# Workflow header: triggers and shared environment for the image publish job.
name: Publish Docker Image

on:
  push:
    # Only tags matching this glob start a release build.
    tags:
      - "v*.*.*"
  workflow_dispatch:
    inputs:
      # Free-form, operator-supplied value; it is later used as an image tag.
      custom_tag:
        description: "Custom tag (leave empty for preview-YYYYMMDD-HHMMSS)"
        required: false
        type: string

env:
  # GHCR host plus the primary and legacy image names published there.
  REGISTRY: ghcr.io
  IMAGE_NAME_PRIMARY: ibuhub/aistudio-to-api
  IMAGE_NAME_LEGACY: ibenzene/aistudio-to-api
  # Docker Hub repositories (primary and legacy).
  DOCKERHUB_REPO: ibuhub/aistudio-to-api
  DOCKERHUB_REPO_LEGACY: ibenzene/aistudio-to-api
  # Ref name of the triggering event; passed to the build as VERSION when no
  # manual tag was generated.
  VERSION: ${{ github.ref_name }}
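jobs:
  # Builds the multi-arch image, pushes it to GHCR and Docker Hub (primary and
  # legacy names), and signs every pushed tag with cosign.
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Needed to push to GHCR with GITHUB_TOKEN.
      packages: write
      # Lets the job request an OIDC token; used by the cosign signing steps.
      id-token: write
    steps:
      # NOTE(review): every other action here is pinned to a full commit SHA;
      # pin this one the same way so a moved tag cannot change what runs in a
      # job that holds registry credentials.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # No later step runs git, so keep the token out of .git/config; the
          # whole checkout (context: .) is handed to the image build.
          persist-credentials: false

      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
        with:
          cosign-release: "v2.2.4"

      # The dispatch input is passed through an environment variable instead of
      # being expanded into the script text, so its content is never parsed as
      # shell. It is also checked against the image-tag grammar because the
      # value is later spliced into the metadata-action tag rule and into
      # build-args, where separators such as commas or newlines would change
      # the meaning of those inputs.
      - name: Generate tag for manual build
        if: github.event_name == 'workflow_dispatch'
        id: generate_tag
        env:
          CUSTOM_TAG: ${{ github.event.inputs.custom_tag }}
        run: |
          tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
          if [ -n "$CUSTOM_TAG" ]; then
            if ! [[ "$CUSTOM_TAG" =~ $tag_re ]]; then
              echo "custom_tag is not a valid image tag" >&2
              exit 1
            fi
            echo "tag=$CUSTOM_TAG" >> "$GITHUB_OUTPUT"
          else
            TAG="preview-$(date -u +'%Y%m%d-%H%M%S')"
            echo "tag=$TAG" >> "$GITHUB_OUTPUT"
          fi
        shell: bash

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      - name: Log into registry (primary)
        if: github.event_name != 'pull_request'
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # NOTE(review): this logs into the same registry host as the step above,
      # so the stored credential for that host is replaced. Confirm the legacy
      # token is meant to cover both GHCR image names and is scoped to package
      # writes only.
      - name: Log into registry (legacy - ibenzene)
        if: github.event_name != 'pull_request'
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ibenzene
          password: ${{ secrets.LEGACY_REGISTRY_TOKEN }}

      - name: Log into Docker Hub (ibuhub)
        if: github.event_name != 'pull_request'
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          username: ibuhub
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Tag rules: the git tag on tag pushes, the generated tag on manual runs.
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
        with:
          images: |
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_PRIMARY }}
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_LEGACY }}
            ${{ env.DOCKERHUB_REPO }}
          tags: |
            type=ref,event=tag
            type=raw,value=${{ steps.generate_tag.outputs.tag }},enable=${{ github.event_name == 'workflow_dispatch' }}

      - name: Build and push Primary (GHCR & ibuhub)
        id: build-and-push
        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64,linux/arm64
          build-args: VERSION=${{ steps.generate_tag.outputs.tag || env.VERSION }}
          # NOTE(review): build provenance attestations are switched off, so
          # the cosign signature is the only supply-chain evidence attached to
          # the image; confirm this is deliberate.
          provenance: false

      # Values reach the shell through env, not by expansion into the script.
      # Each tag is signed by digest so the signature binds to the pushed
      # content rather than to a movable tag.
      - name: Sign Primary Images
        if: ${{ github.event_name != 'pull_request' }}
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: echo "$TAGS" | xargs -r -n 1 -I {} cosign sign --yes {}@${DIGEST}

      # Replaces the Docker Hub credential stored by the ibuhub login above.
      - name: Log into Docker Hub (ibenzene)
        if: github.event_name != 'pull_request'
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          username: ibenzene
          password: ${{ secrets.DOCKERHUB_TOKEN_LEGACY }}

      - name: Extract Docker metadata (Legacy Hub)
        id: meta-legacy
        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
        with:
          images: |
            ${{ env.DOCKERHUB_REPO_LEGACY }}
          tags: |
            type=ref,event=tag
            type=raw,value=${{ steps.generate_tag.outputs.tag }},enable=${{ github.event_name == 'workflow_dispatch' }}

      # Given its own id so the signing step can read the digest of what this
      # step actually pushed.
      - name: Push Legacy to Docker Hub
        id: build-and-push-legacy
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        with:
          context: .
          push: true
          tags: ${{ steps.meta-legacy.outputs.tags }}
          labels: ${{ steps.meta-legacy.outputs.labels }}
          cache-from: type=gha
          platforms: linux/amd64,linux/arm64
          build-args: VERSION=${{ steps.generate_tag.outputs.tag || env.VERSION }}
          provenance: false

      # The legacy push is a separate build with its own labels, so its digest
      # is not guaranteed to equal the primary one. Signing must use the
      # legacy step's digest; otherwise the signature targets a reference that
      # may not exist in the legacy repository.
      - name: Sign Legacy Images
        if: ${{ github.event_name != 'pull_request' }}
        env:
          TAGS: ${{ steps.meta-legacy.outputs.tags }}
          DIGEST: ${{ steps.build-and-push-legacy.outputs.digest }}
        run: echo "$TAGS" | xargs -r -n 1 -I {} cosign sign --yes {}@${DIGEST}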