fix: actions #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Build and Push | ||
| # 环境变量集中管理 | ||
| env: | ||
| DOCKER_REGISTRY: docker.io | ||
| ALIYUN_REGISTRY: registry.cn-hangzhou.aliyuncs.com | ||
| GITHUB_REGISTRY: ghcr.io | ||
| IMAGE_NAME: telepace/voiceflow | ||
| PLATFORMS: linux/amd64,linux/arm64 | ||
| # 配置构建缓存的位置 | ||
| CACHE_PATH: /tmp/.buildx-cache | ||
| # 配置 Trivy 扫描设置 | ||
| TRIVY_NO_PROGRESS: true | ||
| TRIVY_EXIT_CODE: '0' | ||
| on: | ||
| # 优化定时任务执行时间,避开高峰期 | ||
| schedule: | ||
| - cron: '30 2 * * *' # UTC 时间每天 2:30 运行 | ||
| push: | ||
| branches: | ||
| - main | ||
| - 'release/**' # 使用更严格的分支匹配模式 | ||
| tags: | ||
| - 'v[0-9]+.[0-9]+.[0-9]+' # 严格的版本号匹配 | ||
| - 'v[0-9]+.[0-9]+.[0-9]+-*' # 预发布版本 | ||
| paths-ignore: # 忽略不需要触发构建的文件改动 | ||
| - '**.md' | ||
| - 'docs/**' | ||
| - '.gitignore' | ||
| workflow_dispatch: # 支持手动触发 | ||
| inputs: | ||
| debug_enabled: | ||
| description: '启用调试模式' | ||
| required: false | ||
| default: false | ||
| type: boolean | ||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| # 添加并发控制,避免重复构建 | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
| # 超时设置 | ||
| timeout-minutes: 60 | ||
| steps: | ||
| # 1. 检出代码 | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 # 完整克隆以获取所有标签 | ||
| # 2. 设置 QEMU 以支持多架构构建 | ||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
| # 3. 设置 Docker Buildx | ||
| - name: Set up Docker Buildx | ||
| uses: docker/[email protected] | ||
| with: | ||
| platforms: ${{ env.PLATFORMS }} | ||
| # 4. 缓存管理优化 | ||
| - name: Cache Docker layers | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: ${{ env.CACHE_PATH }} | ||
| key: ${{ runner.os }}-buildx-${{ github.sha }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-buildx- | ||
| # 5. 登录到各个容器仓库 | ||
| - name: Login to Container Registries | ||
| if: github.event_name != 'pull_request' | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ${{ matrix.registry.url }} | ||
| username: ${{ matrix.registry.username }} | ||
| password: ${{ matrix.registry.password }} | ||
| strategy: | ||
| matrix: | ||
| registry: | ||
| - url: ${{ env.DOCKER_REGISTRY }} | ||
| username: ${{ secrets.DOCKER_USERNAME }} | ||
| password: ${{ secrets.DOCKER_PASSWORD }} | ||
| - url: ${{ env.ALIYUN_REGISTRY }} | ||
| username: ${{ secrets.ALIREGISTRY_USERNAME }} | ||
| password: ${{ secrets.ALIREGISTRY_TOKEN }} | ||
| - url: ${{ env.GITHUB_REGISTRY }} | ||
| username: ${{ github.repository_owner }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| # 6. 获取版本信息 | ||
| - name: Get Version Info | ||
| id: version | ||
| run: | | ||
| echo "VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT | ||
| echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT | ||
| echo "GIT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | ||
| # 7. 配置 Docker Metadata | ||
| - name: Docker Metadata | ||
| id: metadata | ||
| uses: docker/[email protected] | ||
| with: | ||
| images: | | ||
| ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }} | ||
| ${{ env.ALIYUN_REGISTRY }}/${{ env.IMAGE_NAME }} | ||
| ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }} | ||
| tags: | | ||
| type=schedule,pattern={{date 'YYYYMMDD'}} | ||
| type=ref,event=branch | ||
| type=ref,event=tag | ||
| type=semver,pattern={{version}} | ||
| type=semver,pattern={{major}}.{{minor}} | ||
| type=sha,prefix=sha-,format=short | ||
| labels: | | ||
| org.opencontainers.image.title=${{ env.IMAGE_NAME }} | ||
| org.opencontainers.image.description=Voiceflow Docker Image | ||
| org.opencontainers.image.created=${{ steps.version.outputs.BUILD_DATE }} | ||
| org.opencontainers.image.revision=${{ steps.version.outputs.GIT_SHA }} | ||
| org.opencontainers.image.version=${{ steps.version.outputs.VERSION }} | ||
| # 8. 构建和推送 | ||
| - name: Build and Push | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: . | ||
| file: ./build/images/voiceflow/Dockerfile | ||
| platforms: ${{ env.PLATFORMS }} | ||
| push: ${{ github.event_name != 'pull_request' }} | ||
| tags: ${{ steps.metadata.outputs.tags }} | ||
| labels: ${{ steps.metadata.outputs.labels }} | ||
| cache-from: type=local,src=${{ env.CACHE_PATH }} | ||
| cache-to: type=local,dest=${{ env.CACHE_PATH }}-new,mode=max | ||
| build-args: | | ||
| VERSION=${{ steps.version.outputs.VERSION }} | ||
| BUILD_DATE=${{ steps.version.outputs.BUILD_DATE }} | ||
| GIT_SHA=${{ steps.version.outputs.GIT_SHA }} | ||
| # 9. 安全扫描 | ||
| - name: Security Scan | ||
| uses: aquasecurity/trivy-action@master | ||
| if: github.event_name != 'pull_request' | ||
| with: | ||
| image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }} | ||
| format: 'table' | ||
| exit-code: ${{ env.TRIVY_EXIT_CODE }} | ||
| ignore-unfixed: true | ||
| vuln-type: 'os,library' | ||
| severity: 'CRITICAL,HIGH' | ||
| # 10. 更新缓存 | ||
| - name: Move cache | ||
| run: | | ||
| rm -rf ${{ env.CACHE_PATH }} | ||
| mv ${{ env.CACHE_PATH }}-new ${{ env.CACHE_PATH }} | ||
| # 11. 清理 | ||
| - name: Cleanup | ||
| if: always() | ||
| run: | | ||
| docker system prune -af | ||
| docker builder prune -af | ||
| # 12. 通知 | ||
| - name: Notification | ||
| if: always() | ||
| uses: rtCamp/action-slack-notify@v2 | ||
| env: | ||
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | ||
| SLACK_COLOR: ${{ job.status == 'success' && 'good' || 'danger' }} | ||
| SLACK_MESSAGE: 'Docker build ${{ job.status }} for ${{ steps.version.outputs.VERSION }}' | ||
| SLACK_TITLE: Docker Build Status | ||
