Build & Push #438
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Auto-update (check upstream) + multi-arch build & push | |
| on: | |
| schedule: | |
| - cron: "0 * * * *" | |
| workflow_dispatch: | |
| inputs: | |
| force: | |
| description: "Force build even if tag already exists on Docker Hub" | |
| type: boolean | |
| default: false | |
| version: | |
| description: "Upstream version tag to build (e.g. v3.24.1). Empty = latest" | |
| type: string | |
| required: false | |
| concurrency: | |
| group: auto-build-ooniprobe | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| env: | |
| IMAGE_NAME: whn0thacked/ooniprobe | |
| UPSTREAM_REPO: ooni/probe-cli | |
| jobs: | |
| check: | |
| name: Check upstream version | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.get_version.outputs.version }} | |
| should_build: ${{ steps.decide.outputs.should_build }} | |
| steps: | |
| - name: Install jq | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y jq | |
| - name: Get upstream latest release tag (or input version) | |
| id: get_version | |
| env: | |
| INPUT_VERSION: ${{ inputs.version }} | |
| run: | | |
| set -euo pipefail | |
| if [ -n "${INPUT_VERSION:-}" ]; then | |
| ver="${INPUT_VERSION}" | |
| else | |
| ver="$( | |
| curl -fsSL \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| "https://api.github.com/repos/${UPSTREAM_REPO}/releases/latest" \ | |
| | jq -r '.tag_name' | |
| )" | |
| fi | |
| if [ -z "$ver" ] || [ "$ver" = "null" ]; then | |
| echo "Failed to determine upstream version" >&2 | |
| exit 1 | |
| fi | |
| echo "version=$ver" >> "$GITHUB_OUTPUT" | |
| echo "Upstream version: $ver" | |
| - name: Check if Docker Hub tag already exists | |
| id: hub_tag | |
| env: | |
| VERSION: ${{ steps.get_version.outputs.version }} | |
| run: | | |
| set -euo pipefail | |
| # публичный endpoint Docker Hub для проверки тега | |
| url="https://hub.docker.com/v2/repositories/${IMAGE_NAME}/tags/${VERSION}/" | |
| code="$(curl -fsSL -o /dev/null -w "%{http_code}" "$url" || true)" | |
| if [ "$code" = "200" ]; then | |
| echo "exists=true" >> "$GITHUB_OUTPUT" | |
| echo "Docker Hub tag exists: ${IMAGE_NAME}:${VERSION}" | |
| else | |
| echo "exists=false" >> "$GITHUB_OUTPUT" | |
| echo "Docker Hub tag does NOT exist (HTTP $code): ${IMAGE_NAME}:${VERSION}" | |
| fi | |
| - name: Decide whether to build | |
| id: decide | |
| env: | |
| FORCE: ${{ inputs.force }} | |
| EXISTS: ${{ steps.hub_tag.outputs.exists }} | |
| run: | | |
| set -euo pipefail | |
| if [ "${FORCE:-false}" = "true" ]; then | |
| echo "should_build=true" >> "$GITHUB_OUTPUT" | |
| echo "Force enabled -> will build" | |
| exit 0 | |
| fi | |
| if [ "${EXISTS}" = "true" ]; then | |
| echo "should_build=false" >> "$GITHUB_OUTPUT" | |
| echo "Already built -> skip" | |
| else | |
| echo "should_build=true" >> "$GITHUB_OUTPUT" | |
| echo "New upstream version -> build" | |
| fi | |
| build: | |
| name: Build & Push multi-arch image | |
| runs-on: ubuntu-latest | |
| needs: check | |
| if: needs.check.outputs.should_build == 'true' | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU (for cross-arch emulation) | |
| uses: docker/setup-qemu-action@v3 | |
| with: | |
| platforms: all | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| driver: docker-container | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Docker metadata (tags/labels) | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=raw,value=latest | |
| type=raw,value=${{ needs.check.outputs.version }} | |
| labels: | | |
| org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} | |
| org.opencontainers.image.version=${{ needs.check.outputs.version }} | |
| - name: Build & push (multi-arch) | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: true | |
| platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6,linux/386 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| sbom: true | |
| provenance: true | |
| - name: Inspect pushed manifest | |
| run: | | |
| set -euo pipefail | |
| docker buildx imagetools inspect "${IMAGE_NAME}:${{ needs.check.outputs.version }}" |