build.yml

name: Build and push container images

on:
  workflow_dispatch:
  schedule:
    - cron: '0 1 * * 0' # weekly refresh on Sunday at 1am
  push:
    branches: [main]
    paths:
      - 'Dockerfile'
      - '.github/workflows/build.yml'

env:
  COSIGN_EXPERIMENTAL: 1
  REGISTRY_IMAGE: zenjoy/ruby

jobs:
  build:
    name: Build image
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        ruby: ['3.0']
        debian: ['bullseye']
        include:
          - os: ubuntu-latest
            platform: linux/amd64
          # - os: ubuntu-22.04-arm
          #   platform: linux/arm64

    permissions:
      id-token: write # keyless Cosign signatures
      packages: write # GHCR
      contents: write # git tags

    steps:
      - name: Checkout repo
        uses: actions/checkout@v4

      - name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

      - name: Parse ruby version
        id: prepare
        run: |
          RUBY_VERSION=$(grep -Eo 'RUBY_VERSION ${{ matrix.ruby }}.[0-9]+$' Dockerfile | cut -d ' ' -f2)
          MAJOR=$(echo $RUBY_VERSION | cut -d . -f 1)
          MINOR=$(echo $RUBY_VERSION | cut -d . -f 2)
          PATCH=$(echo $RUBY_VERSION | cut -d . -f 3)
          TODAY=$(date +%Y-%m-%d)
          echo "major=$MAJOR" | tee -a $GITHUB_OUTPUT
          echo "minor=$MINOR" | tee -a $GITHUB_OUTPUT
          echo "patch=$PATCH" | tee -a $GITHUB_OUTPUT
          echo "version=$RUBY_VERSION" | tee -a $GITHUB_OUTPUT
          echo "today=${TODAY}" | tee -a $GITHUB_OUTPUT

      - name: Generate build tag from head
        id: branch
        run: |
          export GIT_REF=${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}
          echo "branch=$(echo ${GIT_REF,,} | sed 's/[^a-zA-Z0-9]/-/g')" | tee -a $GITHUB_OUTPUT

      - name: Generate Docker metadata with ruby version
        uses: docker/metadata-action@v4
        id: metadata
        with:
          flavor: |
            latest=${{ matrix.ruby == '3.3' }}
          images: |
            docker.io/${{ env.REGISTRY_IMAGE }}
            ghcr.io/${{ env.REGISTRY_IMAGE }}
          tags: |
            type=semver,pattern={{version}},value=v${{ steps.prepare.outputs.version }}
            type=semver,pattern={{major}}.{{minor}},value=v${{ steps.prepare.outputs.version }}
          labels: |
            org.opencontainers.image.title=ruby

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.2.0

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_PASSWORD }}

      - name: Login to GitHub Container Repository
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build container image
        uses: docker/build-push-action@v6
        id: build
        with:
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          build-args: |
            BUILD_AT=${{ steps.prepare.outputs.today }}
            RUBY=${{ matrix.ruby }}
            DEBIAN=${{ matrix.debian }}
          platforms: ${{ matrix.platform }}
          outputs: |
            type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
          cache-from: type=registry,ref=${{ env.REGISTRY_IMAGE }}:buildcache
          cache-to: type=registry,ref=${{ env.REGISTRY_IMAGE }}:buildcache,mode=max

      - name: Export digest
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"

      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ matrix.ruby }}-${{ matrix.debian }}-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

      - name: Sign container images
        run: |
          cosign sign --yes --recursive "docker.io/$IMAGE_NAME@$IMAGE_DIGEST"
          cosign sign --yes --recursive "ghcr.io/$IMAGE_NAME@$IMAGE_DIGEST"
        env:
          IMAGE_NAME: ${{ env.REGISTRY_IMAGE }}
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}

  merge:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        ruby: ['3.0', '3.1', '3.2', '3.3']
        debian: ['bookworm']
    needs:
      - build
    steps:
      - name: Download digests
        uses: actions/download-artifact@v4
        with:
          path: /tmp/digests
          pattern: digests-${{ matrix.ruby }}-${{ matrix.debian }}-*
          merge-multiple: true

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_PASSWORD }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Repository
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - name: Create manifest list and push
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)

      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}