Update dependency PowerDNS/pdns to v5.0.2 #40
---
# Builds a multi-arch Docker image and publishes it to GHCR.
# One build job runs per runner architecture (amd64 and arm64) in parallel;
# a second job then merges the per-platform images into one manifest.
name: Build and Push Docker Image

on:
  push:
    branches:
      - main
    tags:
      # Glob for dotted version tags such as v1.0.0 or v1.2.3.
      - '*.*.*'
    # Documentation, workflow and Renovate-config edits do not start a build;
    # use workflow_dispatch to rebuild after changing this file.
    paths-ignore:
      - README.md
      - .github/workflows/**
      - renovate.json
  pull_request:
    branches:
      - main
    paths-ignore:
      - README.md
      - .github/workflows/**
      - renovate.json
  # Allows manual triggering.
  workflow_dispatch: {}
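jobs:
  # NOTE(review): every `uses:` below references a mutable major-version tag
  # (@v3, @v5, @v6). Both jobs hold `packages: write`, so pinning each action
  # to a full commit SHA would stop a moved tag from changing what runs here.
  build:
    name: Build OCI Image
    # The build/merge pattern only works by pushing each image by digest.
    # To avoid pushing from pull requests, both jobs are skipped for that
    # event; images are published for pushes and manual runs only.
    if: github.event_name != 'pull_request'
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
      packages: write  # Needed to push by digest
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            arch: amd64
            platform: linux/amd64
            qemu_platforms: linux/386
          - os: ubuntu-24.04-arm
            arch: arm64
            platform: linux/arm64
            qemu_platforms: linux/arm/v7
    steps:
      - name: Set lowercase repository name
        # Registry names must be lowercase; bash's ${VAR,,} expansion does the
        # conversion. The repository name reaches the script through env
        # rather than being written into the script text.
        env:
          REPO: '${{ github.repository }}'
        run: |
          echo "LOWERCASE_REPO=${REPO,,}" >> "$GITHUB_ENV"

      - name: Prepare
        env:
          # Passed through env so the expression is never spliced into the
          # shell script before it runs.
          PLATFORM: ${{ matrix.platform }}
        run: |
          # Creates an env var like 'linux-amd64' for cache and artifact naming
          echo "PLATFORM_PAIR=${PLATFORM//\//-}" >> "$GITHUB_ENV"

      - name: Check out repository
        uses: actions/checkout@v5
        with:
          # The checkout is the Docker build context ('.'), and no later step
          # runs git, so the token is kept out of .git/config.
          persist-credentials: false

      - name: Set up QEMU (if needed)
        # Runs only for matrix entries that set 'qemu_platforms'.
        if: matrix.qemu_platforms != ''
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push by digest
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          # The runner's own platform plus the extra QEMU platform, if any.
          platforms: ${{ matrix.platform }}${{ matrix.qemu_platforms != '' && format(',{0}', matrix.qemu_platforms) || '' }}
          # Pushes the image by its content digest (sha256:...), untagged.
          # LOWERCASE_REPO was lowercased in the first step.
          outputs: type=image,"name=ghcr.io/${{ env.LOWERCASE_REPO }}",push-by-digest=true,name-canonical=true,push=true
          # Cache is scoped by platform
          cache-from: type=gha,scope=build-${{ env.PLATFORM_PAIR }}
          cache-to: type=gha,scope=build-${{ env.PLATFORM_PAIR }},mode=max

      - name: Export digest
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          mkdir -p /tmp/digests
          # An empty file named after the digest (without the 'sha256:'
          # prefix) carries the value to the merge job.
          touch "/tmp/digests/${DIGEST#sha256:}"

      - name: Upload digest
        uses: actions/upload-artifact@v5
        with:
          name: digests-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

  merge:
    name: Merge & Push Manifest
    # Runs only after every 'build' matrix job succeeds, and never on PRs.
    needs: build
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write  # Needed to push the final manifest
    steps:
      - name: Set lowercase repository name
        # Same lowercasing as in the build job; env values do not carry over
        # between jobs.
        env:
          REPO: '${{ github.repository }}'
        run: |
          echo "LOWERCASE_REPO=${REPO,,}" >> "$GITHUB_ENV"

      - name: Download digests
        uses: actions/download-artifact@v6
        with:
          path: /tmp/digests
          pattern: digests-*
          merge-multiple: true  # Combines all artifacts into one directory

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Docker metadata
        # Computes the tags that are applied to the final manifest.
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ env.LOWERCASE_REPO }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Create and push manifest list
        working-directory: /tmp/digests
        env:
          # Pass the JSON output of the metadata step to jq
          DOCKER_METADATA_OUTPUT_JSON: ${{ steps.meta.outputs.json }}
        run: |
          # 1. 'jq' reads the metadata JSON and emits a '-t' flag for each tag.
          # 2. 'printf' expands every downloaded digest file name into an
          #    image@sha256:... reference, one per build job.
          # 3. 'docker buildx imagetools create' combines them into one manifest.
          # Both substitutions are left unquoted on purpose so that each flag
          # and reference becomes its own argument. LOWERCASE_REPO is read
          # from the environment instead of being templated into the script.
          docker buildx imagetools create \
            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf "ghcr.io/${LOWERCASE_REPO}@sha256:%s " *)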