docker.yaml
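# Builds the relay image for amd64/arm64, pushes it to Docker Hub, and
# publishes a build-provenance attestation for the pushed digest.
# Runs only when started manually (workflow_dispatch).
name: DockerHub

on:
  workflow_dispatch:
  # push:
  #   branches:
  #     - main
  #   paths:
  #     - apps/relay/package.json
  #     - .github/workflows/docker.yaml

env:
  REGISTRY: docker.io
  IMAGE_NAME: evoluhq/relay

jobs:
  push_to_registry:
    name: Push Docker image to Docker Hub
    runs-on: ubuntu-latest
    permissions:
      # NOTE(review): packages: write covers GitHub Packages; the image goes to
      # Docker Hub with DOCKER_USERNAME/DOCKER_PASSWORD, so this scope looks
      # unnecessary. Confirm and drop it.
      packages: write
      contents: read
      # Both are used by actions/attest-build-provenance (OIDC token for
      # signing, permission to store the attestation).
      attestations: write
      id-token: write
    steps:
      - name: Check out the repo
        # NOTE(review): the only action in this workflow referenced by a
        # mutable tag; pin it to a full commit SHA like the steps below.
        uses: actions/checkout@v4
        with:
          # No later step runs git, and the Docker build context is the
          # repository root, so keep the token out of .git/config.
          persist-credentials: false

      - name: Check if version already published
        id: version
        shell: bash
        run: |
          set -euo pipefail
          # -e makes jq exit non-zero when .version is missing or null, so the
          # step fails instead of probing a tag literally named "null".
          version=$(jq -er '.version' apps/relay/package.json)
          # The value is written to $GITHUB_OUTPUT and becomes an image tag;
          # accept only a conservative character set (no whitespace, newlines
          # or shell metacharacters).
          pattern='^[0-9A-Za-z][0-9A-Za-z._+-]*$'
          if [[ ! "$version" =~ $pattern ]]; then
            echo "Unexpected version string in apps/relay/package.json" >&2
            exit 1
          fi
          # Check if this version already exists in Docker Hub.
          # Caveat: every failure of the inspect call (not only "tag absent")
          # takes the else branch, so a registry error leads to a rebuild and
          # a re-push of an existing tag.
          if docker manifest inspect "${REGISTRY}/${IMAGE_NAME}:${version}" >/dev/null 2>&1; then
            echo "Version $version already published"
            changed="false"
          else
            echo "Version $version not yet published"
            changed="true"
          fi
          echo "new=$version" >> "$GITHUB_OUTPUT"
          echo "changed=$changed" >> "$GITHUB_OUTPUT"

      - name: Set up QEMU
        if: ${{ steps.version.outputs.changed == 'true' }}
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Set up Docker Buildx
        if: ${{ steps.version.outputs.changed == 'true' }}
        uses: docker/setup-buildx-action@988b5a0280414f521da3d829df8432753fbd92d2 # v3.6.1

      # Steps that touch registry credentials are gated on the upstream
      # repository name so forks never attempt a login or push.
      - name: Log in to Docker Hub
        if: ${{ github.repository == 'evoluhq/evolu' && steps.version.outputs.changed == 'true' }}
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Extract metadata (tags, labels) for Docker
        if: ${{ steps.version.outputs.changed == 'true' }}
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # NOTE(review): latest=true applies the latest tag on every publish,
          # prerelease versions included; confirm that is intended.
          flavor: |
            latest=true
          tags: |
            # Always push the full (possibly prerelease) version tag
            type=semver,pattern={{version}},value=${{ steps.version.outputs.new }}
            # Only push major.minor for stable (no hyphen)
            type=semver,pattern={{major}}.{{minor}},value=${{ steps.version.outputs.new }},enable=${{ !contains(steps.version.outputs.new, '-') }}

      - name: Build and push Docker image
        if: ${{ github.repository == 'evoluhq/evolu' && steps.version.outputs.changed == 'true' }}
        id: push
        uses: docker/build-push-action@32945a339266b759abcbdc89316bb68de327d74b # v6.7.0
        with:
          platforms: linux/amd64,linux/arm64
          context: .
          file: ./apps/relay/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: |
            type=gha,scope=relay/${{ github.ref_name }}
          cache-to: |
            type=gha,scope=relay/${{ github.ref_name }},mode=min
          provenance: true
          sbom: true

      - name: Generate artifact attestation
        if: ${{ github.repository == 'evoluhq/evolu' && steps.version.outputs.changed == 'true' }}
        uses: actions/attest-build-provenance@897ed5eab10ec6095258600c7e5e2195f007b46d # v1.4.1
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true

      - name: Publish summary (tags and digest)
        if: ${{ github.repository == 'evoluhq/evolu' && steps.version.outputs.changed == 'true' }}
        shell: bash
        # Step outputs reach the script as environment variables rather than
        # being expanded into the script text, so their content is never
        # parsed as shell.
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.push.outputs.digest }}
        run: |
          {
            echo '### Docker Image'
            echo ''
            echo '**Tags:**'
            printf '%s\n' "$TAGS" | sed 's/^/- /'
            echo ''
            echo '**Digest:**'
            # Plain backticks so the digest renders as inline code; the
            # earlier form emitted backslash-escaped backticks.
            printf '`%s`\n' "$DIGEST"
            echo ''
            echo '#### Deploy by digest'
            echo ''
            echo '```bash'
            echo "docker pull ${REGISTRY}/${IMAGE_NAME}@${DIGEST}"
            echo "docker run --rm -p 4000:4000 ${REGISTRY}/${IMAGE_NAME}@${DIGEST}"
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Skip build (fork repository)
        if: ${{ steps.version.outputs.changed == 'true' && github.repository != 'evoluhq/evolu' }}
        run: echo "Version changed but repository is a fork; skipping Docker login/push/attestation"

      - name: Skip build (version unchanged)
        if: ${{ steps.version.outputs.changed != 'true' }}
        run: echo "apps/relay/package.json version unchanged; skipping Docker build"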