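# Release workflow: builds the `runner` and `migrator` targets of
# ./Dockerfile.prod and pushes both images to ghcr.io.
#
# Hardening convention used below: every `${{ ... }}` expression is bound to
# an environment variable in the step's `env:` map and read by the shell as
# "$VAR". Expressions placed directly inside `run:` are substituted into the
# script text before the shell parses it, so a caller-supplied value (for
# example the `image_tag` dispatch input) would be interpreted as shell
# syntax rather than as data.
name: Release Image

on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      image_tag:
        description: 'Optional tag override, defaults to sha-'
        required: false
        type: string

# Least privilege for the workflow token: the job only reads the repository.
# Registry access comes from the GHCR_* secrets, not from this token.
permissions:
  contents: read

jobs:
  build-and-push:
    name: Build And Push Images
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      # NOTE(review): `@v4` is a mutable tag; consider pinning to the full
      # commit SHA of the release you have reviewed.
      - uses: actions/checkout@v4
        with:
          # No later step runs git against the remote, so do not leave the
          # checkout token in .git/config, which sits inside the Docker build
          # context (`.`) used by both build steps.
          persist-credentials: false

      - name: Set up Docker Buildx
        # Best effort: errors (e.g. the builder already exists) are ignored.
        run: docker buildx create --use --name ci-builder 2>/dev/null || true

      - name: Login to GHCR
        # Requires Gitea secrets: GHCR_USERNAME (GitHub username) and
        # GHCR_TOKEN (GitHub PAT with write:packages scope)
        env:
          GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
          GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
        run: |
          # The token travels over stdin, never as a command-line argument.
          printf '%s\n' "${GHCR_TOKEN}" | \
            docker login ghcr.io -u "${GHCR_USERNAME}" --password-stdin

      - id: vars
        name: Compute image refs
        env:
          REPO_OWNER: ${{ github.repository_owner }}
          REPO_FULL: ${{ github.repository }}
          IMAGE_TAG_INPUT: ${{ inputs.image_tag }}
        run: |
          # Byte-wise character ranges for the tag check below.
          export LC_ALL=C

          # Registry paths must be lowercase.
          owner="$(printf '%s' "${REPO_OWNER}" | tr '[:upper:]' '[:lower:]')"
          repo="$(basename "${REPO_FULL}" | tr '[:upper:]' '[:lower:]')"

          image_tag="${IMAGE_TAG_INPUT}"
          if [ -z "${image_tag}" ]; then
            image_tag="sha-${GITHUB_SHA}"
          fi

          # Accept only a well-formed Docker tag: letters, digits, `_`, `.`
          # and `-`, not starting with `.` or `-`, at most 128 characters.
          # This also rejects newlines, which would otherwise let the value
          # append extra key=value lines to $GITHUB_OUTPUT.
          case "${image_tag}" in
            *[!A-Za-z0-9_.-]* | -* | .*)
              echo "image_tag is not a valid Docker tag" >&2
              exit 1
              ;;
          esac
          if [ "${#image_tag}" -gt 128 ]; then
            echo "image_tag is longer than 128 characters" >&2
            exit 1
          fi

          echo "app_image=ghcr.io/${owner}/${repo}-app:${image_tag}" >> "$GITHUB_OUTPUT"
          echo "migrator_image=ghcr.io/${owner}/${repo}-migrator:${image_tag}" >> "$GITHUB_OUTPUT"

      # Guardrail anchor: target: runner
      - name: Build and push app image
        env:
          APP_IMAGE: ${{ steps.vars.outputs.app_image }}
        run: |
          docker buildx build --push \
            --tag "${APP_IMAGE}" \
            --file ./Dockerfile.prod \
            --target runner \
            .

      # Guardrail anchor: target: migrator
      - name: Build and push migrator image
        env:
          MIGRATOR_IMAGE: ${{ steps.vars.outputs.migrator_image }}
        run: |
          docker buildx build --push \
            --tag "${MIGRATOR_IMAGE}" \
            --file ./Dockerfile.prod \
            --target migrator \
            .

      - name: Release summary
        env:
          APP_IMAGE: ${{ steps.vars.outputs.app_image }}
          MIGRATOR_IMAGE: ${{ steps.vars.outputs.migrator_image }}
        run: |
          echo "App image: ${APP_IMAGE}"
          echo "Migrator image: ${MIGRATOR_IMAGE}"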