From c750e9c935989b1a8a1bc7d43198c14c4d45b885 Mon Sep 17 00:00:00 2001 From: gua Date: Sun, 19 Nov 2023 14:48:10 +0800 Subject: [PATCH] =?UTF-8?q?feat:=20=E6=96=B0=E5=A2=9Egit=20action=E7=BC=96?= =?UTF-8?q?=E8=AF=91docker=E9=95=9C=E5=83=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/docker.yml | 104 +++++++++++++++++++++++++--------- .github/workflows/master.yml | 52 ----------------- .github/workflows/scripts.yml | 29 ---------- .gitignore | 4 +- README.md | 2 +- 5 files changed, 81 insertions(+), 110 deletions(-) delete mode 100644 .github/workflows/master.yml delete mode 100644 .github/workflows/scripts.yml diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 1e7a618..1448f56 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -1,46 +1,96 @@ -name: "Build Docker Image" +name: Docker + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. on: push: - tags: - - app/v*.*.* + branches: [ "master" ] + # Publish semver tags as releases. + tags: [ 'v*.*.*' ] + +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + jobs: - docker: + build: + runs-on: ubuntu-latest - env: - ACTIONS_ALLOW_UNSECURE_COMMANDS: true + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write steps: - - name: Check out - uses: actions/checkout@v4 - - - name: Get version - id: get_version - run: echo "version=$(git describe --tags --always --match 'app/v*' | sed -n 's|app/\([^/-]*\)\(-.*\)\{0,1\}|\1|p')" >> $GITHUB_OUTPUT + - name: Checkout repository + uses: actions/checkout@v3 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GHCR_TOKEN }} + cosign-release: 'v2.1.1' + # Set up BuildKit Docker container builder to be able to build + # multi-platform images and export cache + # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - name: Build and push - id: docker_build - uses: docker/build-push-action@v5 + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Get version + id: get_version + run: echo "version=$(git describe --tags --always)" >> $GITHUB_OUTPUT + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 with: context: . push: true platforms: linux/amd64,linux/arm64 - tags: cedar2025/hysteria:latest,cedar2025/hysteria:v2b,cedar2025/hysteria:v2b-${{ steps.get_version.outputs.version }} - - - name: Image digest - run: echo ${{ steps.docker_build.outputs.digest }} + tags: ${{ env.REGISTRY }}/cedar2025/hysteria:latest,${{ env.REGISTRY }}/cedar2025/hysteria,${{ env.REGISTRY }}/cedar2025/hysteria:${{ steps.get_version.outputs.version }} + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml deleted file mode 100644 index 644d3a3..0000000 --- a/.github/workflows/master.yml +++ /dev/null @@ -1,52 +0,0 @@ -name: "Build master branch" - -on: - push: - branches: - - master - -jobs: - build: - name: Build - runs-on: ubuntu-latest - env: - ACTIONS_ALLOW_UNSECURE_COMMANDS: true - - steps: - - name: Check out - uses: actions/checkout@v4 - - - name: Setup Go - uses: actions/setup-go@v4 - with: - go-version: "1.21" - - - name: Setup Python # This is for the build script - uses: actions/setup-python@v4 - with: - python-version: "3.11" - - - uses: nttld/setup-ndk@v1 - id: setup-ndk - with: - ndk-version: r26b - add-to-path: false - - - name: Run build script - env: - ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }} - run: | - export HY_APP_PLATFORMS=$(sed 's/\r$//' platforms.txt | awk '!/^#/ && !/^$/' | paste -sd ",") - python hyperbole.py build -r - - - name: Generate hashes - run: | - for file in build/*; do - sha256sum $file >> build/hashes.txt - done - - - name: Archive - uses: actions/upload-artifact@v3 - with: - name: hysteria-master-${{ github.sha }} - path: build diff --git a/.github/workflows/scripts.yml b/.github/workflows/scripts.yml deleted file mode 100644 index 6e38848..0000000 --- a/.github/workflows/scripts.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: "Publish scripts" - -on: - push: - branches: - - master - paths: - - scripts/** - -jobs: - publish: - runs-on: ubuntu-latest - permissions: - contents: read - deployments: write - name: Publish scripts to Cloudflare Pages - steps: - - name: Check out - uses: actions/checkout@v4 - - - name: Publish to Cloudflare Pages - uses: cloudflare/pages-action@v1 - with: - apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} - accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} - projectName: hy2scripts - directory: scripts - gitHubToken: ${{ secrets.GITHUB_TOKEN }} - branch: main diff --git a/.gitignore b/.gitignore index 958549b..f672532 100644 --- a/.gitignore +++ b/.gitignore @@ -467,4 +467,6 @@ $RECYCLE.BIN/ # Windows shortcuts *.lnk -# End of https://www.toptal.com/developers/gitignore/api/goland+all,intellij+all,go,windows,linux,macos,python,pycharm+all \ No newline at end of file +# End of https://www.toptal.com/developers/gitignore/api/goland+all,intellij+all,go,windows,linux,macos,python,pycharm+all + +build-release \ No newline at end of file diff --git a/README.md b/README.md index 37616b0..99c452a 100644 --- a/README.md +++ b/README.md @@ -36,5 +36,5 @@ acl: ### docker 仓库 ``` -docker pull cedar2026/hysteria2-v2b:1.0.2 +docker pull ghcr.io/cedar2025/xboard:latest ``` \ No newline at end of file