name: Docker Build Smart Logic on: push: branches: - main tags: - 'v*' workflow_dispatch: env: REGISTRY_HOST: git.pi-farm.de IMAGE_BASE: ${{ gitea.repository }} jobs: build: name: Build amd64 & arm64 runs-on: buildx-multiarch steps: - name: Checkout repository uses: http://git.pi-farm.de/pi-farm/checkout@v4 with: fetch-depth: 0 fetch-tags: true - name: Dump context run: env | sort - name: Show ref info run: | echo "REF=$GITHUB_REF" echo "REF_TYPE=$GITHUB_REF_TYPE" echo "REF_NAME=$GITHUB_REF_NAME" - name: Dynamic Template Fix id: template_fix run: | if grep -q "{{.RepoName}}" README.md 2>/dev/null; then echo "Ersetze Platzhalter in README, docker-compose und LICENSE..." REPO_NAME=$(echo "${{ gitea.repository }}" | cut -d'/' -f2) OWNER_NAME=$(echo "${{ gitea.repository }}" | cut -d'/' -f1) BRANCH_NAME="${{ gitea.ref_name }}" sed -i "s|{{.RepoName}}|${REPO_NAME}|g" README.md docker-compose.yml LICENSE 2>/dev/null || true sed -i "s|{{.OwnerName}}|${OWNER_NAME}|g" README.md docker-compose.yml LICENSE 2>/dev/null || true sed -i "s|{{.BranchName}}|${BRANCH_NAME}|g" README.md docker-compose.yml LICENSE 2>/dev/null || true git config user.name "Gitea Bot" git config user.email "bot@gitea.local" git add README.md docker-compose.yml LICENSE if git diff --staged --quiet; then echo "Keine Änderungen zum Committen." else git commit -m "docs: fix template placeholders [skip ci]" git push origin HEAD:${{ gitea.ref_name }} fi else echo "Platzhalter bereits ersetzt." fi - name: Detect version id: detect_version run: | echo "== Detect version ==" # Prüfen, ob wir auf einem Tag oder main-Branch sind if [ "$GITHUB_REF_TYPE" = "tag" ]; then VERSION="$GITHUB_REF_NAME" CLEAN_VERSION="${VERSION#v}" # entfernt führendes 'v' IS_TAG=true else VERSION="main" CLEAN_VERSION="main" IS_TAG=false fi echo "VERSION=$VERSION" echo "CLEAN_VERSION=$CLEAN_VERSION" echo "IS_TAG=$IS_TAG" # Env für alle weiteren Steps exportieren echo "VERSION=$VERSION" >> $GITHUB_ENV echo "CLEAN_VERSION=$CLEAN_VERSION" >> $GITHUB_ENV echo "IS_TAG=$IS_TAG" >> $GITHUB_ENV - name: Set dynamic variables and check Dockerfiles id: check_files run: | if [ -s "Dockerfile" ]; then echo "Dockerfile gefunden und nicht leer. Build wird vorbereitet." echo "should_build=true" >> $GITEA_OUTPUT else echo "Dockerfile ist leer oder fehlt. Build wird übersprungen." echo "should_build=false" >> $GITEA_OUTPUT exit 0 fi AMD64_FILE="Dockerfile" if [ -s "Dockerfile.aarch64" ]; then echo "Spezielles Dockerfile.aarch64 erkannt." ARM64_FILE="Dockerfile.aarch64" else ARM64_FILE="Dockerfile" fi echo "IMAGE_NAME=${{ env.REGISTRY_HOST }}/${{ env.IMAGE_BASE }}" >> $GITEA_ENV echo "CACHE_IMAGE_NAME=${{ env.REGISTRY_HOST }}/${{ env.IMAGE_BASE }}-cache" >> $GITEA_ENV echo "AMD64_DOCKERFILE=$AMD64_FILE" >> $GITEA_ENV echo "ARM64_DOCKERFILE=$ARM64_FILE" >> $GITEA_ENV echo "BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITEA_ENV - name: Login to registry if: steps.check_files.outputs.should_build == 'true' run: | echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login \ ${{ env.REGISTRY_HOST }} -u ${{ secrets.REGISTRY_USER }} --password-stdin - name: Setup buildx if: steps.check_files.outputs.should_build == 'true' run: | docker buildx rm multiarch || true docker buildx create --name multiarch --driver docker-container --use docker buildx inspect --bootstrap - name: Compute Docker tags run: | if [[ "$IS_TAG" == "true" ]]; then DOCKER_TAGS="${IMAGE_NAME}:${VERSION},${IMAGE_NAME}:latest" else DOCKER_TAGS="${IMAGE_NAME}:main" fi echo "DOCKER_TAGS=$DOCKER_TAGS" >> $GITEA_ENV - name: Load versions.env safely shell: bash run: | echo "== Load versions.env ==" # Funktion