ci: Gitea Actions 自动构建 + 推送镜像到 Container Registry

按用户选定方案:
  - Registry: Gitea 内置 Container Registry
  - 触发: 仅 push master/main
  - 标签: latest + git short SHA
  - 架构: linux/amd64 单架构

新增文件:
  .gitea/workflows/build-image.yml   CI workflow 定义
  .gitea/README.md                  Gitea Actions 运维手册

workflow 步骤:
  1. actions/checkout@v4           检出源码
  2. dtolnay/rust-toolchain@stable  安装 Rust(仅用于 cache key 计算)
  3. Swatinem/rust-cache@v2        缓存 Cargo registry / target
  4. cargo metadata sanity check    防止 manifest 漂移
  5. docker/setup-buildx-action@v3  Buildx
  6. docker/login-action@v3        登录 Gitea Registry(用 ${{ gitea.token }})
  7. docker/metadata-action@v5     生成 latest + sha 标签 + OCI labels
  8. docker/build-push-action@v5   构建 + 推送(含 BuildKit registry cache)
  9. aquasecurity/trivy-action      CVE 扫描(不阻塞)

特性:
  - concurrency 控制:避免重复构建(同一 ref 只跑最新)
  - 自动镜像标签:latest + commit short SHA
  - BuildKit cache 推到 :buildcache 镜像(下次构建复用)
  - Gitea 内置 token 自动认证(无需手动 secrets)
  - OCI 标准 labels(title/source/license/vendor)

gitea/README.md 包含:
  - 前置要求(Registry 开启、Runner 注册、网络)
  - 镜像使用示例
  - 常见扩展(tag 触发 / 多架构 / 自动部署)
  - 故障排查(login 失败 / build 失败 / pull 失败)
This commit is contained in:
Matrix Music Bot Dev
2026-07-03 00:02:51 +08:00
parent 2518169927
commit fab14e3196
2 changed files with 315 additions and 0 deletions
+132
View File
@@ -0,0 +1,132 @@
# Gitea Actions workflow:构建并推送 Docker 镜像到 Gitea Container Registry
#
# 触发条件:push 到 master/main
# 镜像标签:latest + git short SHA
# 目标架构:linux/amd64v1 简化)
# Registryhttp://192.168.6.200:3080 的 Gitea 内置 Container Registry
#
# 前置要求:
# 1. Gitea 实例已开启 Container Registrypackages 功能)
# 2. 仓库已注册一个 Gitea Actions runner(带 docker 能力)
# 3. 仓库设置 → Actions → Secrets 无需手动配置
# (本 workflow 使用 Gitea 内置的 ${{ gitea.token }} 自动认证)
name: build-and-push-image
on:
push:
branches:
- master
- main
# 排除 tag 推送触发的版本构建(后续可加 on: push: tags 单独 workflow
tags-ignore: 'v*'
# 避免重复构建:同时 push 到 master 多 commit 时只跑最新一次
concurrency:
group: build-image-${{ gitea.ref }}
cancel-in-progress: true
env:
# Gitea Container Registry 地址
# 默认推断规则:${{ gitea.server_url }}/${{ gitea.repository }}/packages/container/<image>
# 例如:http://192.168.6.200:3080/1076code/matrix/packages/container/matrix-music-bot
REGISTRY: ${{ gitea.server_url }}
IMAGE_NAMESPACE: ${{ gitea.repository_owner }}
IMAGE_NAME: matrix-music-bot
# 单架构构建(v1 简化;如需 arm64 改为 linux/amd64,linux/arm64
PLATFORM: linux/amd64
jobs:
build:
name: build-push
runs-on: ubuntu-latest # Gitea runner 标签,按实际配置调整
timeout-minutes: 30
steps:
# 1. 检出源码
- name: Checkout
uses: actions/checkout@v4
# 2. 安装 Rust 工具链(用于 cache key 计算 + 编译期校验)
# 注:实际编译在 Docker 内进行,此处仅用于 cache 命中率
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
# 3. 缓存 Cargo registry / target 目录(加速依赖解析,可选)
# 如未安装 Swatinem/rust-cache action,可改用 actions/cache@v4
- name: Cache cargo registry
uses: Swatinem/rust-cache@v2
with:
cache-on-failure: true
# 4. 验证 Cargo.lock 一致性(防止 manifest 漂移)
# 注意:此步骤在宿主 runner 上跑,需与 Dockerfile 内编译一致;
# 如果 Gitea runner 是 linux/amd64 而 Dockerfile 也是 debian-bookworm 则一致
- name: Verify Cargo.lock is up to date
run: |
cargo metadata --format-version 1 --no-deps > /dev/null
# 简易 sanity check:能解析 manifest 即可
# 5. 设置 Docker Buildx(启用 BuildKit 缓存)
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
# 6. 登录 Gitea Container Registry
# 用 Gitea 内置 token(每个 workflow run 自动生成)
- name: Login to Gitea Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ gitea.actor }}
password: ${{ gitea.token }}
# 7. 提取元数据(自动生成标签)
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
# tags: latest + sha 短哈希
tags: |
type=raw,value=latest
type=sha,format=short
# 镜像标签 labels(用 OCI 标准)
labels: |
org.opencontainers.image.title=matrix-music-bot
org.opencontainers.image.description=Element Call 加密房间中的点歌机器人
org.opencontainers.image.source=${{ gitea.server_url }}/${{ gitea.repository }}
org.opencontainers.image.licenses=MIT
org.opencontainers.image.vendor=1076code
# 8. 构建并推送镜像
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
platforms: ${{ env.PLATFORM }}
# BuildKit 缓存(推到 registry 作为缓存层,下次构建复用)
cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:buildcache
cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# 推送(生产);注释掉此行可改为本地构建(PR 场景)
push: true
# 镜像安全扫描(可选:用 Trivy 检查已知 CVE)
scan:
name: vulnerability-scan
needs: build
runs-on: ubuntu-latest
timeout-minutes: 10
continue-on-error: true # 扫描失败不阻塞流程
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:latest
format: 'table'
exit-code: '0' # 仅报告不阻塞
ignore-unfixed: true
severity: 'CRITICAL,HIGH'