From 5ee2cdc5c26439e92dda1ec8e4c83d0cbd1ed289 Mon Sep 17 00:00:00 2001 From: Xinwei Xiong <3293172751NSS@gmail.com> Date: Fri, 1 Nov 2024 15:50:18 +0800 Subject: [PATCH] fix: actions --- .github/workflows/docker-build.yml | 260 +++++++++++++++++++---------- 1 file changed, 169 insertions(+), 91 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index b7d2a6a..321f2e4 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -1,101 +1,179 @@ name: Docker Build and Push +# 环境变量集中管理 +env: + DOCKER_REGISTRY: docker.io + ALIYUN_REGISTRY: registry.cn-hangzhou.aliyuncs.com + GITHUB_REGISTRY: ghcr.io + IMAGE_NAME: telepace/voiceflow + PLATFORMS: linux/amd64,linux/arm64 + # 配置构建缓存的位置 + CACHE_PATH: /tmp/.buildx-cache + # 配置 Trivy 扫描设置 + TRIVY_NO_PROGRESS: true + TRIVY_EXIT_CODE: '0' + on: + # 优化定时任务执行时间,避开高峰期 schedule: - - cron: '30 2 * * *' + - cron: '30 2 * * *' # UTC 时间每天 2:30 运行 push: branches: - main - - release-* + - 'release/**' # 使用更严格的分支匹配模式 tags: - - 'v*.*.*' # 例如 v1.0.0, v2.1.3 - - 'v*.*.*-*' # 例如 v1.0.0-beta.1 - workflow_dispatch: + - 'v[0-9]+.[0-9]+.[0-9]+' # 严格的版本号匹配 + - 'v[0-9]+.[0-9]+.[0-9]+-*' # 预发布版本 + paths-ignore: # 忽略不需要触发构建的文件改动 + - '**.md' + - 'docs/**' + - '.gitignore' + workflow_dispatch: # 支持手动触发 + inputs: + debug_enabled: + description: '启用调试模式' + required: false + default: false + type: boolean jobs: - steps: - # 1. 检出代码 - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 # 确保获取所有标签 - - # 2. 设置 Docker Buildx - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3.7.1 - - - name: Cache Docker layers - uses: actions/cache@v4 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- - - # 3. 登录 Docker Hub - - name: Log in to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - # 4. 登录阿里云容器注册表 - - name: Log in to AliYun Docker Hub - uses: docker/login-action@v3 - with: - registry: registry.cn-hangzhou.aliyuncs.com - username: ${{ secrets.ALIREGISTRY_USERNAME }} - password: ${{ secrets.ALIREGISTRY_TOKEN }} - - # 5. 登录 GitHub Container Registry - - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - # 6. 获取 Docker Metadata - - name: Get Docker metadata - id: metadata - uses: docker/metadata-action@v5.5.1 - with: - images: | - docker.io/telepace/voiceflow - registry.cn-hangzhou.aliyuncs.com/telepace/voiceflow - ghcr.io/telepace/voiceflow - tags: | - type=ref,event=tag - type=schedule - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{version}} - type=semver,pattern=v{{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=sha - - # 7. 构建并推送 Docker 镜像 - - name: Build and push Docker image for voiceflow - uses: docker/build-push-action@v5 - with: - context: . - file: ./build/images/voiceflow/Dockerfile - platforms: linux/amd64,linux/arm64 - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta1.outputs.tags }} - labels: ${{ steps.meta1.outputs.labels }} - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache - - # 8. 可选:安全扫描(例如 Trivy) - - name: Scan Docker image for vulnerabilities - uses: aquasecurity/trivy-action@0.28.0 - with: - image-ref: telepace/voiceflow:${{ steps.metadata.outputs.version }} - format: 'table' - exit-code: '0' - - # 9. 清理未使用的 Docker 镜像 - - name: Clean up Docker - run: docker system prune -f \ No newline at end of file + build: + runs-on: ubuntu-latest + + # 添加并发控制,避免重复构建 + concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + # 超时设置 + timeout-minutes: 60 + + steps: + # 1. 检出代码 + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 # 完整克隆以获取所有标签 + + # 2. 设置 QEMU 以支持多架构构建 + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + # 3. 设置 Docker Buildx + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3.7.1 + with: + platforms: ${{ env.PLATFORMS }} + + # 4. 缓存管理优化 + - name: Cache Docker layers + uses: actions/cache@v4 + with: + path: ${{ env.CACHE_PATH }} + key: ${{ runner.os }}-buildx-${{ github.sha }} + restore-keys: | + ${{ runner.os }}-buildx- + + # 5. 登录到各个容器仓库 + - name: Login to Container Registries + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ${{ matrix.registry.url }} + username: ${{ matrix.registry.username }} + password: ${{ matrix.registry.password }} + strategy: + matrix: + registry: + - url: ${{ env.DOCKER_REGISTRY }} + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + - url: ${{ env.ALIYUN_REGISTRY }} + username: ${{ secrets.ALIREGISTRY_USERNAME }} + password: ${{ secrets.ALIREGISTRY_TOKEN }} + - url: ${{ env.GITHUB_REGISTRY }} + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + # 6. 获取版本信息 + - name: Get Version Info + id: version + run: | + echo "VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT + echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT + echo "GIT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + + # 7. 配置 Docker Metadata + - name: Docker Metadata + id: metadata + uses: docker/metadata-action@v5.5.1 + with: + images: | + ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }} + ${{ env.ALIYUN_REGISTRY }}/${{ env.IMAGE_NAME }} + ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=schedule,pattern={{date 'YYYYMMDD'}} + type=ref,event=branch + type=ref,event=tag + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=sha,prefix=sha-,format=short + labels: | + org.opencontainers.image.title=${{ env.IMAGE_NAME }} + org.opencontainers.image.description=Voiceflow Docker Image + org.opencontainers.image.created=${{ steps.version.outputs.BUILD_DATE }} + org.opencontainers.image.revision=${{ steps.version.outputs.GIT_SHA }} + org.opencontainers.image.version=${{ steps.version.outputs.VERSION }} + + # 8. 构建和推送 + - name: Build and Push + uses: docker/build-push-action@v5 + with: + context: . + file: ./build/images/voiceflow/Dockerfile + platforms: ${{ env.PLATFORMS }} + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.metadata.outputs.tags }} + labels: ${{ steps.metadata.outputs.labels }} + cache-from: type=local,src=${{ env.CACHE_PATH }} + cache-to: type=local,dest=${{ env.CACHE_PATH }}-new,mode=max + build-args: | + VERSION=${{ steps.version.outputs.VERSION }} + BUILD_DATE=${{ steps.version.outputs.BUILD_DATE }} + GIT_SHA=${{ steps.version.outputs.GIT_SHA }} + + # 9. 安全扫描 + - name: Security Scan + uses: aquasecurity/trivy-action@master + if: github.event_name != 'pull_request' + with: + image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }} + format: 'table' + exit-code: ${{ env.TRIVY_EXIT_CODE }} + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + # 10. 更新缓存 + - name: Move cache + run: | + rm -rf ${{ env.CACHE_PATH }} + mv ${{ env.CACHE_PATH }}-new ${{ env.CACHE_PATH }} + + # 11. 清理 + - name: Cleanup + if: always() + run: | + docker system prune -af + docker builder prune -af + + # 12. 通知 + - name: Notification + if: always() + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + SLACK_COLOR: ${{ job.status == 'success' && 'good' || 'danger' }} + SLACK_MESSAGE: 'Docker build ${{ job.status }} for ${{ steps.version.outputs.VERSION }}' + SLACK_TITLE: Docker Build Status \ No newline at end of file