zum sauberen Parsen parse_env() { grep -v '^#' versions.env | grep -v '^$' | while IFS='=' read -r key value; do # Entferne mögliche Whitespaces key=$(echo $key | xargs) value=$(echo $value | xargs) export $key="$value" done } parse_env # Fixen von Workflow-Variablen CLEAN_VERSION="${VERSION#v}" BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) # Write to Gitea env echo "BASE_IMAGE=$BASE_IMAGE" >> $GITEA_ENV echo "APP_VERSION=$APP_VERSION" >> $GITEA_ENV echo "TARGET_PLATFORMS=$TARGET_PLATFORMS" >> $GITEA_ENV echo "IMAGE_NAME=${REGISTRY_HOST}/$IMAGE_BASE" >> $GITEA_ENV echo "CACHE_IMAGE_NAME=${REGISTRY_HOST}/$IMAGE_BASE-cache" >> $GITEA_ENV echo "VERSION=$VERSION" >> $GITEA_ENV echo "CLEAN_VERSION=$CLEAN_VERSION" >> $GITEA_ENV echo "BUILD_DATE=$BUILD_DATE" >> $GITEA_ENV - name: Build & push multiarch if: steps.check_files.outputs.should_build == 'true' shell: bash run: | echo "== Multiarch Build Start ==" # versions.env direkt hier laden BASE_IMAGE=$(grep ^BASE_IMAGE= versions.env | cut -d '=' -f2-) APP_VERSION=$(grep ^APP_VERSION= versions.env | cut -d '=' -f2-) echo "BASE_IMAGE=$BASE_IMAGE" echo "APP_VERSION=$APP_VERSION" if [ -z "$BASE_IMAGE" ]; then echo "BASE_IMAGE is empty → abort" exit 1 fi # amd64 build docker buildx build \ --platform linux/amd64 \ -f ${AMD64_DOCKERFILE} \ --build-arg BASE_IMAGE="$BASE_IMAGE" \ --build-arg APP_VERSION="$APP_VERSION" \ --label org.opencontainers.image.version="$APP_VERSION" \ --label org.opencontainers.image.created="$BUILD_DATE" \ -t ${CACHE_IMAGE_NAME}:${VERSION}-amd64 \ --push . # arm64 build docker buildx build \ --platform linux/arm64 \ -f ${ARM64_DOCKERFILE} \ --build-arg BASE_IMAGE="$BASE_IMAGE" \ --build-arg APP_VERSION="$APP_VERSION" \ --label org.opencontainers.image.version="$APP_VERSION" \ --label org.opencontainers.image.created="$BUILD_DATE" \ -t ${CACHE_IMAGE_NAME}:${VERSION}-arm64 \ --push . for TAG in $(echo $DOCKER_TAGS | tr ',' ' '); do docker buildx imagetools create -t $TAG \ ${CACHE_IMAGE_NAME}:${VERSION}-amd64 \ ${CACHE_IMAGE_NAME}:${VERSION}-arm64 done echo "== Multiarch Build Complete ==" - name: Install syft run: | curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \ | sh -s -- -b /usr/local/bin - name: Generate SBOM run: | # Benutze die Build-Variable DOCKER_TAGS oder IMAGE_NAME + VERSION if [[ "$IS_TAG" == "true" ]]; then TARGET_IMAGE="${IMAGE_NAME}:${VERSION}" else TARGET_IMAGE="${IMAGE_NAME}:main" fi echo "Generating SBOM for $TARGET_IMAGE" syft $TARGET_IMAGE -o spdx-json > sbom.spdx.json || true - name: Upload SBOM uses: actions/upload-artifact@v3 with: name: sbom path: sbom.spdx.json - name: Install cosign shell: bash run: | curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 \ -o cosign chmod +x cosign mv cosign /usr/local/bin/ cosign version - name: Sign image # Wir führen das aus, wenn gebaut wurde (egal ob Tag oder Main) if: steps.check_files.outputs.should_build == 'true' shell: bash env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} run: | set -euo pipefail # Welches Image signieren wir? (Tag oder Main) if [[ "$IS_TAG" == "true" ]]; then IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:${VERSION}" else IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:main" fi echo "Signing image: $IMAGE_TO_SIGN" # Key aus Secret wiederherstellen echo "$COSIGN_PRIVATE_KEY" > cosign.key # Signieren! # --recursive: Signiert den Multi-Arch Index UND die darunterliegenden Images (amd64/arm64) # --yes: Keine Rückfragen # Wir übergeben hier direkt das Image mit Tag. Cosign holt sich den Digest selbst. cosign sign --yes --recursive --key cosign.key "${IMAGE_TO_SIGN}" # Aufräumen rm cosign.key