Files
matrix/.gitea/workflows/build-image.yml
T
Matrix Music Bot Dev 9e62e995a9
build-and-push-image / build-push (push) Has been cancelled
build-and-push-image / vulnerability-scan (push) Has been cancelled
ci: 修复 Gitea Actions runner 标签(ubuntu-latest → self-hosted)
问题:job 一直显示"等待中"
原因:Gitea Actions runner 注册时默认使用自定义标签(self-hosted),
     而非 GitHub Actions 约定的 ubuntu-latest
报错:没有匹配 ubuntu-latest 标签的在线运行器

修复:runs-on 从 ubuntu-latest 改为 self-hosted
  - build-push job
  - vulnerability-scan job

如果 runner 注册时用了其它标签(如 docker / linux / 自定义名字),
仍可调整。修改方法:编辑此 workflow 文件的 runs-on 行。
2026-07-03 00:11:08 +08:00

132 lines
5.1 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Gitea Actions workflow:构建并推送 Docker 镜像到 Gitea Container Registry
#
# 触发条件:push 到 master/main
# 镜像标签:latest + git short SHA
# 目标架构:linux/amd64v1 简化)
# Registryhttp://192.168.6.200:3080 的 Gitea 内置 Container Registry
#
# 前置要求:
# 1. Gitea 实例已开启 Container Registrypackages 功能)
# 2. 仓库已注册一个 Gitea Actions runner(带 docker 能力)
# 3. 仓库设置 → Actions → Secrets 无需手动配置
# (本 workflow 使用 Gitea 内置的 ${{ gitea.token }} 自动认证)
name: build-and-push-image
on:
push:
branches:
- master
- main
# 排除 tag 推送触发的版本构建(后续可加 on: push: tags 单独 workflow
tags-ignore: 'v*'
# 避免重复构建:同时 push 到 master 多 commit 时只跑最新一次
concurrency:
group: build-image-${{ gitea.ref }}
cancel-in-progress: true
env:
# Gitea Container Registry 地址
# 默认推断规则:${{ gitea.server_url }}/${{ gitea.repository }}/packages/container/<image>
# 例如:http://192.168.6.200:3080/1076code/matrix/packages/container/matrix-music-bot
REGISTRY: ${{ gitea.server_url }}
IMAGE_NAMESPACE: ${{ gitea.repository_owner }}
IMAGE_NAME: matrix-music-bot
# 单架构构建(v1 简化;如需 arm64 改为 linux/amd64,linux/arm64
PLATFORM: linux/amd64
jobs:
build:
name: build-push
runs-on: self-hosted # Gitea runner 默认标签(act_runner 注册时未指定 --labels 时)
timeout-minutes: 30
steps:
# 1. 检出源码
- name: Checkout
uses: actions/checkout@v4
# 2. 安装 Rust 工具链(用于 cache key 计算 + 编译期校验)
# 注:实际编译在 Docker 内进行,此处仅用于 cache 命中率
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
# 3. 缓存 Cargo registry / target 目录(加速依赖解析,可选)
# 如未安装 Swatinem/rust-cache action,可改用 actions/cache@v4
- name: Cache cargo registry
uses: Swatinem/rust-cache@v2
with:
cache-on-failure: true
# 4. 验证 Cargo.lock 一致性(防止 manifest 漂移)
# 注意:此步骤在宿主 runner 上跑,需与 Dockerfile 内编译一致;
# 如果 Gitea runner 是 linux/amd64 而 Dockerfile 也是 debian-bookworm 则一致
- name: Verify Cargo.lock is up to date
run: |
cargo metadata --format-version 1 --no-deps > /dev/null
# 简易 sanity check:能解析 manifest 即可
# 5. 设置 Docker Buildx(启用 BuildKit 缓存)
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
# 6. 登录 Gitea Container Registry
# 用 Gitea 内置 token(每个 workflow run 自动生成)
- name: Login to Gitea Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ gitea.actor }}
password: ${{ gitea.token }}
# 7. 提取元数据(自动生成标签)
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
# tags: latest + sha 短哈希
tags: |
type=raw,value=latest
type=sha,format=short
# 镜像标签 labels(用 OCI 标准)
labels: |
org.opencontainers.image.title=matrix-music-bot
org.opencontainers.image.description=Element Call 加密房间中的点歌机器人
org.opencontainers.image.source=${{ gitea.server_url }}/${{ gitea.repository }}
org.opencontainers.image.licenses=MIT
org.opencontainers.image.vendor=1076code
# 8. 构建并推送镜像
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
platforms: ${{ env.PLATFORM }}
# BuildKit 缓存(推到 registry 作为缓存层,下次构建复用)
cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:buildcache
cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# 推送(生产);注释掉此行可改为本地构建(PR 场景)
push: true
# 镜像安全扫描(可选:用 Trivy 检查已知 CVE)
scan:
name: vulnerability-scan
needs: build
runs-on: self-hosted
timeout-minutes: 10
continue-on-error: true # 扫描失败不阻塞流程
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:latest
format: 'table'
exit-code: '0' # 仅报告不阻塞
ignore-unfixed: true
severity: 'CRITICAL,HIGH'