diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7f07d5f..354e136 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,65 +1,169 @@ -name: release image & asset +name: Release Image & Asset on: - push: - tags: + push: + tags: - "v*" +permissions: + contents: write + packages: write + id-token: write # for SLSA provenance + attestations: write # for attestations + +env: + REGISTRY: docker.io + GOPROXY: https://goproxy.io,direct + jobs: - package: + # Job 1: 打包源码 tar 文件 + package-source: runs-on: ubuntu-latest + outputs: + tag: ${{ steps.vars.outputs.tag }} + sha: ${{ steps.vars.outputs.sha }} + date: ${{ steps.vars.outputs.date }} steps: - - name: Checkout - uses: actions/checkout@v3 + - name: Checkout repository + uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - with: - platforms: linux/amd64,linux/arm64,linux/arm/v7 + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + - name: Extract metadata + id: vars + run: | + echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT + echo "sha=${GITHUB_SHA::8}" >> $GITHUB_OUTPUT + echo "date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT - - name: Docker tag - id: vars - run: echo ::set-output name=tag::$(echo ${GITHUB_REF:10}) - - name: Login to Docker Hub - uses: docker/login-action@v2 - with: - password: ${{ secrets.DOCKER_PASSWORD }} - username: ${{ secrets.DOCKER_USERNAME }} + - name: Package tar archive + run: scripts/dist_tar.sh ${{ steps.vars.outputs.tag }} - - name: Build and push eiblog - uses: docker/build-push-action@v3 - with: - context: . - file: ./build/package/eiblog/Dockerfile - platforms: linux/amd64,linux/arm64,linux/arm/v7 - push: true - tags: | - deepzz0/eiblog:${{ steps.vars.outputs.tag }} - deepzz0/eiblog:latest + - name: Upload tar artifacts + uses: actions/upload-artifact@v4 + with: + name: release-archives + path: "*.tar.gz" + retention-days: 7 - - name: Build and push backup - uses: docker/build-push-action@v3 - with: - context: . 
- file: ./build/package/backup/Dockerfile - platforms: linux/amd64,linux/arm64,linux/arm/v7 - push: true - tags: | - deepzz0/backup:${{ steps.vars.outputs.tag }} - deepzz0/backup:latest + # Job 2: 构建并推送 Docker 镜像 + build-images: + runs-on: ubuntu-latest + needs: package-source + strategy: + fail-fast: false + matrix: + app: [eiblog, backup] + include: + - app: eiblog + port: 9000 + - app: backup + port: 9001 + steps: + - name: Checkout repository + uses: actions/checkout@v4 - - name: Package tar - env: - GOPROXY: https://goproxy.io,direct - run: scripts/dist_tar.sh ${{ steps.vars.outputs.tag }} - - name: Release push - uses: softprops/action-gh-release@v1 - if: startsWith(github.ref, 'refs/tags/') - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - files: | - *.tar.gz + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: linux/amd64,linux/arm64,linux/arm/v7 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Extract metadata for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/deepzz0/${{ matrix.app }} + tags: | + type=ref,event=tag + type=raw,value=latest,enable={{is_default_branch}} + labels: | + org.opencontainers.image.title=${{ matrix.app }} + org.opencontainers.image.description=eiblog ${{ matrix.app }} service + org.opencontainers.image.vendor=deepzz + org.opencontainers.image.revision=${{ needs.package-source.outputs.sha }} + org.opencontainers.image.created=${{ needs.package-source.outputs.date }} + + - name: Build and push ${{ matrix.app }} image + id: build + uses: docker/build-push-action@v5 + with: + context: . 
+ file: ./build/package/${{ matrix.app }}/Dockerfile + platforms: linux/amd64,linux/arm64,linux/arm/v7 + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha,scope=${{ matrix.app }} + cache-to: type=gha,mode=max,scope=${{ matrix.app }} + provenance: true + sbom: true + + - name: Generate SLSA attestation + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/deepzz0/${{ matrix.app }} + subject-digest: ${{ steps.build.outputs.digest }} + + # Job 3: 创建 GitHub Release + create-release: + runs-on: ubuntu-latest + needs: [package-source, build-images] + steps: + - name: Download tar artifacts + uses: actions/download-artifact@v4 + with: + name: release-archives + + - name: Create release summary + run: | + cat >> $GITHUB_STEP_SUMMARY << 'EOF' + # 🎉 Release ${{ needs.package-source.outputs.tag }} Created! + + ## 📦 Docker Images + - **eiblog**: `deepzz0/eiblog:${{ needs.package-source.outputs.tag }}` + - **backup**: `deepzz0/backup:${{ needs.package-source.outputs.tag }}` + + ## 🏗️ Build Info + - **Tag**: ${{ needs.package-source.outputs.tag }} + - **Commit**: ${{ needs.package-source.outputs.sha }} + - **Built**: ${{ needs.package-source.outputs.date }} + - **Platforms**: linux/amd64, linux/arm64, linux/arm/v7 + + ## 🔐 Security + - ✅ SLSA Build Provenance + - ✅ SBOM (Software Bill of Materials) + - ✅ Container Signing + EOF + + - name: Create GitHub release + uses: softprops/action-gh-release@v2 + with: + files: "*.tar.gz" + generate_release_notes: true + name: Release ${{ needs.package-source.outputs.tag }} + body: | + ## Docker Images + ```bash + docker pull deepzz0/eiblog:${{ needs.package-source.outputs.tag }} + docker pull deepzz0/backup:${{ needs.package-source.outputs.tag }} + ``` + + ## Multi-Architecture Support + - linux/amd64 + - linux/arm64 + - linux/arm/v7 + + Built with commit ${{ needs.package-source.outputs.sha }} on ${{ needs.package-source.outputs.date }} 
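Review bot: The step summary written in create-release advertises `- ✅ Container Signing`, but no signing step exists anywhere in the new workflow — build-images emits buildx provenance/SBOM and a GitHub build-provenance attestation, which is not image signing — so either drop that line or add the step it describes, otherwise the published security claims do not match what ran. The workflow-level `permissions:` block grants `contents: write`, `packages: write`, `id-token: write` and `attestations: write` to all three jobs, although package-source only reads the checkout, build-images needs only the OIDC/attestation scopes (`packages: write` is unused with `REGISTRY: docker.io`), and only create-release needs `contents: write`; scoping the grants per job (sketched below) keeps a compromised step in one job from creating releases or minting OIDC tokens. Every `uses:` is pinned to a mutable major tag (`@v4`, `@v5`, `@v1`), which combined with those write scopes is a supply-chain exposure; pin to full commit SHAs with the version in a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4`. As far as I can tell `type=raw,value=latest,enable={{is_default_branch}}` evaluates to false on a tag push, so unlike the removed workflow `:latest` will no longer be updated — if that is unintended, use `type=raw,value=latest` without the guard; the unused `port` values in the matrix `include` should go as well. The `run:` lines that interpolate `${{ steps.vars.outputs.tag }}` and `needs.package-source.outputs.*` directly into shell would be safer read from `env:` variables, though these values derive from the pushed ref, so only someone able to push tags can influence them.
```yaml
permissions: {}  # no workflow-wide grants; each job declares what it needs

jobs:
  package-source:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # … unchanged: outputs and steps …

  build-images:
    runs-on: ubuntu-latest
    needs: package-source
    permissions:
      contents: read
      id-token: write      # for SLSA provenance
      attestations: write  # for attestations
    # … unchanged: strategy and steps …

  create-release:
    runs-on: ubuntu-latest
    needs: [package-source, build-images]
    permissions:
      contents: write
    # … unchanged: steps …
```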
diff --git a/build/package/backup/Dockerfile b/build/package/backup/Dockerfile index 5981fd6..c604f06 100644 --- a/build/package/backup/Dockerfile +++ b/build/package/backup/Dockerfile @@ -2,14 +2,14 @@ FROM golang:1.20 AS builder WORKDIR /eiblog COPY . . -RUN ./scripts/run_build.sh backup - +RUN scripts/run_build.sh backup FROM alpine:latest LABEL maintainer="deepzz.qi@gmail.com" RUN apk add --update --no-cache tzdata ca-certificates \ - mongodb-tools libc6-compat gcompat + mongodb-tools libc6-compat gcompat + COPY README.md /app/README.md COPY CHANGELOG.md /app/CHANGELOG.md COPY LICENSE /app/LICENSE diff --git a/build/package/eiblog/Dockerfile b/build/package/eiblog/Dockerfile index a59ad8b..ea7b3de 100644 --- a/build/package/eiblog/Dockerfile +++ b/build/package/eiblog/Dockerfile @@ -2,13 +2,13 @@ FROM golang:1.20 AS builder WORKDIR /eiblog COPY . . -RUN ./scripts/run_build.sh eiblog - +RUN scripts/run_build.sh eiblog FROM alpine:latest LABEL maintainer="deepzz.qi@gmail.com" -RUN apk add --update --no-cache tzdata +RUN apk add --update --no-cache tzdata ca-certificates + COPY README.md /app/README.md COPY CHANGELOG.md /app/CHANGELOG.md COPY LICENSE /app/LICENSE diff --git a/scripts/dist_tar.sh b/scripts/dist_tar.sh index 31b4a02..79fd61b 100755 --- a/scripts/dist_tar.sh +++ b/scripts/dist_tar.sh @@ -10,8 +10,7 @@ for file in cmd/*; do # tar platform for os in linux darwin windows; do _target="$app-$_tag.$os-$_arch.tar.gz" - GOOS=$os GOARCH=$_arch \ - go build -ldflags '-extldflags "-static"' -o ./cmd/$app/backend ./cmd/$app + GOOS=$os GOARCH=$_arch scripts/run_build.sh $app tar czf $_target ./cmd/$app/etc ./cmd/$app/backend done done
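Review bot: In the dist_tar.sh hunk, `GOOS=$os GOARCH=$_arch scripts/run_build.sh $app` hides the build behind run_build.sh, so whether the binary is still linked statically (the removed line passed `-extldflags "-static"`) and whether a failed cross-compile stops the loop now both depend on a script that is not in this diff; since every OS/arch iteration writes to the same `./cmd/$app/backend` before the `tar czf` on the next line, a silently failing build would package the previous iteration's binary under the new platform's archive name. Unless run_build.sh is confirmed to `set -e` and fail loudly, guard the new line so a failed build cannot be tarred, e.g. `rm -f "./cmd/$app/backend"` before the call and `GOOS=$os GOARCH=$_arch scripts/run_build.sh "$app" || exit 1`. The relative `scripts/run_build.sh` path also assumes the script is run from the repository root, which the Dockerfile hunks satisfy via `WORKDIR /eiblog` but a local caller may not. The enclosing `for file in cmd/*` loop begins above the hunk.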