ci: Publish multi-arch manifest. (fixes #74)

ci: Toggle package install checks via vars. docker: Disable provenance attestations which auto-generate manifests. Signed-off-by: Jason Volk <jason@zemos.net>
2025-06-20 10:52:35 +00:00
parent aa1609d611
commit 31a3676cd8
5 changed files with 201 additions and 26 deletions
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -75,11 +75,10 @@ jobs:
    name: Containers
    runs-on: ${{matrix.machine}}
    permissions: write-all
-    continue-on-error: false
    strategy:
      fail-fast: true
      matrix:
-        bake_target: ${{fromJSON('["github", "dockerhub"]')}}
+        bake_target: ${{fromJSON('["docker_io", "ghcr_io"]')}}
        cargo_profile: ${{fromJSON(inputs.cargo_profiles)}}
        rust_toolchain: ${{fromJSON(inputs.rust_toolchains)}}
        feat_set: ${{fromJSON(inputs.feat_sets)}}
@@ -92,6 +91,10 @@ jobs:
        include: ${{fromJSON(inputs.includes)}}

    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
      - name: GitHub Login
        uses: docker/login-action@v3
        with:
@@ -120,8 +123,157 @@ jobs:
          acct: ${{github.actor}}
          repo: ${{github.repository}}
          docker_repo: ${{inputs.docker_repo}}
-          docker_tag_preview: ${{ matrix.cargo_profile == 'release' && matrix.feat_set == 'all' && matrix.sys_target == 'x86_64-linux-gnu' && contains(github.ref, 'refs/tags/v') }}
-          docker_tag_latest: ${{ matrix.cargo_profile == 'release' && matrix.feat_set == 'all' && matrix.sys_target == 'x86_64-linux-gnu' && contains(github.ref, 'refs/tags/v') && !contains(github.ref, '-rc') }}

        run: |
          docker/bake.sh "${{matrix.bake_target}}"
+
+  bundles:
+    if: >
+      !failure() && !cancelled()
+      && inputs.machines
+      && inputs.docker_repo != ''
+      && contains(fromJSON(inputs.cargo_profiles), fromJSON('["release"]')[0])
+      && contains(fromJSON(inputs.feat_sets), fromJSON('["all"]')[0])
+      && contains(fromJSON(inputs.rust_toolchains), fromJSON('["stable"]')[0])
+      && contains(github.ref, 'refs/tags/v')
+      && !contains(github.ref, '-draft')
+
+    name: Bundles
+    needs: [containers]
+    runs-on: 'het'
+    permissions: write-all
+    strategy:
+      fail-fast: true
+      matrix:
+        bake_target: ${{fromJSON('["docker_io", "ghcr_io"]')}}
+        cargo_profile: ${{fromJSON('["release"]')}}
+        feat_set: ${{fromJSON('["all"]')}}
+        rust_toolchain: ${{fromJSON('["stable"]')}}
+        sys_name: ${{fromJSON(inputs.sys_names)}}
+        sys_version: ${{fromJSON(inputs.sys_versions)}}
+        rust_target: ${{fromJSON(inputs.rust_targets)}}
+        sys_target: ${{fromJSON(inputs.sys_targets)}}
+        machine: ${{fromJSON(inputs.machines)}}
+        exclude: ${{fromJSON(inputs.excludes)}}
+        include: ${{fromJSON(inputs.includes)}}
+
+    steps:
+      - name: GitHub Login
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.ghcr_token }}
+
+      - name: DockerHub Login
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.dockerhub_token }}
+
+      - name: Release Preview
+        if: >
+          !failure() && !cancelled()
+          && !contains(github.ref, '-draft')
+
+        env:
+          acct: ${{github.actor}}
+          ghcr_repo: ${{github.repository}}
+          docker_repo: ${{inputs.docker_repo}}
+          registry: ${{matrix.bake_target}}
+          cargo_profile: ${{matrix.cargo_profile}}
+          feat_set: ${{matrix.feat_set}}
+          sys_target: ${{matrix.sys_target}}
+          ref_name: ${{github.ref_name}}
+
+        run: |
+          registry="$(echo -n $registry | sed s/_/./)"
+          if test "$registry" = "ghcr.io"; then
+            repo="$ghcr_repo"
+          else
+            repo="$docker_repo"
+          fi
+
+          docker manifest create "${registry}/${repo}:preview" \
+            --amend "${registry}/${repo}:${ref_name}-${cargo_profile}-${feat_set}-${sys_target}"
+
+      - name: Release Latest
+        if: >
+          !failure() && !cancelled()
+          && !contains(github.ref, '-draft')
+          && !contains(github.ref, '-rc')
+
+        env:
+          acct: ${{github.actor}}
+          ghcr_repo: ${{github.repository}}
+          docker_repo: ${{inputs.docker_repo}}
+          registry: ${{matrix.bake_target}}
+          cargo_profile: ${{matrix.cargo_profile}}
+          feat_set: ${{matrix.feat_set}}
+          sys_target: ${{matrix.sys_target}}
+          ref_name: ${{github.ref_name}}
+
+        run: |
+          registry="$(echo -n $registry | sed s/_/./)"
+          if test "$registry" = "ghcr.io"; then
+            repo="$ghcr_repo"
+          else
+            repo="$docker_repo"
+          fi
+
+          docker manifest create "${registry}/${repo}:latest" \
+            --amend "${registry}/${repo}:${ref_name}-${cargo_profile}-${feat_set}-${sys_target}"
+
+  delivery:
+    if: >
+      !failure() && !cancelled()
+      && inputs.machines
+      && inputs.docker_repo != ''
+      && contains(github.ref, 'refs/tags/v')
+
+    name: Delivery
+    needs: [bundles, documents]
+    runs-on: 'het'
+    permissions: write-all
+    steps:
+      - name: GitHub Login
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.ghcr_token }}
+
+      - name: DockerHub Login
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.dockerhub_token }}
+
+      - name: Push Preview
+        if: >
+          !failure() && !cancelled()
+          && !contains(github.ref, '-draft')
+
+        env:
+          ghcr_repo: ${{github.repository}}
+          docker_repo: ${{inputs.docker_repo}}
+
+        run: |
+          docker manifest push -p "ghcr.io/${ghcr_repo}:preview"
+          docker manifest push -p "docker.io/${docker_repo}:preview"
+
+      - name: Push Latest
+        if: >
+          !failure() && !cancelled()
+          && !contains(github.ref, '-draft')
+          && !contains(github.ref, '-rc')
+
+        env:
+          ghcr_repo: ${{github.repository}}
+          docker_repo: ${{inputs.docker_repo}}
+
+        run: |
+          docker manifest push -p "ghcr.io/${ghcr_repo}:latest"
+          docker manifest push -p "docker.io/${docker_repo}:latest"