| |
| |
|
|
| name: Docker Build and Push |
|
|
| on: |
| |
| push: |
| branches: |
| - main |
| - master |
| |
| paths: |
| - 'Dockerfile' |
| - 'docker-compose.yml' |
| - 'docker-entrypoint.sh' |
| - 'docker-healthcheck.sh' |
| - 'src/**' |
| - 'pyproject.toml' |
| - 'uv.lock' |
| - '.github/workflows/docker-build.yml' |
| |
| |
| pull_request: |
| branches: |
| - main |
| - master |
| |
| |
| workflow_dispatch: |
| inputs: |
| push_image: |
| description: '是否推送镜像到注册表' |
| required: false |
| default: 'true' |
| type: boolean |
|
|
| env: |
| |
| IMAGE_NAME: landppt |
| |
| PLATFORMS: linux/amd64 |
|
|
| jobs: |
| build: |
| name: Build Docker Image |
| runs-on: ubuntu-latest |
| |
| permissions: |
| contents: read |
| packages: write |
| |
| steps: |
| |
| - name: Checkout Repository |
| uses: actions/checkout@v4 |
| |
| |
| - name: Free Disk Space |
| run: | |
| sudo rm -rf /usr/share/dotnet |
| sudo rm -rf /usr/local/lib/android |
| sudo rm -rf /opt/ghc |
| sudo rm -rf /opt/hostedtoolcache/CodeQL |
| sudo docker system prune -af |
| df -h |
| |
| |
| - name: Set up Docker Buildx |
| uses: docker/setup-buildx-action@v3 |
| |
| |
| - name: Login to GitHub Container Registry |
| if: github.event_name != 'pull_request' |
| uses: docker/login-action@v3 |
| with: |
| registry: ghcr.io |
| username: ${{ github.actor }} |
| password: ${{ secrets.GITHUB_TOKEN }} |
| |
| |
| |
| - name: Login to Docker Hub |
| if: github.event_name != 'pull_request' |
| uses: docker/login-action@v3 |
| with: |
| username: ${{ secrets.DOCKERHUB_USERNAME }} |
| password: ${{ secrets.DOCKERHUB_TOKEN }} |
| continue-on-error: true |
| |
| |
| - name: Extract Docker Metadata |
| id: meta |
| uses: docker/metadata-action@v5 |
| with: |
| images: | |
| ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} |
| ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }} |
| tags: | |
| # 最新标签(仅在 main/master 分支) |
| type=raw,value=latest,enable={{is_default_branch}} |
| # Git 短 SHA |
| type=sha,prefix= |
| # 分支名称 |
| type=ref,event=branch |
| # PR 编号 |
| type=ref,event=pr |
| # 语义化版本(如果有标签) |
| type=semver,pattern={{version}} |
| type=semver,pattern={{major}}.{{minor}} |
| # 日期标签 |
| type=raw,value={{date 'YYYYMMDD-HHmmss'}} |
| |
| |
| - name: Build and Push Docker Image |
| uses: docker/build-push-action@v5 |
| with: |
| context: . |
| file: ./Dockerfile |
| platforms: ${{ env.PLATFORMS }} |
| |
| push: ${{ github.event_name != 'pull_request' && (github.event.inputs.push_image != 'false') }} |
| tags: ${{ steps.meta.outputs.tags }} |
| labels: ${{ steps.meta.outputs.labels }} |
| |
| cache-from: type=gha |
| cache-to: type=gha,mode=max |
| |
| build-args: | |
| BUILDTIME=${{ github.event.repository.updated_at }} |
| VERSION=${{ github.sha }} |
| |
| |
| - name: Image Digest |
| run: | |
| echo "### Docker Image Built Successfully! :rocket:" >> $GITHUB_STEP_SUMMARY |
| echo "" >> $GITHUB_STEP_SUMMARY |
| echo "**Image Tags:**" >> $GITHUB_STEP_SUMMARY |
| echo "\`\`\`" >> $GITHUB_STEP_SUMMARY |
| echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY |
| echo "\`\`\`" >> $GITHUB_STEP_SUMMARY |
| |
| |
| security-scan: |
| name: Security Scan |
| runs-on: ubuntu-latest |
| needs: build |
| if: github.event_name != 'pull_request' |
| |
| steps: |
| - name: Checkout Repository |
| uses: actions/checkout@v4 |
| |
| |
| - name: Run Trivy vulnerability scanner |
| uses: aquasecurity/trivy-action@master |
| with: |
| scan-type: 'config' |
| scan-ref: '.' |
| format: 'sarif' |
| output: 'trivy-results.sarif' |
| continue-on-error: true |
| |
| |
| - name: Upload Trivy scan results |
| uses: github/codeql-action/upload-sarif@v3 |
| with: |
| sarif_file: 'trivy-results.sarif' |
| continue-on-error: true |
|
|