Merge pull request #439 from JerrettDavis/feat/iss-438-unified-update #347
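# Builds, publishes and attests the project's container images, and lints the
# Helm chart.
name: Container Images

# Triggers: pushes to main, pushes of v* tags, and manual dispatch.
# There is no pull_request trigger in this workflow.
on:
  push:
    branches: [main]
    tags:
      - "v*"
  workflow_dispatch:

# Workflow-wide default for GITHUB_TOKEN: read-only repository contents.
# A job without its own `permissions:` block otherwise receives the
# repository/organisation default, which may be read-write. A job that needs
# more declares it explicitly at job level, which overrides this default.
permissions:
  contents: read

env:
  REGISTRY: ghcr.io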
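jobs:
  # Builds one image per matrix component, pushes it to GHCR, generates an
  # SPDX SBOM for the pushed digest, and attests that SBOM to the image.
  #
  # NOTE(review): every `uses:` in this workflow references a mutable tag
  # (@v6, @v4, @v7, @v0). This job holds packages: write, id-token: write and
  # attestations: write, so whatever a tag points to at run time executes with
  # those rights. Pinning each action to a full commit SHA, with the tag kept
  # as a trailing comment (`uses: owner/action@<full-commit-sha>  # vX`),
  # keeps a re-pointed tag from changing what runs here.
  publish:
    runs-on: ubuntu-latest
    # Job-level grant; only what the steps below use:
    #   packages: write      - push images to GHCR
    #   id-token: write      - presumably the OIDC token used for signing the
    #                          attestation; confirm against actions/attest-sbom
    #   attestations: write  - store the SBOM attestation
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    strategy:
      # One component failing to build does not cancel the others.
      fail-fast: false
      matrix:
        include:
          - component: gateway
            dockerfile: deploy/docker/Dockerfile.gateway
          - component: daemon
            dockerfile: deploy/docker/Dockerfile.daemon
          - component: tui
            dockerfile: deploy/docker/Dockerfile.tui
    steps:
      # No later step in this job runs an authenticated git command, and the
      # whole checkout is handed to the image build (`context: .` below), so
      # the token is not left behind in the working tree.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Set up Docker Buildx
        shell: bash
        run: |
          docker buildx version
          docker buildx create --name jdai-builder --use || docker buildx use jdai-builder
          docker buildx inspect --bootstrap

      # Expression values reach the script through environment variables
      # rather than being pasted into the script text, so the shell only ever
      # sees them as data.
      - name: Normalize image name
        id: image
        shell: bash
        env:
          REGISTRY: ${{ env.REGISTRY }}
          COMPONENT: ${{ matrix.component }}
        run: |
          # Lower-case the owner before it becomes part of the image name.
          owner="${GITHUB_REPOSITORY_OWNER,,}"
          echo "name=${REGISTRY}/${owner}/jd.ai-${COMPONENT}" >> "$GITHUB_OUTPUT"

      - name: Login to GHCR
        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Tags produced: the commit SHA, `latest` on the default branch only,
      # and the git tag name on tag pushes.
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v6
        with:
          images: ${{ steps.image.outputs.name }}
          tags: |
            type=sha
            type=raw,value=latest,enable={{is_default_branch}}
            type=ref,event=tag

      - name: Build and push
        id: build
        uses: docker/build-push-action@v7
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # The image is referenced by the digest the build step reported, not by
      # a tag, so the SBOM describes exactly what was pushed.
      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          image: ${{ steps.image.outputs.name }}@${{ steps.build.outputs.digest }}
          format: spdx-json
          output-file: sbom-${{ matrix.component }}.spdx.json

      - name: Upload SBOM artifact
        uses: actions/upload-artifact@v7
        with:
          name: sbom-${{ matrix.component }}
          path: sbom-${{ matrix.component }}.spdx.json

      # Binds the SBOM to the pushed image digest. Only the SBOM is attested
      # in this workflow; no separate build-provenance attestation is made.
      # Consumers can check the result with `gh attestation verify`.
      - name: Attest SBOM to image
        uses: actions/attest-sbom@v4
        with:
          subject-name: ${{ steps.image.outputs.name }}
          subject-digest: ${{ steps.build.outputs.digest }}
          sbom-path: sbom-${{ matrix.component }}.spdx.json

  # Installs a fixed Helm release, then lints and renders the chart.
  helm-lint:
    runs-on: ubuntu-latest
    # This job only reads the repository; state that explicitly instead of
    # inheriting whatever default the repository or organisation sets.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      # The archive is checked against its published SHA-256 before anything
      # from it is installed with sudo. The checksum file comes from the same
      # host as the archive, so this catches a corrupted or truncated download
      # but not a compromised origin; committing the expected SHA-256 next to
      # HELM_VERSION and comparing against that value is the stronger control.
      - name: Install Helm
        shell: bash
        run: |
          set -euo pipefail
          HELM_VERSION="v3.19.0"
          ARCHIVE="helm-${HELM_VERSION}-linux-amd64.tar.gz"
          URL="https://get.helm.sh/${ARCHIVE}"
          for attempt in 1 2 3; do
            if curl -fsSL --retry 3 --retry-delay 2 "$URL" -o "$ARCHIVE" \
              && curl -fsSL --retry 3 --retry-delay 2 "${URL}.sha256sum" -o "${ARCHIVE}.sha256sum"; then
              break
            fi
            if [ "$attempt" -eq 3 ]; then
              echo "Failed to download Helm from $URL after retries."
              exit 1
            fi
            sleep $((attempt * 5))
          done
          # Fails the step (set -e) when the digest does not match.
          sha256sum --check "${ARCHIVE}.sha256sum"
          # Extract only the binary that gets installed.
          tar -xzf "$ARCHIVE" linux-amd64/helm
          sudo mv linux-amd64/helm /usr/local/bin/helm
          helm version --short

      - name: Helm lint
        run: helm lint deploy/helm/jdai

      # Renders the chart locally; output is discarded, only the exit status
      # matters.
      - name: Helm template (dry-run)
        run: helm template jdai deploy/helm/jdai --debug > /dev/null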