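name: Docker CI

# Supply-chain notes for reviewers:
# - Every third-party action is pinned to a full commit SHA (not a floating tag),
#   because this workflow holds push credentials for three registries. Keep the
#   pins and bump them via Dependabot/Renovate rather than loosening them.
# - The only external, attacker-influenceable input is the upstream vaultwarden
#   release tag fetched in "Get latest release"; that step validates it before
#   it reaches a build argument.

on:
  # Nightly rebuild so the image tracks new upstream vaultwarden releases.
  # (An older comment claimed the cron was disabled; it is active.)
  schedule:
    - cron: '30 3 * * *'
  push:
    branches:
      # NOTE(review): `*` does not match `/`, so branches such as `feat/foo`
      # are not built on push (the same applies to `src/*` below, which skips
      # nested directories). Use `**` if that is unintended -- TODO confirm.
      - "*"
    # Publish semver tags as releases.
    tags: ['v*.*.*']
    # TODO: use a paths-filter action later.
    # `paths` only narrows the push trigger; PR, schedule and manual runs ignore it.
    paths:
      - "Dockerfile"
      - "vaultwarden-startup"
      - "src/*"
      - ".github/workflows/docker-ci.yml"
  pull_request:
    branches: [main]
  workflow_dispatch:

# Default to no token permissions; each job grants only what it needs.
permissions: {}

env:
  RHQCR_NAMESPACE: recaptime-dev/vaultwarden
  GITLAB_MAUDEV_NAMESPACE: recaptime-dev/infra/docker/vaultwarden
  GHCR_NAMESPACE: recaptime-dev/vaultwarden-docker

jobs:
  docker-build:
    name: Build and push
    runs-on: ubuntu-latest
    # Least privilege: read the repo, push to GHCR. `packages: write` lets the
    # ephemeral GITHUB_TOKEN replace a long-lived PAT for GHCR; quay.io and
    # dock.mau.dev still use bot credentials stored as repository secrets.
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089

      # Doppler-based secret fetching, currently disabled. Left for reference;
      # remove once the direct-secrets approach below is settled.
      #- name: Install CLI
      #  uses: dopplerhq/cli-action@41106dbef2e821dcf2250b0c936a616a438a278a
      #- uses: dopplerhq/secrets-fetch-action@ff1719d1b7d1e1b0e44f24dcfec3a9b490ede905
      #  id: doppler
      #  if: github.event_name != 'pull_request'
      #  with:
      #    doppler-token: ${{ secrets.OCI_REGISTRY_DOPPLER_TOKEN }}

      # Registry logins are skipped on pull_request runs: PR builds never push,
      # and fork PRs must not be able to reach registry credentials.
      # https://github.com/docker/login-action
      - name: Authenticate to GHCR
        if: github.event_name != 'pull_request'
        uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Authenticate to RHQCR
        if: github.event_name != 'pull_request'
        uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
        with:
          registry: quay.io
          username: ${{ secrets.RHQCR_BOT_USERNAME }}
          password: ${{ secrets.RHQCR_BOT_PASSWORD }}

      - name: Authenticate with dock.mau.dev
        if: github.event_name != 'pull_request'
        uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
        with:
          registry: dock.mau.dev
          username: ${{ secrets.RTDEVBOT_GITLAB_USERNAME_MAUDEV }}
          password: ${{ secrets.RTDEVBOT_GITLAB_TOKEN_MAUDEV }}

      # Extract image tags and OCI labels from the triggering event.
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@906ecf0fc0a80f9110f79d9e6c04b1080f4a2621
        with:
          context: workflow
          github-token: ${{ github.token }}
          images: |
            ghcr.io/${{ env.GHCR_NAMESPACE }}
            quay.io/${{ env.RHQCR_NAMESPACE }}
            dock.mau.dev/${{ env.GITLAB_MAUDEV_NAMESPACE }}
          labels: |
            org.opencontainers.image.vendor=RecapTime.dev
            org.opencontainers.image.authors=Andrei Jiroh Halili
            org.opencontainers.image.title=RecapTime.dev's Vaultwarden Docker image
            org.opencontainers.image.description=Custom Vaultwarden image, as used by Recap Time Squad for their instance.
          tags: |
            type=ref,prefix=branch-,event=branch
            type=sha,format=long,prefix=commit-
            type=raw,value=latest,enable={{is_default_branch}}
            type=schedule,pattern=nightly
            type=schedule,pattern={{date 'YYYYMMDDhhmmss'}},prefix=nightly-

      # QEMU + Buildx are required by the build-push step below.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@8b562efa09ec1557a9e26f25a7c6292838acea94

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5

      # Resolve which upstream vaultwarden release to build. This value comes
      # from a third-party repository and ends up in a build argument, so the
      # script fails closed (set -e/-u/pipefail) and validates the tag before
      # writing it to GITHUB_ENV.
      # Note: original query generated with GitHub Copilot; hardened in review.
      - name: Get latest release
        run: |
          set -euo pipefail
          # Ask for the most recently created release explicitly; without an
          # orderBy, which release `first: 1` returns depends on the API's default
          # ordering. NOTE(review): this may still return a pre-release -- if only
          # stable releases are wanted, the REST endpoint
          # `gh api repos/dani-garcia/vaultwarden/releases/latest` excludes them.
          tag_name=$(gh api graphql -f query='{
            repository(owner: "dani-garcia", name: "vaultwarden") {
              releases(first: 1, orderBy: {field: CREATED_AT, direction: DESC}) {
                nodes {
                  tagName
                }
              }
            }
          }' --jq '.data.repository.releases.nodes[0].tagName')
          # Refuse to build with an empty or "null" version (e.g. API error, no
          # releases), and reject anything that does not look like a plain tag so
          # the value cannot carry extra KEY=VALUE lines or shell metacharacters
          # into later steps.
          if [[ -z "$tag_name" || "$tag_name" == "null" || ! "$tag_name" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
            echo "::error::unexpected upstream vaultwarden release tag: '$tag_name'"
            exit 1
          fi
          echo "VAULTWARDEN_RELEASE=$tag_name" >> "$GITHUB_ENV"
        env:
          GH_TOKEN: ${{ github.token }}

      # Build for all triggers; push only when not a pull request.
      # `provenance: true` attaches a build provenance attestation to pushed images.
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        uses: docker/build-push-action@7e094594beda23fc8f21fa31049f4b203e51096b
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          provenance: true
          build-args: |
            VAULTWARDEN_RELEASE=${{ env.VAULTWARDEN_RELEASE }}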