event_name == 'release' ) - permissions: - contents: read - packages: write - steps: - - name: Download digests - uses: actions/download-artifact@v8.0.1 - with: - path: /tmp/digests - pattern: digests-* - merge-multiple: true - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4.0.0 - - name: Docker meta - id: meta - uses: docker/metadata-action@v6 - with: - images: | - ${{ env.REGISTRY_IMAGE }} - tags: | - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=sha,enable=${{ github.event_name == 'workflow_dispatch' }} - type=ref,event=pr - type=ref,event=branch - - name: Login to GitHub Container Registry - uses: docker/login-action@v4.0.0 - with: - registry: ghcr.io + - build-prepare + with: + runner: auto + distribute: true + setup-qemu: true + output: image + cache: true + cache-scope: build + push: ${{ github.actor != 'dependabot[bot]' && ( github.event.pull_request.head.repo.full_name == github.repository || 
github.event_name == 'push' || github.event_name == 'release' ) }} + meta-images: ${{ needs.build-prepare.outputs.REGISTRY_IMAGE }} + meta-tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha,enable=${{ github.event_name == 'workflow_dispatch' }} + type=ref,event=pr + type=ref,event=branch + platforms: linux/amd64,linux/arm64 + # FIXME: GHCR does not support the referrers API and spams the registry with sha-tagged images when cosigned: https://github.com/docker/github-builder/issues/109 + sign: false + secrets: + registry-auths: | + - registry: ghcr.io username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - - name: Inspect image - run: | - docker buildx imagetools inspect --raw ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} - + password: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 1f364fd..d517cd3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG webchanges_tag=v3.34.1 -FROM python:3.14.1-alpine3.22 AS builder +FROM python:3.14.3-alpine3.22 AS builder ARG webchanges_tag ENV PYTHONUTF8=1 @@ -60,7 +60,7 @@ RUN python3 -m PyInstaller -F --strip webchanges.py -FROM alpine:3.23 AS deploy +FROM alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 AS deploy ENV APP_USER=webchanges ENV PYTHONUTF8=1 RUN apk add --no-cache tini
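Review bot: The new `build` job hands `packages: write`, `id-token: write` and `secrets.GITHUB_TOKEN` (via `registry-auths`) to a third-party reusable workflow that is referenced only by a mutable tag, `uses: docker/github-builder/.github/workflows/build.yml@v1.4.0`, so anyone who can move that tag, or the tags of the actions it calls internally, can push arbitrary images to `ghcr.io/yubiuser/webchanges`. Pin the reference to the full commit SHA behind that release and keep the version as a trailing comment so Dependabot can still track it, e.g. `uses: docker/github-builder/.github/workflows/build.yml@<commit-sha> # v1.4.0`. Separately, `id-token: write` is granted while `sign: false` is set and nothing else in this hunk visibly consumes the OIDC token; if the reusable workflow does not also emit provenance attestations at this version, drop that permission until signing is re-enabled so the job stays at least privilege.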