pi-farm/test2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4b5b07a93b78b0aecc6f99be4783791b7409cc0e
test2/.gitea/workflows/docker-builder.yml
pi-farm 4b5b07a93b
Some checks failed
Docker Build Smart Logic / Build amd64 & arm64 (push) Failing after 23s
Details
fix
2026-02-10 00:23:17 +01:00

286 lines
9.6 KiB
YAML
Raw Blame History

name: Docker Build Smart Logic
on:
push:
branches:
- main
tags:
- 'v*'
workflow_dispatch:
env:
REGISTRY_HOST: git.pi-farm.de
IMAGE_BASE: ${{ gitea.repository }}
jobs:
build:
name: Build amd64 & arm64
runs-on: buildx-multiarch
steps:
- name: Checkout repository
uses: http://git.pi-farm.de/pi-farm/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
- name: Dump context
run: env | sort
- name: Show ref info
run: |
echo "REF=$GITHUB_REF"
echo "REF_TYPE=$GITHUB_REF_TYPE"
echo "REF_NAME=$GITHUB_REF_NAME"
- name: Dynamic Template Fix
id: template_fix
run: |
if grep -q "{{.RepoName}}" README.md 2>/dev/null; then
echo "Ersetze Platzhalter in README, docker-compose und LICENSE..."
REPO_NAME=$(echo "${{ gitea.repository }}" | cut -d'/' -f2)
OWNER_NAME=$(echo "${{ gitea.repository }}" | cut -d'/' -f1)
BRANCH_NAME="${{ gitea.ref_name }}"
sed -i "s|{{.RepoName}}|${REPO_NAME}|g" README.md docker-compose.yml LICENSE 2>/dev/null || true
sed -i "s|{{.OwnerName}}|${OWNER_NAME}|g" README.md docker-compose.yml LICENSE 2>/dev/null || true
sed -i "s|{{.BranchName}}|${BRANCH_NAME}|g" README.md docker-compose.yml LICENSE 2>/dev/null || true
git config user.name "Gitea Bot"
git config user.email "bot@gitea.local"
git add README.md docker-compose.yml LICENSE
if git diff --staged --quiet; then
echo "Keine Änderungen zum Committen."
else
git commit -m "docs: fix template placeholders [skip ci]"
git push origin HEAD:${{ gitea.ref_name }}
fi
else
echo "Platzhalter bereits ersetzt."
fi
- name: Detect version
id: detect_version
run: |
echo "== Detect version =="
# Prüfen, ob wir auf einem Tag oder main-Branch sind
if [ "$GITHUB_REF_TYPE" = "tag" ]; then
VERSION="$GITHUB_REF_NAME"
CLEAN_VERSION="${VERSION#v}" # entfernt führendes 'v'
IS_TAG=true
else
VERSION="main"
CLEAN_VERSION="main"
IS_TAG=false
fi
echo "VERSION=$VERSION"
echo "CLEAN_VERSION=$CLEAN_VERSION"
echo "IS_TAG=$IS_TAG"
# Env für alle weiteren Steps exportieren
echo "VERSION=$VERSION" >> $GITHUB_ENV
echo "CLEAN_VERSION=$CLEAN_VERSION" >> $GITHUB_ENV
echo "IS_TAG=$IS_TAG" >> $GITHUB_ENV
- name: Set dynamic variables and check Dockerfiles
id: check_files
run: |
if [ -s "Dockerfile" ]; then
echo "Dockerfile gefunden und nicht leer. Build wird vorbereitet."
echo "should_build=true" >> $GITEA_OUTPUT
else
echo "Dockerfile ist leer oder fehlt. Build wird übersprungen."
echo "should_build=false" >> $GITEA_OUTPUT
exit 0
fi
AMD64_FILE="Dockerfile"
if [ -s "Dockerfile.aarch64" ]; then
echo "Spezielles Dockerfile.aarch64 erkannt."
