Merge pull request #40 from StrandedTurtle/audit-hardening #35
| name: Publish image | |
| on: | |
| push: | |
| branches: [main] | |
| tags: ["v*"] | |
| # Only one publish run per ref at a time; a newer push cancels an in-flight | |
| # build for the same ref instead of letting it hang/queue behind it. | |
| concurrency: | |
| group: publish-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| # Gate the image publish on the same tests CI runs, so a red test never | |
| # ships an image. | |
| verify: | |
| name: Tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v7 | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version: "22" | |
| - name: Server tests | |
| working-directory: server | |
| run: npm ci && npm test | |
| - name: Client build | |
| working-directory: client | |
| run: npm ci && npm run build | |
| publish: | |
| name: Build and push to GHCR | |
| needs: verify | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - uses: actions/checkout@v7 | |
| # GHCR image names must be lowercase; the owner may not be. | |
| - name: Compute lowercase image name | |
| id: img | |
| run: echo "name=ghcr.io/${GITHUB_REPOSITORY,,}" >> "$GITHUB_OUTPUT" | |
| - name: Docker metadata (tags/labels) | |
| id: meta | |
| uses: docker/metadata-action@v6 | |
| with: | |
| images: ${{ steps.img.outputs.name }} | |
| flavor: latest=false | |
| # Use explicit ref checks rather than {{is_default_branch}} — the | |
| # repo's default branch isn't necessarily `main`, which would leave | |
| # a push to main with zero tags (and buildx refuses to push then). | |
| tags: | | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} | |
| # Pin a recent QEMU build. The default binfmt image lagged the toolchain | |
| # in node:22-alpine (gcc 15 / musl 1.2.6), and emulating those newer | |
| # arm64 binaries crashed with "uncaught target signal 4 (Illegal | |
| # instruction)", which core-dumped and left the build hung. A current | |
| # QEMU emulates the new userspace correctly. | |
| - uses: docker/setup-qemu-action@v4 | |
| with: | |
| image: tonistiigi/binfmt:qemu-v10.2.3 | |
| - uses: docker/setup-buildx-action@v4 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v4 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v7 | |
| with: | |
| context: . | |
| file: server/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| # On a version tag, create a GitHub Release with auto-generated notes. These | |
| # also feed DockPull's own "What's changed" changelog panel. | |
| release: | |
| name: Create GitHub Release | |
| needs: publish | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@v7 | |
| with: | |
| fetch-depth: 0 | |
| - name: Create release | |
| uses: softprops/action-gh-release@v3 | |
| with: | |
| generate_release_notes: true |
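Review bot: Every `uses:` in this workflow is pinned to a mutable major tag (`actions/checkout@v7`, `docker/build-push-action@v7`, `softprops/action-gh-release@v3`, …), while the `publish` and `release` jobs hold `packages: write` and `contents: write`, so a retagged or compromised action release could push an arbitrary image or GitHub Release under this repository's name. For a change titled "audit-hardening" the cheap fix is to pin each action to its full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<40-char-commit-sha> # v7`, and likewise to pin the QEMU binfmt image by digest rather than by the `qemu-v10.2.3` tag. The `verify` job also carries no `permissions:` block, so it inherits the repository's default `GITHUB_TOKEN` scope while running `npm ci`/`npm test`; adding `permissions: { contents: read }` to that job (or a top-level `permissions: contents: read` that `publish`/`release` override) keeps it least-privilege. If consumers are expected to verify the image, `build-push-action` can additionally emit `provenance: true` and `sbom: true`, but that is a follow-up rather than a blocker.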