# Gitea Actions workflow:构建并推送 Docker 镜像到 Gitea Container Registry # # 触发条件:push 到 master/main # 镜像标签:latest + git short SHA # 目标架构:linux/amd64(v1 简化) # Registry:http://192.168.6.200:3080 的 Gitea 内置 Container Registry # # 前置要求: # 1. Gitea 实例已开启 Container Registry(packages 功能) # 2. 仓库已注册一个 Gitea Actions runner(带 docker 能力) # 3. 仓库设置 → Actions → Secrets 无需手动配置 # (本 workflow 使用 Gitea 内置的 ${{ gitea.token }} 自动认证) name: build-and-push-image on: push: branches: - master - main # 排除 tag 推送触发的版本构建(后续可加 on: push: tags 单独 workflow) tags-ignore: 'v*' # 避免重复构建:同时 push 到 master 多 commit 时只跑最新一次 concurrency: group: build-image-${{ gitea.ref }} cancel-in-progress: true env: # Gitea Container Registry 地址 # 默认推断规则:${{ gitea.server_url }}/${{ gitea.repository }}/packages/container/ # 例如:http://192.168.6.200:3080/1076code/matrix/packages/container/matrix-music-bot REGISTRY: ${{ gitea.server_url }} IMAGE_NAMESPACE: ${{ gitea.repository_owner }} IMAGE_NAME: matrix-music-bot # 单架构构建(v1 简化;如需 arm64 改为 linux/amd64,linux/arm64) PLATFORM: linux/amd64 jobs: build: name: build-push runs-on: self-hosted # Gitea runner 默认标签(act_runner 注册时未指定 --labels 时) timeout-minutes: 30 steps: # 1. 检出源码 - name: Checkout uses: actions/checkout@v4 # 2. 安装 Rust 工具链(用于 cache key 计算 + 编译期校验) # 注:实际编译在 Docker 内进行,此处仅用于 cache 命中率 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@stable # 3. 缓存 Cargo registry / target 目录(加速依赖解析,可选) # 如未安装 Swatinem/rust-cache action,可改用 actions/cache@v4 - name: Cache cargo registry uses: Swatinem/rust-cache@v2 with: cache-on-failure: true # 4. 验证 Cargo.lock 一致性(防止 manifest 漂移) # 注意:此步骤在宿主 runner 上跑,需与 Dockerfile 内编译一致; # 如果 Gitea runner 是 linux/amd64 而 Dockerfile 也是 debian-bookworm 则一致 - name: Verify Cargo.lock is up to date run: | cargo metadata --format-version 1 --no-deps > /dev/null # 简易 sanity check:能解析 manifest 即可 # 5. 设置 Docker Buildx(启用 BuildKit 缓存) - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 # 6. 登录 Gitea Container Registry # 用 Gitea 内置 token(每个 workflow run 自动生成) - name: Login to Gitea Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ gitea.actor }} password: ${{ gitea.token }} # 7. 提取元数据(自动生成标签) - name: Extract Docker metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }} # tags: latest + sha 短哈希 tags: | type=raw,value=latest type=sha,format=short # 镜像标签 labels(用 OCI 标准) labels: | org.opencontainers.image.title=matrix-music-bot org.opencontainers.image.description=Element Call 加密房间中的点歌机器人 org.opencontainers.image.source=${{ gitea.server_url }}/${{ gitea.repository }} org.opencontainers.image.licenses=MIT org.opencontainers.image.vendor=1076code # 8. 构建并推送镜像 - name: Build and push uses: docker/build-push-action@v5 with: context: . file: ./Dockerfile platforms: ${{ env.PLATFORM }} # BuildKit 缓存(推到 registry 作为缓存层,下次构建复用) cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:buildcache cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:buildcache,mode=max tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} # 推送(生产);注释掉此行可改为本地构建(PR 场景) push: true # 镜像安全扫描(可选:用 Trivy 检查已知 CVE) scan: name: vulnerability-scan needs: build runs-on: self-hosted timeout-minutes: 10 continue-on-error: true # 扫描失败不阻塞流程 steps: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:latest format: 'table' exit-code: '0' # 仅报告不阻塞 ignore-unfixed: true severity: 'CRITICAL,HIGH'