name: docker-images on: push: branches: - main - master paths: - backend/** - frontend/** - admin/** - deploy/docker/** - .gitea/workflows/backend-docker.yml workflow_dispatch: permissions: contents: read packages: write jobs: resolve-build-targets: runs-on: ubuntu-latest outputs: matrix: ${{ steps.targets.outputs.matrix }} count: ${{ steps.targets.outputs.count }} frontend_changed: ${{ steps.targets.outputs.frontend_changed }} steps: - name: Checkout uses: actions/checkout@v4 - name: Resolve build targets id: targets shell: bash env: EVENT_NAME: ${{ github.event_name }} BEFORE_SHA: ${{ github.event.before }} CURRENT_SHA: ${{ github.sha }} run: | set -euo pipefail declare -A SELECTED=() BUILD_ALL=0 if [ "${EVENT_NAME}" = "workflow_dispatch" ]; then BUILD_ALL=1 fi BEFORE="${BEFORE_SHA:-}" if [ "${BUILD_ALL}" -ne 1 ] && { [ -z "${BEFORE}" ] || printf '%s' "${BEFORE}" | grep -Eq '^0+$'; }; then if git rev-parse --verify HEAD^ >/dev/null 2>&1; then BEFORE="$(git rev-parse HEAD^)" else BUILD_ALL=1 fi fi CHANGED_FILES="" if [ "${BUILD_ALL}" -ne 1 ]; then CHANGED_FILES="$(git diff --name-only "${BEFORE}" "${CURRENT_SHA}" || true)" fi while IFS= read -r path; do [ -n "${path}" ] || continue case "${path}" in backend/*) SELECTED[backend]=1 ;; frontend/*) SELECTED[frontend]=1 ;; admin/*) SELECTED[admin]=1 ;; deploy/docker/*|.gitea/workflows/backend-docker.yml) BUILD_ALL=1 ;; esac done <<< "${CHANGED_FILES}" if [ "${BUILD_ALL}" -eq 1 ] || [ "${#SELECTED[@]}" -eq 0 ]; then SELECTED[backend]=1 SELECTED[frontend]=1 SELECTED[admin]=1 fi COMPONENTS=() [ -n "${SELECTED[backend]:-}" ] && COMPONENTS+=(backend) [ -n "${SELECTED[frontend]:-}" ] && COMPONENTS+=(frontend) [ -n "${SELECTED[admin]:-}" ] && COMPONENTS+=(admin) COMPONENTS_CSV="$(IFS=,; echo "${COMPONENTS[*]}")" export COMPONENTS_CSV python <<'PY' >> "$GITHUB_OUTPUT" import json import os mapping = { "backend": { "component": "backend", "dockerfile": "backend/Dockerfile", "context": "backend", "default_image_name": "termi-astro-backend", }, "frontend": { "component": "frontend", "dockerfile": "frontend/Dockerfile", "context": "frontend", "default_image_name": "termi-astro-frontend", }, "admin": { "component": "admin", "dockerfile": "admin/Dockerfile", "context": "admin", "default_image_name": "termi-astro-admin", }, } components = [item for item in os.environ.get("COMPONENTS_CSV", "").split(",") if item] matrix = {"include": [mapping[item] for item in components]} print(f"matrix={json.dumps(matrix, separators=(',', ':'))}") print(f"count={len(components)}") print(f"frontend_changed={'true' if 'frontend' in components else 'false'}") PY echo "Selected components: ${COMPONENTS_CSV}" if [ -n "${CHANGED_FILES}" ]; then echo "Changed files:" printf '%s\n' "${CHANGED_FILES}" else echo "Changed files: " fi build-and-push: needs: