mirror of
https://github.com/BEDOLAGA-DEV/remnawave-bedolaga-telegram-bot.git
synced 2026-04-25 23:46:19 +00:00
87b83f59c6
The x-release-please-version markers in workflow files were stuck at v3.7.0 since commit5070bb34removed them from extra-files (GitHub Actions returns 403 when release-please tries to modify .github/workflows/ via GITHUB_TOKEN). Instead of hardcoding the version, read it from .release-please-manifest.json at build time. This file is always kept in sync by release-please and does not require workflow file write permissions. --- Маркеры x-release-please-version в workflow-файлах застряли на v3.7.0 после коммита5070bb34, который удалил их из extra-files (GitHub Actions возвращает 403 при попытке release-please изменить .github/workflows/ через GITHUB_TOKEN). Вместо хардкода версии теперь читаем её из .release-please-manifest.json во время сборки. Этот файл всегда синхронизируется release-please и не требует прав на запись в workflow-файлы.
145 lines
5.6 KiB
YAML
145 lines
5.6 KiB
YAML
name: Build and Publish Docker Image
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
- dev
|
|
tags:
|
|
- 'v*'
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
- dev
|
|
|
|
env:
|
|
REGISTRY: ghcr.io
|
|
IMAGE_NAME: ${{ github.repository }}
|
|
|
|
jobs:
|
|
build-and-push:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Log in to Container Registry
|
|
if: github.event_name != 'pull_request'
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Get version info
|
|
id: version
|
|
run: |
|
|
SHORT_SHA=$(git rev-parse --short HEAD)
|
|
echo "short_sha=$SHORT_SHA" >> $GITHUB_OUTPUT
|
|
echo "build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
|
|
|
|
# Read base version from release-please manifest (single source of truth)
|
|
BASE_VERSION=$(jq -r '."."' .release-please-manifest.json)
|
|
|
|
if [[ $GITHUB_REF == refs/tags/* ]]; then
|
|
VERSION=${GITHUB_REF#refs/tags/}
|
|
echo "🏷️ Building release version: $VERSION"
|
|
elif [[ $GITHUB_REF == refs/heads/main ]]; then
|
|
VERSION="v${BASE_VERSION}-${SHORT_SHA}"
|
|
echo "🚀 Building main version: $VERSION"
|
|
elif [[ $GITHUB_REF == refs/heads/dev ]]; then
|
|
VERSION="v${BASE_VERSION}-dev-${SHORT_SHA}"
|
|
echo "🧪 Building dev version: $VERSION"
|
|
else
|
|
VERSION="v${BASE_VERSION}-pr-${SHORT_SHA}"
|
|
echo "🔀 Building PR version: $VERSION"
|
|
fi
|
|
echo "version=$VERSION" >> $GITHUB_OUTPUT
|
|
|
|
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
|
|
echo "should_push=false" >> $GITHUB_OUTPUT
|
|
echo "⚠️ PR - only build without push"
|
|
else
|
|
echo "should_push=true" >> $GITHUB_OUTPUT
|
|
echo "✅ Push/Tag - will push"
|
|
fi
|
|
|
|
- name: Extract metadata
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=ref,event=pr
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=semver,pattern={{major}}
|
|
type=raw,value=latest,enable={{is_default_branch}}
|
|
type=raw,value=dev,enable=${{ github.ref == 'refs/heads/dev' }}
|
|
type=raw,value=${{ steps.version.outputs.version }}
|
|
|
|
- name: Build and push Docker image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: ./Dockerfile
|
|
platforms: linux/amd64,linux/arm64
|
|
push: ${{ steps.version.outputs.should_push }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
build-args: |
|
|
VERSION=${{ steps.version.outputs.version }}
|
|
BUILD_DATE=${{ steps.version.outputs.build_date }}
|
|
VCS_REF=${{ steps.version.outputs.short_sha }}
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
- name: Generate security report
|
|
uses: docker/scout-action@v1
|
|
if: github.event_name == 'pull_request'
|
|
with:
|
|
command: quickview,compare
|
|
image: ${{ steps.meta.outputs.tags }}
|
|
to: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
|
|
ignore-unchanged: true
|
|
only-severities: critical,high
|
|
write-comment: true
|
|
github-token: ${{ secrets.GITHUB_TOKEN }}
|
|
continue-on-error: true
|
|
|
|
- name: Build Summary
|
|
if: steps.version.outputs.should_push == 'true'
|
|
run: |
|
|
echo "## 🚀 Docker Build Summary" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Parameter | Value |" >> $GITHUB_STEP_SUMMARY
|
|
echo "|----------|----------|" >> $GITHUB_STEP_SUMMARY
|
|
echo "| **Version** | \`${{ steps.version.outputs.version }}\` |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| **Commit** | \`${{ steps.version.outputs.short_sha }}\` |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| **Build Date** | \`${{ steps.version.outputs.build_date }}\` |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| **Registry** | \`${{ env.REGISTRY }}\` |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| **Image** | \`${{ env.IMAGE_NAME }}\` |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| **Branch** | \`${{ github.ref_name }}\` |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| **Status** | ✅ Published |" >> $GITHUB_STEP_SUMMARY
|
|
|
|
- name: Build Summary (No Push)
|
|
if: steps.version.outputs.should_push == 'false'
|
|
run: |
|
|
echo "## 🔨 Docker Build Summary (Test Only)" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Parameter | Value |" >> $GITHUB_STEP_SUMMARY
|
|
echo "|----------|----------|" >> $GITHUB_STEP_SUMMARY
|
|
echo "| **Version** | \`${{ steps.version.outputs.version }}\` |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| **Commit** | \`${{ steps.version.outputs.short_sha }}\` |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| **Build Date** | \`${{ steps.version.outputs.build_date }}\` |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| **Status** | ✅ Built successfully (without publishing) |" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "⚠️ **Note:** Image built but not published as this is a pull request." >> $GITHUB_STEP_SUMMARY
|