diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index a28dbfb..d198575 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,88 +1,105 @@
 name: Docker
 on:
- push:
- branches: [main]
- tags: ["v*"]
- pull_request:
- branches: [main]
- paths:
- - "Dockerfile"
- - "docker-compose.yml"
- - "dev/docker-compose.yml"
- - "dev/sandbox/**"
- - ".github/workflows/docker.yml"
+ push:
+ branches: [main]
+ tags: ["v*"]
+ pull_request:
+ branches: [main]
+ paths:
+ - "Dockerfile"
+ - "docker-compose.yml"
+ - "dev/docker-compose.yml"
+ - "dev/sandbox/**"
+ - ".github/workflows/docker.yml"
+ workflow_dispatch:
 concurrency:
- group: docker-${{ github.event.pull_request.number || github.ref }}
- cancel-in-progress: true
+ group: docker-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
 env:
- REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository }}
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
 jobs:
- build-and-push:
- name: Build and Push Docker Image
- runs-on: ubuntu-latest
- timeout-minutes: 25
- permissions:
- contents: read
- packages: write
+ pr-smoke:
+ name: PR Docker Smoke
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ timeout-minutes: 25
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ - name: Extract metadata (tags, labels)
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=ref,event=pr
- - name: Log in to Container Registry
- if: github.event_name != 'pull_request'
- uses: docker/login-action@v3
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Build smoke image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: false
+ load: true
+ tags: zeroclaw-pr-smoke:latest
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ platforms: linux/amd64
- - name: Extract metadata (tags, labels)
- id: meta
- uses: docker/metadata-action@v5
- with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- tags: |
- type=ref,event=branch
- type=ref,event=pr
- type=semver,pattern={{version}}
- type=semver,pattern={{major}}.{{minor}}
- type=semver,pattern={{major}}
- type=raw,value=latest,enable={{is_default_branch}}
+ - name: Verify image
+ run: docker run --rm zeroclaw-pr-smoke:latest --version
- - name: Build and push Docker image (push/tag)
- if: github.event_name != 'pull_request'
- uses: docker/build-push-action@v5
- with:
- context: .
- push: true
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
- platforms: ${{ startsWith(github.ref, 'refs/tags/') && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
+ publish:
+ name: Build and Push Docker Image
+ if: github.event_name != 'pull_request'
+ runs-on: ubuntu-latest
+ timeout-minutes: 25
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
- - name: Build smoke image (PR only)
- if: github.event_name == 'pull_request'
- uses: docker/build-push-action@v5
- with:
- context: .
- push: false
- load: true
- tags: zeroclaw-pr-smoke:latest
- labels: ${{ steps.meta.outputs.labels }}
- cache-from: type=gha
- platforms: linux/amd64
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
- - name: Verify image (PR only)
- if: github.event_name == 'pull_request'
- run: |
- docker run --rm zeroclaw-pr-smoke:latest --version
+ - name: Log in to Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels)
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=ref,event=branch
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=raw,value=latest,enable={{is_default_branch}}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ platforms: ${{ startsWith(github.ref, 'refs/tags/') && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4a2b071..ee82e36 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,7 +40,7 @@ jobs:
 - uses: Swatinem/rust-cache@v2
 - name: Build release
- run: cargo build --release --target ${{ matrix.target }}
+ run: cargo build --release --locked --target ${{ matrix.target }}
 - name: Check binary size (Unix)
 if: runner.os != 'Windows'
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 822d96a..6d75ef0 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
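Review bot: `workflow_dispatch:` is added under `on:`, but the new `publish` job is guarded only by `if: github.event_name != 'pull_request'`, so a manual dispatch from any branch now reaches the registry login and the `push: true` build with `packages: write`, and `type=ref,event=branch` will most likely publish a tag named after that branch to `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}`. If manual runs are meant to be a throwaway smoke build, guard `pr-smoke` with `if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch'` and `publish` with `if: github.event_name == 'push'`; if manual publishing is intended, a comment above `workflow_dispatch:` saying so would stop the next reader from assuming it is an oversight. Separately, every `uses:` line on the new side pins to a floating major tag (`@v4`, `@v3`, `@v5`); pinning to a full commit SHA with the tag kept in a trailing comment is the usual way to keep a moved tag from changing what runs with the registry token. In `pr-smoke` the `meta` step only feeds `labels:` because the image is tagged `zeroclaw-pr-smoke:latest` directly, which is worth a one-line comment on that step.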
@@ -21,7 +21,7 @@ jobs:
 - uses: dtolnay/rust-toolchain@stable
 - name: Install cargo-audit
- run: cargo install cargo-audit
+ run: cargo install --locked cargo-audit --version 0.22.1
 - name: Run cargo-audit
 run: cargo audit
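Review bot: The `--version 0.22.1` pin on the `Install cargo-audit` step carries no note on how it is kept current; a version embedded in a `run:` string is not picked up by Dependabot's actions updater, so it will only move when someone edits it by hand. A comment above the step, `# Pinned for reproducible CI; bump deliberately and re-run the audit`, would make that intent explicit. Since the step still compiles the tool from source on every run, a cached install (rust-cache or a prebuilt-binary installer, if the project already uses one) is worth considering to keep the job fast; I cannot see the rest of this job from the hunk. The `cargo audit` invocation below is unchanged context, but `--deny warnings` there would make unmaintained or yanked advisories fail the job instead of only printing.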