name: Docker # This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. on: push: branches: - main release: types: [published] pull_request: branches: - main jobs: docker-push-base: if: ${{ github.event_name != 'pull_request' && github.repository == 'Kav-K/GPT3Discord' }} runs-on: ubuntu-20.04 permissions: contents: read packages: write # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write steps: - name: Checkout repository uses: actions/checkout@v3 # https://github.com/sigstore/cosign-installer - name: Install cosign uses: sigstore/cosign-installer@v2 with: cosign-release: 'v1.13.1' - name: Set up QEMU uses: docker/setup-qemu-action@v2 - name: Setup Docker buildx uses: docker/setup-buildx-action@v2 - name: Login to Docker Hub uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} # Extract metadata (tags, labels) for Docker - name: Extract Docker metadata id: meta uses: docker/metadata-action@v4 with: flavor: | latest=auto suffix=-base,onlatest=true tags: | type=semver,pattern={{raw}} type=ref,event=branch images: | kaveenk/gpt3discord ghcr.io/${{ github.repository }} - name: Check if release uses: haya14busa/action-cond@v1 id: isRelease with: cond: ${{ github.event_name == 'release' }} if_true: 'linux/amd64,linux/arm64' if_false: 'linux/amd64' # Build and push Docker image with Buildx - name: Build and push base Docker image id: build-and-push-base uses: docker/build-push-action@v4 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max platforms: ${{ steps.isRelease.outputs.value }} # Sign the resulting Docker image digest # This will only write to the public Rekor transparency log when the Docker # repository is public to avoid leaking data. If you would like to publish # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - name: Sign the published base Docker image env: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push-base.outputs.digest }} docker-push-full: if: ${{ github.event_name != 'pull_request' && github.repository == 'Kav-K/GPT3Discord' }} runs-on: ubuntu-20.04 permissions: contents: read packages: write # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write steps: - name: Checkout repository uses: actions/checkout@v3 # https://github.com/sigstore/cosign-installer - name: Install cosign uses: sigstore/cosign-installer@v2 with: cosign-release: 'v1.13.1' - name: Set up QEMU uses: docker/setup-qemu-action@v2 - name: Setup Docker buildx uses: docker/setup-buildx-action@v2 - name: Login to Docker Hub uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} # Extract metadata (tags, labels) for Docker - name: Extract Docker metadata id: meta uses: docker/metadata-action@v4 with: flavor: | latest=auto suffix=-full,onlatest=true tags: | type=semver,pattern={{raw}} type=ref,event=branch images: | kaveenk/gpt3discord ghcr.io/${{ github.repository }} - name: Check if release uses: haya14busa/action-cond@v1 id: isRelease with: cond: ${{ github.event_name == 'release' }} if_true: 'linux/amd64,linux/arm64' if_false: 'linux/amd64' # Build and push Docker image with Buildx # https://github.com/docker/build-push-action - name: Build and push full Docker image id: build-and-push-full uses: docker/build-push-action@v4 with: build-args: FULL=true context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max platforms: ${{ steps.isRelease.outputs.value }} # Sign the resulting Docker image digest # This will only write to the public Rekor transparency log when the Docker # repository is public to avoid leaking data. If you would like to publish # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - name: Sign the published full Docker image env: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push-full.outputs.digest }} docker-pr: # Only builds amd64 due to arm64 being slow if: ${{ github.event_name == 'pull_request' && github.repository == 'Kav-K/GPT3Discord' }} runs-on: ubuntu-20.04 permissions: contents: read packages: write # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write steps: - name: Checkout repository uses: actions/checkout@v3 - name: Set up QEMU uses: docker/setup-qemu-action@v2 - name: Setup Docker buildx uses: docker/setup-buildx-action@v2 - name: Extract Docker metadata id: meta uses: docker/metadata-action@v4 with: images: | kaveenk/gpt3discord ghcr.io/${{ github.repository }} - name: Build and push base Docker image id: build-and-push-base uses: docker/build-push-action@v4 with: context: . push: false tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max platforms: linux/amd64,linux/arm64 - name: Build and push full Docker image id: build-and-push-full uses: docker/build-push-action@v4 with: build-args: FULL=true context: . push: false tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max platforms: linux/amd64,linux/arm64