resolve-build-targets if: needs.resolve-build-targets.outputs.count != '0' runs-on: ubuntu-latest strategy: fail-fast: false max-parallel: 1 matrix: ${{ fromJson(needs.resolve-build-targets.outputs.matrix) }} steps: - name: Checkout uses: actions/checkout@v4 - name: Resolve image metadata id: meta shell: bash env: COMPONENT: ${{ matrix.component }} DEFAULT_IMAGE_NAME: ${{ matrix.default_image_name }} VAR_REGISTRY_HOST: ${{ vars.REGISTRY_HOST }} VAR_IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE }} VAR_IMAGE_NAME: ${{ vars.IMAGE_NAME }} VAR_BACKEND_IMAGE_NAME: ${{ vars.BACKEND_IMAGE_NAME }} VAR_FRONTEND_IMAGE_NAME: ${{ vars.FRONTEND_IMAGE_NAME }} VAR_ADMIN_IMAGE_NAME: ${{ vars.ADMIN_IMAGE_NAME }} VAR_FRONTEND_PUBLIC_API_BASE_URL: ${{ vars.FRONTEND_PUBLIC_API_BASE_URL }} VAR_ADMIN_VITE_API_BASE: ${{ vars.ADMIN_VITE_API_BASE }} VAR_ADMIN_VITE_FRONTEND_BASE_URL: ${{ vars.ADMIN_VITE_FRONTEND_BASE_URL }} VAR_ADMIN_VITE_BASENAME: ${{ vars.ADMIN_VITE_BASENAME }} run: | set -euo pipefail REGISTRY_HOST="${VAR_REGISTRY_HOST:-${GITEA_SERVER_URL#https://}}" if [ -z "${REGISTRY_HOST}" ]; then REGISTRY_HOST="git.init.cool" fi REPO_OWNER="${GITHUB_REPOSITORY_OWNER:-${GITEA_REPOSITORY_OWNER:-cool}}" IMAGE_NAMESPACE="${VAR_IMAGE_NAMESPACE:-${REPO_OWNER}}" case "${COMPONENT}" in backend) IMAGE_NAME="${VAR_BACKEND_IMAGE_NAME:-${VAR_IMAGE_NAME:-${DEFAULT_IMAGE_NAME}}}" ;; frontend) IMAGE_NAME="${VAR_FRONTEND_IMAGE_NAME:-${DEFAULT_IMAGE_NAME}}" ;; admin) IMAGE_NAME="${VAR_ADMIN_IMAGE_NAME:-${DEFAULT_IMAGE_NAME}}" ;; *) IMAGE_NAME="${DEFAULT_IMAGE_NAME}" ;; esac REF_NAME="${GITHUB_REF_NAME:-${GITEA_REF_NAME:-main}}" SAFE_REF="$(echo "${REF_NAME}" | tr '[:upper:]' '[:lower:]' | sed 's#[^a-z0-9._-]#-#g')" COMMIT_SHA="${GITHUB_SHA:-${GITEA_SHA:-dev}}" SHORT_SHA="$(echo "${COMMIT_SHA}" | cut -c1-12)" IMAGE_BASE="${REGISTRY_HOST}/${IMAGE_NAMESPACE}/${IMAGE_NAME}" FRONTEND_PUBLIC_API_BASE_URL="${VAR_FRONTEND_PUBLIC_API_BASE_URL:-http://localhost:5150/api}" ADMIN_VITE_API_BASE="${VAR_ADMIN_VITE_API_BASE:-http://localhost:5150}" ADMIN_VITE_FRONTEND_BASE_URL="${VAR_ADMIN_VITE_FRONTEND_BASE_URL:-http://localhost:4321}" ADMIN_VITE_BASENAME="${VAR_ADMIN_VITE_BASENAME:-}" { echo "registry_host=${REGISTRY_HOST}" echo "image_base=${IMAGE_BASE}" echo "tag_latest=latest" echo "tag_branch=${SAFE_REF}" echo "tag_sha=${SHORT_SHA}" echo "cache_ref_branch=${IMAGE_BASE}:buildcache-${SAFE_REF}" echo "cache_ref_shared=${IMAGE_BASE}:buildcache" echo "frontend_public_api_base_url=${FRONTEND_PUBLIC_API_BASE_URL}" echo "admin_vite_api_base=${ADMIN_VITE_API_BASE}" echo "admin_vite_frontend_base_url=${ADMIN_VITE_FRONTEND_BASE_URL}" echo "admin_vite_basename=${ADMIN_VITE_BASENAME}" } >> "$GITHUB_OUTPUT" - name: Login registry shell: bash env: REGISTRY_HOST: ${{ steps.meta.outputs.registry_host }} REGISTRY_USER: ${{ secrets.REGISTRY_USERNAME }} REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} BUILTIN_GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} GITHUB_ACTOR_NAME: ${{ github.actor }} GITHUB_REPOSITORY_OWNER_NAME: ${{ github.repository_owner }} run: | set -euo pipefail CUSTOM_REGISTRY_USER="${REGISTRY_USER:-}" CUSTOM_REGISTRY_TOKEN="${REGISTRY_TOKEN:-}" BUILTIN_REGISTRY_TOKEN="${BUILTIN_GITEA_TOKEN:-}" ACTOR_USER="${GITHUB_ACTOR_NAME:-}" OWNER_USER="${GITHUB_REPOSITORY_OWNER_NAME:-}" if [ -n "${CUSTOM_REGISTRY_TOKEN}" ]; then REGISTRY_TOKEN="${CUSTOM_REGISTRY_TOKEN}" else REGISTRY_TOKEN="${BUILTIN_REGISTRY_TOKEN}" fi if [ -z "${REGISTRY_TOKEN}" ]; then echo "Missing registry credentials: set REGISTRY_USERNAME/REGISTRY_TOKEN, or rely on the built-in GITEA_TOKEN with packages:write permission." exit 1 fi CANDIDATE_USERS=() for candidate in "${CUSTOM_REGISTRY_USER}" "${ACTOR_USER}" "${OWNER_USER}"; do if [ -n "${candidate}" ] && [[ ! " ${CANDIDATE_USERS[*]} " =~ [[:space:]]${candidate}[[:space:]] ]]; then CANDIDATE_USERS+=("${candidate}") fi done if [ ${#CANDIDATE_USERS[@]} -eq 0 ]; then echo "Missing registry username: set REGISTRY_USERNAME or ensure github.actor/repository_owner are available." exit 1 fi LOGIN_OK=0 for candidate in "${CANDIDATE_USERS[@]}"; do if echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" --username "${candidate}" --password-stdin; then LOGIN_OK=1 break fi done if [ "${LOGIN_OK}" -ne 1 ]; then echo "Registry login failed for all candidate usernames." exit 1 fi - name: Setup docker buildx shell: bash run: | set -euo pipefail if docker buildx inspect gitea-builder >/dev/null 2>&1; then docker buildx use gitea-builder else docker buildx create --name gitea-builder --driver docker-container --use fi docker buildx inspect --bootstrap - name: Login Docker Hub (optional) shell: bash env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: | set -euo pipefail if [ -n "${DOCKERHUB_USERNAME:-}" ] && [ -n "${DOCKERHUB_TOKEN:-}" ]; then echo "${DOCKERHUB_TOKEN}" | docker login docker.io --username "${DOCKERHUB_USERNAME}" --password-stdin else echo "Docker Hub credentials not configured, continuing with anonymous pulls." fi - name: Build and push image shell: bash env: COMPONENT: ${{ matrix.component }} DOCKERFILE: ${{ matrix.dockerfile }} CONTEXT_DIR: ${{ matrix.context }} IMAGE_BASE: ${{ steps.meta.outputs.image_base }} TAG_LATEST: ${{ steps.meta.outputs.tag_latest }} TAG_BRANCH: ${{ steps.meta.outputs.tag_branch }} TAG_SHA: ${{ steps.meta.outputs.tag_sha }} CACHE_REF_BRANCH: ${{ steps.meta.outputs.cache_ref_branch }} CACHE_REF_SHARED: ${{ steps.meta.outputs.cache_ref_shared }} FRONTEND_PUBLIC_API_BASE_URL: ${{ steps.meta.outputs.frontend_public_api_base_url }} ADMIN_VITE_API_BASE: ${{ steps.meta.outputs.admin_vite_api_base }} ADMIN_VITE_FRONTEND_BASE_URL: ${{ steps.meta.outputs.admin_vite_frontend_base_url }} ADMIN_VITE_BASENAME: ${{ steps.meta.outputs.admin_vite_basename }} run: | set -euo pipefail BUILD_ARGS=() if [ "${COMPONENT}" = "frontend" ]; then BUILD_ARGS+=(--build-arg "PUBLIC_API_BASE_URL=${FRONTEND_PUBLIC_API_BASE_URL}") fi if [ "${COMPONENT}" = "admin" ]; then BUILD_ARGS+=(--build-arg "VITE_API_BASE=${ADMIN_VITE_API_BASE}") BUILD_ARGS+=(--build-arg "VITE_FRONTEND_BASE_URL=${ADMIN_VITE_FRONTEND_BASE_URL}") BUILD_ARGS+=(--build-arg "VITE_ADMIN_BASENAME=${ADMIN_VITE_BASENAME}") fi docker buildx build \ --file "${DOCKERFILE}" \ "${BUILD_ARGS[@]}" \ --build-arg BUILDKIT_INLINE_CACHE=1 \ --cache-from "type=registry,ref=${CACHE_REF_BRANCH}" \ --cache-from "type=registry,ref=${CACHE_REF_SHARED}" \ --cache-from "type=registry,ref=${IMAGE_BASE}:${TAG_BRANCH}" \ --cache-from "type=registry,ref=${IMAGE_BASE}:${TAG_LATEST}" \ --cache-to "type=registry,ref=${CACHE_REF_BRANCH},mode=max" \ --cache-to "type=registry,ref=${CACHE_REF_SHARED},mode=max" \ --cache-to "type=inline" \ --tag "${IMAGE_BASE}:${TAG_LATEST}" \ --tag "${IMAGE_BASE}:${TAG_BRANCH}" \ --tag "${IMAGE_BASE}:${TAG_SHA}" \ --push \ "${CONTEXT_DIR}" - name: Output image tags shell: bash env: COMPONENT: ${{ matrix.component }} IMAGE_BASE: ${{ steps.meta.outputs.image_base }} TAG_LATEST: ${{ steps.meta.outputs.tag_latest }} TAG_BRANCH: ${{ steps.meta.outputs.tag_branch }} TAG_SHA: ${{ steps.meta.outputs.tag_sha }} run: | echo "[${COMPONENT}] pushed tags:" echo "- ${IMAGE_BASE}:${TAG_LATEST}" echo "- ${IMAGE_BASE}:${TAG_BRANCH}" echo "- ${IMAGE_BASE}:${TAG_SHA}" submit-indexnow: needs: - resolve-build-targets - build-and-push if: needs.resolve-build-targets.outputs.frontend_changed == 'true' runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup pnpm uses: pnpm/action-setup@v4 with: version: 10 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: 22 - name: Submit IndexNow (optional) shell: bash env: INDEXNOW_KEY: ${{ secrets.INDEXNOW_KEY }} SITE_URL: ${{ vars.INDEXNOW_SITE_URL }} PUBLIC_API_BASE_URL: ${{ vars.INDEXNOW_PUBLIC_API_BASE_URL }} GITHUB_REF_NAME_VALUE: ${{ github.ref_name }} run: | set -euo pipefail REF_NAME="${GITHUB_REF_NAME_VALUE:-${GITHUB_REF_NAME:-${GITEA_REF_NAME:-}}}" if [ "${GITHUB_EVENT_NAME:-${GITEA_EVENT_NAME:-}}" != "push" ]; then echo "Current event is not push, skip IndexNow submission." exit 0 fi if [ "${REF_NAME}" != "main" ] && [ "${REF_NAME}" != "master" ]; then echo "Current ref '${REF_NAME}' is not main/master, skip IndexNow submission." exit 0 fi if [ -z "${INDEXNOW_KEY:-}" ]; then echo "Missing INDEXNOW_KEY secret, skip IndexNow submission." exit 0 fi if [ -z "${SITE_URL:-}" ]; then echo "Missing INDEXNOW_SITE_URL variable, skip IndexNow submission." exit 0 fi pnpm --dir frontend run indexnow:submit