89ee450d6e
Gitea 管理 UI 显示 runner 信息: 名称: hermes-runner 版本: v0.6.1 类型: 全局 标签: ubuntu-22.04 状态: 空闲(在线) 之前两次猜测都错了: ubuntu-latest → 不是 GitHub 约定,匹配失败 self-hosted → 这个 runner 没注册该标签 最终实际标签:ubuntu-22.04(建议未来 .gitea/README.md 添加 runner 标签说明)
132 lines
5.1 KiB
YAML
132 lines
5.1 KiB
YAML
# Gitea Actions workflow:构建并推送 Docker 镜像到 Gitea Container Registry
|
||
#
|
||
# 触发条件:push 到 master/main
|
||
# 镜像标签:latest + git short SHA
|
||
# 目标架构:linux/amd64(v1 简化)
|
||
# Registry:http://192.168.6.200:3080 的 Gitea 内置 Container Registry
|
||
#
|
||
# 前置要求:
|
||
# 1. Gitea 实例已开启 Container Registry(packages 功能)
|
||
# 2. 仓库已注册一个 Gitea Actions runner(带 docker 能力)
|
||
# 3. 仓库设置 → Actions → Secrets 无需手动配置
|
||
# (本 workflow 使用 Gitea 内置的 ${{ gitea.token }} 自动认证)
|
||
|
||
name: build-and-push-image
|
||
|
||
on:
|
||
push:
|
||
branches:
|
||
- master
|
||
- main
|
||
# 排除 tag 推送触发的版本构建(后续可加 on: push: tags 单独 workflow)
|
||
tags-ignore: 'v*'
|
||
|
||
# 避免重复构建:同时 push 到 master 多 commit 时只跑最新一次
|
||
concurrency:
|
||
group: build-image-${{ gitea.ref }}
|
||
cancel-in-progress: true
|
||
|
||
env:
|
||
# Gitea Container Registry 地址
|
||
# 默认推断规则:${{ gitea.server_url }}/${{ gitea.repository }}/packages/container/<image>
|
||
# 例如:http://192.168.6.200:3080/1076code/matrix/packages/container/matrix-music-bot
|
||
REGISTRY: ${{ gitea.server_url }}
|
||
IMAGE_NAMESPACE: ${{ gitea.repository_owner }}
|
||
IMAGE_NAME: matrix-music-bot
|
||
# 单架构构建(v1 简化;如需 arm64 改为 linux/amd64,linux/arm64)
|
||
PLATFORM: linux/amd64
|
||
|
||
jobs:
|
||
build:
|
||
name: build-push
|
||
runs-on: ubuntu-22.04 # Gitea runner 实际标签(hermes-runner)
|
||
timeout-minutes: 30
|
||
|
||
steps:
|
||
# 1. 检出源码
|
||
- name: Checkout
|
||
uses: actions/checkout@v4
|
||
|
||
# 2. 安装 Rust 工具链(用于 cache key 计算 + 编译期校验)
|
||
# 注:实际编译在 Docker 内进行,此处仅用于 cache 命中率
|
||
- name: Install Rust toolchain
|
||
uses: dtolnay/rust-toolchain@stable
|
||
|
||
# 3. 缓存 Cargo registry / target 目录(加速依赖解析,可选)
|
||
# 如未安装 Swatinem/rust-cache action,可改用 actions/cache@v4
|
||
- name: Cache cargo registry
|
||
uses: Swatinem/rust-cache@v2
|
||
with:
|
||
cache-on-failure: true
|
||
|
||
# 4. 验证 Cargo.lock 一致性(防止 manifest 漂移)
|
||
# 注意:此步骤在宿主 runner 上跑,需与 Dockerfile 内编译一致;
|
||
# 如果 Gitea runner 是 linux/amd64 而 Dockerfile 也是 debian-bookworm 则一致
|
||
- name: Verify Cargo.lock is up to date
|
||
run: |
|
||
cargo metadata --format-version 1 --no-deps > /dev/null
|
||
# 简易 sanity check:能解析 manifest 即可
|
||
|
||
# 5. 设置 Docker Buildx(启用 BuildKit 缓存)
|
||
- name: Set up Docker Buildx
|
||
uses: docker/setup-buildx-action@v3
|
||
|
||
# 6. 登录 Gitea Container Registry
|
||
# 用 Gitea 内置 token(每个 workflow run 自动生成)
|
||
- name: Login to Gitea Container Registry
|
||
uses: docker/login-action@v3
|
||
with:
|
||
registry: ${{ env.REGISTRY }}
|
||
username: ${{ gitea.actor }}
|
||
password: ${{ gitea.token }}
|
||
|
||
# 7. 提取元数据(自动生成标签)
|
||
- name: Extract Docker metadata
|
||
id: meta
|
||
uses: docker/metadata-action@v5
|
||
with:
|
||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
|
||
# tags: latest + sha 短哈希
|
||
tags: |
|
||
type=raw,value=latest
|
||
type=sha,format=short
|
||
# 镜像标签 labels(用 OCI 标准)
|
||
labels: |
|
||
org.opencontainers.image.title=matrix-music-bot
|
||
org.opencontainers.image.description=Element Call 加密房间中的点歌机器人
|
||
org.opencontainers.image.source=${{ gitea.server_url }}/${{ gitea.repository }}
|
||
org.opencontainers.image.licenses=MIT
|
||
org.opencontainers.image.vendor=1076code
|
||
|
||
# 8. 构建并推送镜像
|
||
- name: Build and push
|
||
uses: docker/build-push-action@v5
|
||
with:
|
||
context: .
|
||
file: ./Dockerfile
|
||
platforms: ${{ env.PLATFORM }}
|
||
# BuildKit 缓存(推到 registry 作为缓存层,下次构建复用)
|
||
cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:buildcache
|
||
cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
|
||
tags: ${{ steps.meta.outputs.tags }}
|
||
labels: ${{ steps.meta.outputs.labels }}
|
||
# 推送(生产);注释掉此行可改为本地构建(PR 场景)
|
||
push: true
|
||
|
||
# 镜像安全扫描(可选:用 Trivy 检查已知 CVE)
|
||
scan:
|
||
name: vulnerability-scan
|
||
needs: build
|
||
runs-on: ubuntu-22.04
|
||
timeout-minutes: 10
|
||
continue-on-error: true # 扫描失败不阻塞流程
|
||
|
||
steps:
|
||
- name: Run Trivy vulnerability scanner
|
||
uses: aquasecurity/trivy-action@master
|
||
with:
|
||
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:latest
|
||
format: 'table'
|
||
exit-code: '0' # 仅报告不阻塞
|
||
ignore-unfixed: true
|
||
severity: 'CRITICAL,HIGH' |