ARM64_FILE="Dockerfile.aarch64"
else
ARM64_FILE="Dockerfile"
fi
echo "IMAGE_NAME=${{ env.REGISTRY_HOST }}/${{ env.IMAGE_BASE }}" >> $GITEA_ENV
echo "CACHE_IMAGE_NAME=${{ env.REGISTRY_HOST }}/${{ env.IMAGE_BASE }}-cache" >> $GITEA_ENV
echo "AMD64_DOCKERFILE=$AMD64_FILE" >> $GITEA_ENV
echo "ARM64_DOCKERFILE=$ARM64_FILE" >> $GITEA_ENV
echo "BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITEA_ENV
- name: Login to registry
if: steps.check_files.outputs.should_build == 'true'
run: |
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login \
${{ env.REGISTRY_HOST }} -u ${{ secrets.REGISTRY_USER }} --password-stdin
- name: Setup buildx
if: steps.check_files.outputs.should_build == 'true'
run: |
docker buildx rm multiarch || true
docker buildx create --name multiarch --driver docker-container --use
docker buildx inspect --bootstrap
- name: Compute Docker tags
run: |
if [[ "$IS_TAG" == "true" ]]; then
DOCKER_TAGS="${IMAGE_NAME}:${VERSION},${IMAGE_NAME}:latest"
else
DOCKER_TAGS="${IMAGE_NAME}:main"
fi
echo "DOCKER_TAGS=$DOCKER_TAGS" >> $GITEA_ENV
- name: Load versions.env safely
shell: bash
run: |
echo "== Load versions.env =="
# Funktion zum sauberen Parsen
parse_env() {
grep -v '^#' versions.env | grep -v '^$' | while IFS='=' read -r key value; do
# Entferne mögliche Whitespaces
key=$(echo $key | xargs)
value=$(echo $value | xargs)
export $key="$value"
done
}
parse_env
# Fixen von Workflow-Variablen
CLEAN_VERSION="${VERSION#v}"
BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)
# Write to Gitea env
echo "BASE_IMAGE=$BASE_IMAGE" >> $GITEA_ENV
echo "APP_VERSION=$APP_VERSION" >> $GITEA_ENV
echo "TARGET_PLATFORMS=$TARGET_PLATFORMS" >> $GITEA_ENV
echo "IMAGE_NAME=${REGISTRY_HOST}/$IMAGE_BASE" >> $GITEA_ENV
echo "CACHE_IMAGE_NAME=${REGISTRY_HOST}/$IMAGE_BASE-cache" >> $GITEA_ENV
echo "VERSION=$VERSION" >> $GITEA_ENV
echo "CLEAN_VERSION=$CLEAN_VERSION" >> $GITEA_ENV
echo "BUILD_DATE=$BUILD_DATE" >> $GITEA_ENV
- name: Build & push multiarch
if: steps.check_files.outputs.should_build == 'true'
shell: bash
run: |
echo "== Multiarch Build Start =="
# versions.env direkt hier laden
BASE_IMAGE=$(grep ^BASE_IMAGE= versions.env | cut -d '=' -f2-)
APP_VERSION=$(grep ^APP_VERSION= versions.env | cut -d '=' -f2-)
echo "BASE_IMAGE=$BASE_IMAGE"
echo "APP_VERSION=$APP_VERSION"
if [ -z "$BASE_IMAGE" ]; then
echo "BASE_IMAGE is empty → abort"
exit 1
fi
# amd64 build
docker buildx build \
--platform linux/amd64 \
-f ${AMD64_DOCKERFILE} \
--build-arg BASE_IMAGE="$BASE_IMAGE" \
--build-arg APP_VERSION="$APP_VERSION" \
--label org.opencontainers.image.version="$APP_VERSION" \
--label org.opencontainers.image.created="$BUILD_DATE" \
-t ${CACHE_IMAGE_NAME}:${VERSION}-amd64 \
--push .
# arm64 build
docker buildx build \
--platform linux/arm64 \
-f ${ARM64_DOCKERFILE} \
--build-arg BASE_IMAGE="$BASE_IMAGE" \
--build-arg APP_VERSION="$APP_VERSION" \
--label org.opencontainers.image.version="$APP_VERSION" \
--label org.opencontainers.image.created="$BUILD_DATE" \
-t ${CACHE_IMAGE_NAME}:${VERSION}-arm64 \
--push .
for TAG in $(echo $DOCKER_TAGS | tr ',' ' '); do
docker buildx imagetools create -t $TAG \
${CACHE_IMAGE_NAME}:${VERSION}-amd64 \
${CACHE_IMAGE_NAME}:${VERSION}-arm64
done
echo "== Multiarch Build Complete =="
- name: Install syft
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \
| sh -s -- -b /usr/local/bin
- name: Generate SBOM
run: |
# Benutze die Build-Variable DOCKER_TAGS oder IMAGE_NAME + VERSION
if [[ "$IS_TAG" == "true" ]]; then
TARGET_IMAGE="${IMAGE_NAME}:${VERSION}"
else
TARGET_IMAGE="${IMAGE_NAME}:main"
fi
echo "Generating SBOM for $TARGET_IMAGE"
syft $TARGET_IMAGE -o spdx-json > sbom.spdx.json || true
- name: Upload SBOM
uses: actions/upload-artifact@v3
with:
name: sbom
path: sbom.spdx.json
- name: Install cosign
shell: bash
run: |
curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 \
-o cosign
chmod +x cosign
mv cosign /usr/local/bin/
cosign version
- name: Sign image
if: steps.check_files.outputs.should_build == 'true'
shell: bash
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_EXPERIMENTAL: "1"
run: |
set -euo pipefail
# 1. Image Name
if [[ "$IS_TAG" == "true" ]]; then
IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:${VERSION}"
else
IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:main"
fi
echo "Signing image: $IMAGE_TO_SIGN"
echo "$COSIGN_PRIVATE_KEY" > cosign.key
# 2. Konfiguration von Cosign selbst generieren lassen
# Das erstellt eine gültige YAML/JSON ohne Rekor-Endpunkt
cosign signing-config create --rekor-url "" > signing-config.yaml
# 3. Signieren
# WICHTIG: --tlog-upload=false MUSS weg, da es mit --signing-config kollidiert
cosign sign --yes --recursive --key cosign.key \
--signing-config signing-config.yaml \
--registry-referrers-mode oci-1-1 \
"${IMAGE_TO_SIGN}"
# 4. Aufräumen
rm -f cosign.key signing-config.yaml
Reference in New Issue View Git Blame Copy Permalink