diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index f637341..f90dcd4 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -1,66 +1,88 @@ name: Docker on: - push: - branches: [main] - tags: ["v*"] - pull_request: - branches: [main] + push: + branches: [main] + tags: ["v*"] + pull_request: + branches: [main] + paths: + - "Dockerfile" + - "docker-compose.yml" + - "dev/docker-compose.yml" + - "dev/sandbox/**" + - ".github/workflows/docker.yml" + +concurrency: + group: docker-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true env: - REGISTRY: ghcr.io - IMAGE_NAME: ${{ github.repository }} + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} jobs: - build-and-push: - name: Build and Push Docker Image - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - continue-on-error: true # Don't block PRs on Docker build failures + build-and-push: + name: Build and Push Docker Image + runs-on: ubuntu-latest + timeout-minutes: 25 + permissions: + contents: read + packages: write - steps: - - name: Checkout repository - uses: actions/checkout@v4 + steps: + - name: Checkout repository + uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - - name: Log in to Container Registry - if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + - name: Log in to Container Registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: Extract metadata (tags, labels) - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=raw,value=latest,enable={{is_default_branch}} + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=raw,value=latest,enable={{is_default_branch}} - - name: Build and push Docker image - uses: docker/build-push-action@v5 - with: - context: . - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - platforms: linux/amd64,linux/arm64 + - name: Build and push Docker image (push/tag) + if: github.event_name != 'pull_request' + uses: docker/build-push-action@v5 + with: + context: . + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + platforms: linux/amd64,linux/arm64 - - name: Verify image (PR only) - if: github.event_name == 'pull_request' - run: | - docker build -t zeroclaw-test . - docker run --rm zeroclaw-test --version + - name: Build smoke image (PR only) + if: github.event_name == 'pull_request' + uses: docker/build-push-action@v5 + with: + context: . + push: false + load: true + tags: zeroclaw-pr-smoke:latest + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + platforms: linux/amd64 + + - name: Verify image (PR only) + if: github.event_name == 'pull_request' + run: | + docker run --rm zeroclaw-pr-smoke:latest --version diff --git a/deny.toml b/deny.toml index e289a26..c716501 100644 --- a/deny.toml +++ b/deny.toml @@ -10,6 +10,7 @@ yanked = "warn" allow = [ "MIT", "Apache-2.0", + "Apache-2.0 WITH LLVM-exception", "BSD-2-Clause", "BSD-3-Clause", "ISC",