feat: 新增git action编译docker镜像

2025-07-05 02:39:51 +00:00 · 2023-11-19 14:48:10 +08:00 · 2023-11-19 14:48:10 +08:00 · c750e9c935
commit c750e9c935
parent 06d255deb8
5 changed files with 81 additions and 110 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -1,46 +1,96 @@
-name: "Build Docker Image"
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.

 on:
  push:
-    tags:
-      - app/v*.*.*
+    branches: [ "master" ]
+    # Publish semver tags as releases.
+    tags: [ 'v*.*.*' ]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+

 jobs:
-  docker:
+  build:
+
    runs-on: ubuntu-latest
-    env:
-      ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write

    steps:
-      - name: Check out
-        uses: actions/checkout@v4
-
-      - name: Get version
-        id: get_version
-        run: echo "version=$(git describe --tags --always --match 'app/v*' | sed -n 's|app/\([^/-]*\)\(-.*\)\{0,1\}|\1|p')" >> $GITHUB_OUTPUT
+      - name: Checkout repository
+        uses: actions/checkout@v3

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GHCR_TOKEN }}
+          cosign-release: 'v2.1.1'
+      # Set up BuildKit Docker container builder to be able to build
+      # multi-platform images and export cache
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v5
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      
+      - name: Get version
+        id: get_version
+        run: echo "version=$(git describe --tags --always)" >> $GITHUB_OUTPUT
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        with:
          context: .
          push: true
          platforms: linux/amd64,linux/arm64
-          tags: cedar2025/hysteria:latest,cedar2025/hysteria:v2b,cedar2025/hysteria:v2b-${{ steps.get_version.outputs.version }}
-
-      - name: Image digest
-        run: echo ${{ steps.docker_build.outputs.digest }}
+          tags: ${{ env.REGISTRY }}/cedar2025/hysteria:latest,${{ env.REGISTRY }}/cedar2025/hysteria,${{ env.REGISTRY }}/cedar2025/hysteria:${{ steps.get_version.outputs.version }}

+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@ -1,52 +0,0 @@
-name: "Build master branch"
-
-on:
-  push:
-    branches:
-      - master
-
-jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    env:
-      ACTIONS_ALLOW_UNSECURE_COMMANDS: true
-
-    steps:
-      - name: Check out
-        uses: actions/checkout@v4
-
-      - name: Setup Go
-        uses: actions/setup-go@v4
-        with:
-          go-version: "1.21"
-
-      - name: Setup Python # This is for the build script
-        uses: actions/setup-python@v4
-        with:
-          python-version: "3.11"
-
-      - uses: nttld/setup-ndk@v1
-        id: setup-ndk
-        with:
-          ndk-version: r26b
-          add-to-path: false
-
-      - name: Run build script
-        env:
-          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
-        run: |
-          export HY_APP_PLATFORMS=$(sed 's/\r$//' platforms.txt | awk '!/^#/ && !/^$/' | paste -sd ",")
-          python hyperbole.py build -r
-
-      - name: Generate hashes
-        run: |
-          for file in build/*; do
-            sha256sum $file >> build/hashes.txt
-          done
-
-      - name: Archive
-        uses: actions/upload-artifact@v3
-        with:
-          name: hysteria-master-${{ github.sha }}
-          path: build
--- a/.github/workflows/scripts.yml
+++ b/.github/workflows/scripts.yml
@ -1,29 +0,0 @@
-name: "Publish scripts"
-
-on:
-  push:
-    branches:
-      - master
-    paths:
-      - scripts/**
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      deployments: write
-    name: Publish scripts to Cloudflare Pages
-    steps:
-      - name: Check out
-        uses: actions/checkout@v4
-
-      - name: Publish to Cloudflare Pages
-        uses: cloudflare/pages-action@v1
-        with:
-          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          projectName: hy2scripts
-          directory: scripts
-          gitHubToken: ${{ secrets.GITHUB_TOKEN }}
-          branch: main
--- a/.gitignore
+++ b/.gitignore
@ -468,3 +468,5 @@ $RECYCLE.BIN/
 *.lnk

 # End of https://www.toptal.com/developers/gitignore/api/goland+all,intellij+all,go,windows,linux,macos,python,pycharm+all
+
+build-release
--- a/README.md
+++ b/README.md
@ -36,5 +36,5 @@ acl:

 ### docker 仓库
 ```
-docker pull cedar2026/hysteria2-v2b:1.0.2
+docker pull ghcr.io/cedar2025/xboard:latest
 ```