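# Builds the linux/amd64 image, pushes it to Docker Hub (never on PRs) and
# scans the pushed digest with Trivy. Third-party actions are pinned to tags;
# pinning to full commit SHAs is stronger against a tag being re-pointed.
name: 🐳 Build and Push Docker Image (AMD64)

on:
  # Manual trigger
  workflow_dispatch:
    inputs:
      version:
        description: '版本号 (例如: v1.0.5)'
        required: true
        default: 'v1.0.5'
        type: string
      push_to_hub:
        description: '推送到 Docker Hub'
        required: true
        default: true
        type: boolean
  # Trigger on tag push
  push:
    tags:
      - 'v*.*.*'
  # Build-test on PR (no push)
  pull_request:
    branches: [main]

env:
  REGISTRY: docker.io
  IMAGE_NAME: matrixseven/file-transfer-go

jobs:
  build:
    name: 🏗️ Build & Push Docker Image
    runs-on: ubuntu-latest
    # Least privilege: the image goes to docker.io via the DOCKER_HUB_* secrets,
    # so GITHUB_TOKEN does not need packages:write here.
    permissions:
      contents: read
    outputs:
      # Consumed by security-scan so it scans exactly the image this run built.
      digest: ${{ steps.build.outputs.digest }}

    steps:
      - name: 📥 Checkout code
        uses: actions/checkout@v4

      - name: 🏷️ Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=raw,value=latest,enable={{is_default_branch}}
            type=raw,value=${{ inputs.version }},enable=${{ github.event_name == 'workflow_dispatch' }}

      - name: 🔧 Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          # NOTE(review): host networking and the network.host entitlement widen
          # the build sandbox; drop both unless the Dockerfile actually needs them.
          driver-opts: |
            network=host
          buildkitd-flags: |
            --allow-insecure-entitlement=network.host

      - name: 🔑 Login to Docker Hub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}

      - name: 🏗️ Set build platform
        id: platforms
        run: |
          echo "platforms=linux/amd64" >> "$GITHUB_OUTPUT"

      - name: 🐳 Build and push Docker image
        # id is required: later steps and the job output read steps.build.outputs.digest.
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          platforms: ${{ steps.platforms.outputs.platforms }}
          # Push on tag pushes and on manual runs that opt in; never on PRs.
          push: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.push_to_hub == true) }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            BUILDKIT_INLINE_CACHE=1
          # NOTE(review): provenance and SBOM attestations are disabled; enabling
          # them gives consumers a verifiable supply-chain record, at the cost of
          # an attestation manifest that some tooling does not expect.
          provenance: false
          sbom: false

      - name: 📊 Image digest
        if: github.event_name != 'pull_request'
        # Pass values through env instead of interpolating them into the script body.
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: echo "$DIGEST"

      - name: 🎉 Build Summary
        if: always()
        # Everything that reaches the shell goes through env; inputs.version is
        # user-supplied and must not be spliced into the script text.
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          PLATFORMS: ${{ steps.platforms.outputs.platforms }}
          VERSION: ${{ inputs.version || 'latest' }}
        run: |
          {
            echo "## 🐳 Docker Build Summary"
            echo ""
            echo "### 📦 Image Details"
            echo "- **Registry**: ${REGISTRY}"
            echo "- **Image**: ${IMAGE_NAME}"
            echo "- **Tags**: ${TAGS}"
            echo "- **Platforms**: ${PLATFORMS}"
            echo ""
            echo "### 🚀 Usage"
            echo '```bash'
            echo "docker run -d -p 8080:8080 ${REGISTRY}/${IMAGE_NAME}:${VERSION}"
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"

  security-scan:
    name: 🔍 Security Scan
    runs-on: ubuntu-latest
    needs: build
    # Only meaningful when an image was actually pushed (mirrors the build
    # step's push condition). The scan runs after the push, so a vulnerable
    # image is already public by the time this job fails; gate the push on the
    # scan result if that matters for this project.
    if: github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.push_to_hub == true)
    permissions:
      contents: read
      # Required by upload-sarif to write to the code-scanning dashboard.
      security-events: write

    steps:
      - name: 📥 Checkout code
        uses: actions/checkout@v4

      - name: 🔍 Run Trivy vulnerability scanner
        # Pinned to a release instead of the floating master branch.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          # Scan the digest this run built. ':latest' is only tagged on the
          # default branch, so on tag pushes it would be a different, possibly
          # stale image.
          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: 📤 Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'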