eiblog/.github/workflows/release.yml

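# Release workflow: for every pushed tag matching v*, package the source tree,
# build/push/attest one multi-arch container image per application, and open a
# GitHub release carrying the archives.
#
# NOTE(review): every third-party action below is pinned to a mutable major
# tag (@v3, @v4, @v5, ...). For a workflow that publishes release assets and
# holds registry credentials, pinning each action to its full commit SHA (with
# the tag kept in a trailing comment) is the stronger supply-chain control.
name: Release Image & Asset

on:
  push:
    tags:
      - "v*"

# Least-privilege grants for the default GITHUB_TOKEN; every job inherits them.
permissions:
  contents: write      # create the release and upload its assets
  packages: write      # NOTE(review): appears unused — images are pushed to docker.io, not ghcr.io; drop if no ghcr push exists
  id-token: write      # OIDC token required by actions/attest-build-provenance (SLSA provenance)
  attestations: write  # persist the signed provenance in the repository's attestation store

env:
  REGISTRY: docker.io
  # Third-party module proxy. Module integrity is still checked against the
  # Go checksum database as long as GOSUMDB keeps its default; do not pair
  # this proxy with GOSUMDB=off.
  GOPROXY: https://goproxy.io,direct

jobs:
  # Job 1: package the source tarball and export build metadata (tag, short
  # sha, build date) for the downstream jobs.
  package-source:
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ steps.vars.outputs.tag }}
      sha: ${{ steps.vars.outputs.sha }}
      date: ${{ steps.vars.outputs.date }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache: true

      # tag  = pushed ref with the refs/tags/ prefix stripped (e.g. v1.2.3)
      # sha  = first 8 characters of the commit SHA
      # date = build time, UTC, RFC 3339 with a trailing Z
      - name: Extract metadata
        id: vars
        run: |
          echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
          echo "sha=${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"
          echo "date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"

      # The tag is handed to the script through an environment variable rather
      # than interpolated into the command line: ${{ }} is expanded before the
      # shell parses the line, and a git ref name may contain shell
      # metacharacters, so the env form keeps the value a plain argument.
      - name: Package tar archive
        env:
          RELEASE_TAG: ${{ steps.vars.outputs.tag }}
        run: scripts/dist_tar.sh "$RELEASE_TAG"

      - name: Upload tar artifacts
        uses: actions/upload-artifact@v4
        with:
          name: release-archives
          path: "*.tar.gz"
          retention-days: 7

  # Job 2: build, push and attest a multi-arch image for each application.
  # Needs package-source for the sha/date outputs used in the OCI labels.
  build-images:
    runs-on: ubuntu-latest
    needs: package-source
    strategy:
      # Keep building the other image if one fails; the release job still
      # requires every matrix leg to succeed.
      fail-fast: false
      matrix:
        app: [eiblog, backup]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: linux/amd64,linux/arm64,linux/arm/v7

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # NOTE(review): DOCKER_PASSWORD should hold a Docker Hub access token
      # scoped to this namespace rather than the account password, so a leak
      # from the runner can be revoked without rotating the account.
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Extract metadata for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/deepzz0/${{ matrix.app }}
          # `latest` used to be gated on {{is_default_branch}}, which is false
          # for tag-triggered runs (the ref is refs/tags/..., not a branch), so
          # the latest tag was never produced. Gate it on the absence of a
          # pre-release suffix instead: v1.2.3 gets latest, v1.2.3-rc1 does not.
          tags: |
            type=ref,event=tag
            type=raw,value=latest,enable=${{ !contains(github.ref_name, '-') }}
          labels: |
            org.opencontainers.image.title=${{ matrix.app }}
            org.opencontainers.image.description=eiblog ${{ matrix.app }} service
            org.opencontainers.image.vendor=deepzz
            org.opencontainers.image.revision=${{ needs.package-source.outputs.sha }}
            org.opencontainers.image.created=${{ needs.package-source.outputs.date }}

      - name: Build and push ${{ matrix.app }} image
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./build/package/${{ matrix.app }}/Dockerfile
          platforms: linux/amd64,linux/arm64,linux/arm/v7
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          # Per-app cache scope so the two images do not evict each other.
          cache-from: type=gha,scope=${{ matrix.app }}
          cache-to: type=gha,mode=max,scope=${{ matrix.app }}
          # BuildKit-generated provenance and SBOM attached to the image index.
          provenance: true
          sbom: true

      # Signed SLSA provenance for the pushed image digest (Sigstore, via the
      # OIDC token granted by id-token: write above).
      - name: Generate SLSA attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ env.REGISTRY }}/deepzz0/${{ matrix.app }}
          subject-digest: ${{ steps.build.outputs.digest }}

  # Job 3: publish the GitHub release with the source archives attached.
  create-release:
    runs-on: ubuntu-latest
    needs: [package-source, build-images]
    steps:
      - name: Download tar artifacts
        uses: actions/download-artifact@v4
        with:
          name: release-archives

      # The heredoc delimiter is quoted, so the shell expands nothing inside
      # it; the ${{ }} references are substituted by the runner beforehand.
      # NOTE(review): the summary lists "Container Signing", but no image
      # signing step (e.g. cosign) is visible in this workflow — the
      # attestation step signs a provenance statement, not the image. Either
      # add a signing step or drop that line so the summary does not overstate
      # the guarantees.
      - name: Create release summary
        run: |
          cat >> "$GITHUB_STEP_SUMMARY" << 'EOF'
          # 🎉 Release ${{ needs.package-source.outputs.tag }} Created!
          ## 📦 Docker Images
          - **eiblog**: `deepzz0/eiblog:${{ needs.package-source.outputs.tag }}`
          - **backup**: `deepzz0/backup:${{ needs.package-source.outputs.tag }}`
          ## 🏗️ Build Info
          - **Tag**: ${{ needs.package-source.outputs.tag }}
          - **Commit**: ${{ needs.package-source.outputs.sha }}
          - **Built**: ${{ needs.package-source.outputs.date }}
          - **Platforms**: linux/amd64, linux/arm64, linux/arm/v7
          ## 🔐 Security
          - ✅ SLSA Build Provenance
          - ✅ SBOM (Software Bill of Materials)
          - ✅ Container Signing
          EOF

      - name: Create GitHub release
        uses: softprops/action-gh-release@v2
        with:
          files: "*.tar.gz"
          generate_release_notes: true
          name: Release ${{ needs.package-source.outputs.tag }}
          body: |
            ## Docker Images
            ```bash
            docker pull deepzz0/eiblog:${{ needs.package-source.outputs.tag }}
            docker pull deepzz0/backup:${{ needs.package-source.outputs.tag }}
            ```
            ## Multi-Architecture Support
            - linux/amd64
            - linux/arm64
            - linux/arm/v7
            Built with commit ${{ needs.package-source.outputs.sha }} on ${{ needs.package-source.outputs.date }}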