build.yml

name: Build and push container images

on:
  workflow_dispatch:
  schedule:
    - cron: '0 1 * * 0' # weekly refresh on Sunday at 1am
  push:
    branches: [main]
    paths:
      - 'Dockerfile'
      - '.github/workflows/build.yml'

env:
  COSIGN_EXPERIMENTAL: 1
  REGISTRY_IMAGE: zenjoy/ruby
  DEBIAN: bullseye

jobs:
  build:
    name: Build Ruby ${{ matrix.ruby }} on ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        ruby: ['3.0', '3.1']
        os: [ubuntu-latest, ubuntu-22.04-arm]
        include:
          - os: ubuntu-latest
            platform: linux/amd64
          - os: ubuntu-22.04-arm
            platform: linux/arm64

    permissions:
      id-token: write # keyless Cosign signatures
      packages: write # GHCR
      contents: write # git tags

    steps:
      - name: Checkout repo
        uses: actions/checkout@v4

      - name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

      - name: Parse ruby version
        id: prepare
        run: |
          RUBY_VERSION=$(grep -Eo 'RUBY_VERSION ${{ matrix.ruby }}.[0-9]+$' Dockerfile | cut -d ' ' -f2)
          MAJOR=$(echo $RUBY_VERSION | cut -d . -f 1)
          MINOR=$(echo $RUBY_VERSION | cut -d . -f 2)
          PATCH=$(echo $RUBY_VERSION | cut -d . -f 3)
          TODAY=$(date +%Y-%m-%d)
          echo "major=$MAJOR" | tee -a $GITHUB_OUTPUT
          echo "minor=$MINOR" | tee -a $GITHUB_OUTPUT
          echo "patch=$PATCH" | tee -a $GITHUB_OUTPUT
          echo "version=$RUBY_VERSION" | tee -a $GITHUB_OUTPUT
          echo "today=${TODAY}" | tee -a $GITHUB_OUTPUT

      - name: Generate build tag from head
        id: branch
        run: |
          export GIT_REF=${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}
          echo "branch=$(echo ${GIT_REF,,} | sed 's/[^a-zA-Z0-9]/-/g')" | tee -a $GITHUB_OUTPUT

      - name: Generate Docker metadata with ruby version
        uses: docker/metadata-action@v5
        id: metadata
        with:
          flavor: |
            latest=${{ matrix.ruby == '3.3' }}
          images: |
            docker.io/${{ env.REGISTRY_IMAGE }}
            ghcr.io/${{ env.REGISTRY_IMAGE }}
          tags: |
            type=semver,pattern={{version}},value=v${{ steps.prepare.outputs.version }}
            type=semver,pattern={{major}}.{{minor}},value=v${{ steps.prepare.outputs.version }}
          labels: |
            org.opencontainers.image.title=ruby

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.2.0

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_PASSWORD }}

      - name: Login to GitHub Container Repository
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build container image
        uses: docker/build-push-action@v6
        id: build
        with:
          labels: ${{ steps.metadata.outputs.labels }}
          build-args: |
            BUILD_AT=${{ steps.prepare.outputs.today }}
            RUBY=${{ matrix.ruby }}
            DEBIAN=bullseye
          platforms: ${{ matrix.platform }}
          outputs: |
            type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
          cache-from: type=registry,ref=${{ env.REGISTRY_IMAGE }}:buildcache
          cache-to: type=registry,ref=${{ env.REGISTRY_IMAGE }}:buildcache,mode=max

      - name: Export digest
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"

      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ matrix.ruby }}-${{ env.DEBIAN }}-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

      # - name: Sign container images
      #   run: |
      #     cosign sign --yes --recursive "docker.io/$IMAGE_NAME@$IMAGE_DIGEST"
      #     cosign sign --yes --recursive "ghcr.io/$IMAGE_NAME@$IMAGE_DIGEST"
      #   env:
      #     IMAGE_NAME: ${{ env.REGISTRY_IMAGE }}
      #     IMAGE_DIGEST: ${{ steps.build.outputs.digest }}

  merge:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        ruby: ['3.0', '3.1']

    needs:
      - build

    steps:
      - name: Download digests
        uses: actions/download-artifact@v4
        with:
          path: /tmp/digests
          pattern: digests-${{ matrix.ruby }}-${{ env.DEBIAN }}-*
          merge-multiple: true

      - name: Parse ruby version
        id: prepare
        run: |
          RUBY_VERSION=$(grep -Eo 'RUBY_VERSION ${{ matrix.ruby }}.[0-9]+$' Dockerfile | cut -d ' ' -f2)
          MAJOR=$(echo $RUBY_VERSION | cut -d . -f 1)
          MINOR=$(echo $RUBY_VERSION | cut -d . -f 2)
          PATCH=$(echo $RUBY_VERSION | cut -d . -f 3)
          TODAY=$(date +%Y-%m-%d)
          echo "major=$MAJOR" | tee -a $GITHUB_OUTPUT
          echo "minor=$MINOR" | tee -a $GITHUB_OUTPUT
          echo "patch=$PATCH" | tee -a $GITHUB_OUTPUT
          echo "version=$RUBY_VERSION" | tee -a $GITHUB_OUTPUT
          echo "today=${TODAY}" | tee -a $GITHUB_OUTPUT

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Generate Docker metadata with ruby version
        uses: docker/metadata-action@v5
        id: metadata
        with:
          flavor: |
            latest=${{ matrix.ruby == '3.3' }}
          images: |
            docker.io/${{ env.REGISTRY_IMAGE }}
            ghcr.io/${{ env.REGISTRY_IMAGE }}
          tags: |
            type=semver,pattern={{version}},value=v${{ steps.prepare.outputs.version }}
            type=semver,pattern={{major}}.{{minor}},value=v${{ steps.prepare.outputs.version }}
          labels: |
            org.opencontainers.image.title=ruby

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_PASSWORD }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Repository
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - name: Create manifest list and push
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)

      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}