Use alpine version #21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and push container images | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: [main] | |
| paths: | |
| - Dockerfile | |
| pull_request: | |
| branches: [main] | |
| paths: | |
| - Dockerfile | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| COSIGN_EXPERIMENTAL: 1 | |
| jobs: | |
| metadata: | |
| name: Get image and repo details | |
| runs-on: ubuntu-latest | |
| outputs: | |
| name: ${{ steps.name.outputs.name }} | |
| title: ${{ steps.title.outputs.title }} | |
| version: ${{ steps.version.outputs.version }} | |
| branch: ${{ steps.branch.outputs.branch }} | |
| labels: ${{ steps.metadata.outputs.labels }} | |
| tags: ${{ steps.metadata.outputs.tags }} | |
| platforms: linux/amd64,linux/arm64 | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| - name: Generate docker-compliant image name | |
| id: name | |
| run: echo "name=$(echo ${GITHUB_REPOSITORY,,} | sed 's/docker-//')" | tee -a $GITHUB_OUTPUT | |
| - name: Generate OCI image title | |
| id: title | |
| run: | |
| echo "title=$(echo ${GITHUB_REPOSITORY#*/} | sed 's/docker-//')" | tee -a $GITHUB_OUTPUT | |
| - name: Parse Caddy version | |
| id: version | |
| run: | |
| echo "version=$(grep -Eo 'caddy:[0-9]+\.[0-9]+\.[0-9]+-alpine$' Dockerfile | cut -d ':' | |
| -f2 | cut -d '-' -f1)" | tee -a $GITHUB_OUTPUT | |
| - name: Generate build tag from head | |
| id: branch | |
| run: | | |
| export GIT_REF=${GITHUB_HEAD_REF:-$GITHUB_REF_NAME} | |
| echo "branch=$(echo ${GIT_REF,,} | sed 's/[^a-zA-Z0-9]/-/g')" | tee -a $GITHUB_OUTPUT | |
| - name: Generate Docker metadata with Caddy version | |
| uses: docker/metadata-action@v5 | |
| id: metadata | |
| with: | |
| images: | | |
| docker.io/${{ steps.name.outputs.name }} | |
| ghcr.io/${{ steps.name.outputs.name }} | |
| tags: | | |
| type=semver,pattern={{version}},value=v${{ steps.version.outputs.version }} | |
| type=semver,pattern={{major}}.{{minor}},value=v${{ steps.version.outputs.version }} | |
| type=semver,pattern={{major}},value=v${{ steps.version.outputs.version }} | |
| labels: | | |
| org.opencontainers.image.title=${{ steps.title.outputs.title }} | |
| build: | |
| name: Build container image | |
| runs-on: ubuntu-latest | |
| needs: [metadata] | |
| permissions: | |
| id-token: write # keyless Cosign signatures | |
| pull-requests: write # PR comments | |
| outputs: | |
| digest: ${{ steps.build.outputs.digest }} | |
| image-ref: ttl.sh/${{ needs.metadata.outputs.name }}:${{ github.sha }} | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v5 | |
| id: build | |
| with: | |
| context: . | |
| push: true # to ttl.sh | |
| tags: ttl.sh/${{ needs.metadata.outputs.name }}:${{ github.sha }} | |
| labels: ${{ needs.metadata.outputs.labels }} | |
| platforms: ${{ needs.metadata.outputs.platforms }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Sign container images | |
| run: | | |
| cosign sign --yes --recursive \ | |
| "ttl.sh/$IMAGE_NAME@$IMAGE_DIGEST" | |
| env: | |
| IMAGE_NAME: ${{ needs.metadata.outputs.name }} | |
| IMAGE_DIGEST: ${{ steps.build.outputs.digest }} | |
| trivy: | |
| name: Run Trivy scanner | |
| needs: [build] | |
| uses: ./.github/workflows/trivy.yml | |
| with: | |
| image-ref: ${{ needs.build.outputs.image-ref }} | |
| publish: | |
| name: Publish container image | |
| needs: [metadata, build, trivy] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write # keyless Cosign signatures | |
| packages: write # GHCR | |
| contents: write # git tags | |
| if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_HUB_USER }} | |
| password: ${{ secrets.DOCKER_HUB_PASSWORD }} | |
| - name: Login to GitHub Container Repository | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ github.token }} | |
| - name: Verify container images | |
| run: | | |
| cosign verify \ | |
| --certificate-oidc-issuer https://token.actions.githubusercontent.com \ | |
| --certificate-identity-regexp https://github.com/$GITHUB_REPOSITORY/.github/workflows/ \ | |
| ${{ needs.build.outputs.image-ref }} | |
| - name: Publish container image | |
| uses: docker/build-push-action@v5 | |
| id: publish | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ needs.metadata.outputs.tags }} | |
| labels: ${{ needs.metadata.outputs.labels }} | |
| platforms: ${{ needs.metadata.outputs.platforms }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Sign container images | |
| run: | | |
| cosign sign --yes --recursive "docker.io/$IMAGE_NAME@$IMAGE_DIGEST" | |
| cosign sign --yes --recursive "ghcr.io/$IMAGE_NAME@$IMAGE_DIGEST" | |
| env: | |
| IMAGE_NAME: ${{ needs.metadata.outputs.name }} | |
| IMAGE_DIGEST: ${{ steps.publish.outputs.digest }} | |
| - name: Push version tags | |
| run: | | |
| MAJOR=$(echo $CADDY_VERSION | cut -d . -f 1) | |
| MINOR=$(echo $CADDY_VERSION | cut -d . -f 2) | |
| git tag -f "v$MAJOR" | |
| git tag -f "v$MAJOR.$MINOR" | |
| git tag -f "v$CADDY_VERSION" | |
| git push -f -u origin "v$MAJOR" | |
| git push -f -u origin "v$MAJOR.$MINOR" | |
| git push -f -u origin "v$CADDY_VERSION" | |
| env: | |
| CADDY_VERSION: ${{ needs.metadata.outputs.version }} |