vNext

.github/workflows/ci.yaml

@@ -12,123 +12,46 @@ on:
 env:
   REGISTRY_IMAGE: ghcr.io/yubiuser/webchanges
 
+permissions:
+  contents: read
+
 jobs:
+  build-prepare:
+    runs-on: ubuntu-24.04
+    outputs:
+      REGISTRY_IMAGE: ${{ env.REGISTRY_IMAGE }}
+    steps:
+      # FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671
+      - run: echo "Exposing env vars for reusable workflow"
   build:
-    runs-on: ${{ matrix.runner }}
+    uses: docker/github-builder/.github/workflows/build.yml@v1.4.0
     permissions:
       contents: read
-      packages: write
-    strategy:
-      fail-fast: true
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-    steps:
-
-      - name: Prepare name for digest up/download
-        run: |
-          platform=${{ matrix.platform }}
-          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-
-      -
-        name: Checkout Code
-        uses: actions/checkout@v6.0.2
-
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v4.0.0
-
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4.0.0
-
-      -
-        name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@v6
-        with:
-          images: |
-            ${{ env.REGISTRY_IMAGE }}
-      -
-        name: Login to GitHub Container Registry
-        uses: docker/login-action@v4.0.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      -
-        name: Build and push Docker image
-        uses: docker/build-push-action@v7.0.0
-        id: build
-        with:
-          context: .
-          platforms: ${{ matrix.platform }}
-          labels: ${{ steps.meta.outputs.labels }}
-          provenance: false
-          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push' || github.event_name == 'release' }}
-
-      - name: Export digest
-        run: |
-          mkdir -p /tmp/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "/tmp/digests/${digest#sha256:}"
-      - name: Upload digest
-        uses: actions/upload-artifact@v7.0.0
-        with:
-          name: digests-${{ env.PLATFORM_PAIR }}
-          path: /tmp/digests/*
-          if-no-files-found: error
-          retention-days: 1
-
-  merge:
-    runs-on: ubuntu-latest
+      packages: write # required to push to GHCR
+      id-token: write # for signing attestation(s) with GitHub OIDC Token
     needs:
-      - build
-    if: |
-      github.actor != 'dependabot[bot]'
-      && ( github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push' || github.event_name == 'release' )
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Download digests
-        uses: actions/download-artifact@v8.0.1
-        with:
-          path: /tmp/digests
-          pattern: digests-*
-          merge-multiple: true
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4.0.0
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v6
-        with:
-          images: |
-            ${{ env.REGISTRY_IMAGE }}
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha,enable=${{ github.event_name == 'workflow_dispatch' }}
-            type=ref,event=pr
-            type=ref,event=branch
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v4.0.0
-        with:
-          registry: ghcr.io
+      - build-prepare
+    with:
+      runner: auto
+      distribute: true
+      setup-qemu: true
+      output: image
+      cache: true
+      cache-scope: build
+      push: ${{ github.actor != 'dependabot[bot]' && ( github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push' || github.event_name == 'release' ) }}
+      meta-images: ${{ needs.build-prepare.outputs.REGISTRY_IMAGE }}
+      meta-tags: |
+        type=semver,pattern={{version}}
+        type=semver,pattern={{major}}.{{minor}}
+        type=semver,pattern={{major}}
+        type=sha,enable=${{ github.event_name == 'workflow_dispatch' }}
+        type=ref,event=pr
+        type=ref,event=branch
+      platforms: linux/amd64,linux/arm64
+      # FIXME: GHCR does not support the referrers API and spams the registry with sha-tagged images when cosigned: https://github.com/docker/github-builder/issues/109
+      sign: false
+    secrets:
+      registry-auths: |
+        - registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Create manifest list and push
-        working-directory: /tmp/digests
-        run: |
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
-      - name: Inspect image
-        run: |
-          docker buildx imagetools inspect --raw ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
-
+          password: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 ARG webchanges_tag=v3.34.1
 
-FROM python:3.14.1-alpine3.22 AS builder
+FROM python:3.14.3-alpine3.22 AS builder
 ARG webchanges_tag
 ENV PYTHONUTF8=1
 
@@ -60,7 +60,7 @@ RUN python3 -m PyInstaller -F --strip webchanges.py
 
 
 
-FROM alpine:3.23 AS deploy
+FROM alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 AS deploy
 ENV APP_USER=webchanges
 ENV PYTHONUTF8=1
 RUN apk add --no-cache tini