1+
2+ name : Publish to ghcr (staging)
3+
4+ on :
5+ push :
6+ branches : ["v3"]
7+
8+ env :
9+ REGISTRY_IMAGE : ghcr.io/sourcebot-dev/sourcebot
10+
11+ jobs :
12+ build :
13+ runs-on : ${{ matrix.runs-on}}
14+ permissions :
15+ contents : read
16+ packages : write
17+ id-token : write
18+ strategy :
19+ matrix :
20+ platform : [linux/amd64, linux/arm64]
21+ include :
22+ - platform : linux/amd64
23+ runs-on : ubuntu-latest
24+ - platform : linux/arm64
25+ runs-on : ubuntu-24.04-arm
26+
27+ steps :
28+ - name : Prepare
29+ run : |
30+ platform=${{ matrix.platform }}
31+ echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
32+
33+ - name : Checkout repository
34+ uses : actions/checkout@v4
35+ with :
36+ submodules : " true"
37+
38+ - name : Extract Docker metadata
39+ id : meta
40+ uses : docker/metadata-action@v5
41+ with :
42+ images : ${{ env.REGISTRY_IMAGE }}
43+ tags : staging
44+
45+ - name : Install cosign
46+ uses : sigstore/cosign-installer@v3.5.0
47+ with :
48+ cosign-release : " v2.2.4"
49+
50+ - name : Set up Docker Buildx
51+ uses : docker/setup-buildx-action@v3
52+
53+ - name : Login to GitHub Packages Docker Registry
54+ uses : docker/login-action@v3
55+ with :
56+ registry : ghcr.io
57+ username : ${{ github.actor }}
58+ password : ${{ secrets.GITHUB_TOKEN }}
59+
60+ - name : Build Docker image
61+ id : build
62+ uses : docker/build-push-action@v6
63+ with :
64+ context : .
65+ labels : ${{ steps.meta.outputs.labels }}
66+ cache-from : type=gha
67+ cache-to : type=gha,mode=max
68+ platforms : ${{ matrix.platform }}
69+ outputs : type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
70+ build-args : |
71+ SOURCEBOT_VERSION=${{ github.ref_name }}
72+ POSTHOG_PAPIK=${{ secrets.POSTHOG_PAPIK }}
73+ SOURCEBOT_ENCRYPTION_KEY=${{ secrets.STAGING_SOURCEBOT_ENCRYPTION_KEY }}
74+
75+ - name : Export digest
76+ run : |
77+ mkdir -p /tmp/digests
78+ digest="${{ steps.build.outputs.digest }}"
79+ touch "/tmp/digests/${digest#sha256:}"
80+
81+ - name : Upload digest
82+ uses : actions/upload-artifact@v4
83+ with :
84+ name : digests-${{ env.PLATFORM_PAIR }}
85+ path : /tmp/digests/*
86+ if-no-files-found : error
87+ retention-days : 1
88+
89+ - name : Sign the published Docker image
90+ env :
91+ TAGS : ${{ steps.meta.outputs.tags }}
92+ DIGEST : ${{ steps.build.outputs.digest }}
93+ run : echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
94+
95+ merge :
96+ runs-on : ubuntu-latest
97+ permissions :
98+ packages : write
99+ needs :
100+ - build
101+ steps :
102+ - name : Download digests
103+ uses : actions/download-artifact@v4
104+ with :
105+ path : /tmp/digests
106+ pattern : digests-*
107+ merge-multiple : true
108+
109+ - name : Set up Docker Buildx
110+ uses : docker/setup-buildx-action@v3
111+
112+ - name : Extract Docker metadata
113+ id : meta
114+ uses : docker/metadata-action@v5
115+ with :
116+ images : ${{ env.REGISTRY_IMAGE }}
117+ tags : staging
118+
119+ - name : Login to GitHub Packages Docker Registry
120+ uses : docker/login-action@v3
121+ with :
122+ registry : ghcr.io
123+ username : ${{ github.actor }}
124+ password : ${{ secrets.GITHUB_TOKEN }}
125+
126+ - name : Create manifest list and push
127+ working-directory : /tmp/digests
128+ run : |
129+ docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
130+ $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
131+
132+ - name : Inspect image
133+ run : |
134+ docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
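Review bot: The `build-args` block at lines 70–73 passes `POSTHOG_PAPIK` and `STAGING_SOURCEBOT_ENCRYPTION_KEY` as Docker build arguments, and build args are typically recorded in the pushed image's layer history (e.g. visible through `docker history`), so anyone who can pull `ghcr.io/sourcebot-dev/sourcebot` may be able to recover the staging encryption key, depending on how the Dockerfile consumes the ARG. Pass them through build-push-action's `secrets` input instead — `secrets: |` followed by `POSTHOG_PAPIK=${{ secrets.POSTHOG_PAPIK }}` and `SOURCEBOT_ENCRYPTION_KEY=${{ secrets.STAGING_SOURCEBOT_ENCRYPTION_KEY }}` — and read them in the Dockerfile with `RUN --mount=type=secret,id=...`, which keeps them out of the image; `SOURCEBOT_VERSION` can stay a build arg. Separately, the cosign step at line 93 signs only the per-platform digests, while the manifest list the `merge` job creates and tags `:staging` is never signed, so a verifier checking the tag consumers actually pull finds no signature (signing it there would also require `id-token: write` on the `merge` job). The actions are pinned to mutable major tags (`@v4`, `@v6`) rather than commit SHAs, which is worth tightening for jobs holding `packages: write` and `id-token: write`.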