gogs/.github/workflows/docker.yml

name: Docker
on:
  push:
    branches:
      - main
  pull_request:
    paths:
      - '.trivy.yaml'
      - 'Dockerfile'
      - 'Dockerfile.next'
      - 'docker/**'
      - 'docker-next/**'
      - '.github/workflows/docker.yml'
  release:
    types: [ published ]

jobs:
  buildx:
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'gogs/gogs' }}
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}
      cancel-in-progress: true
    runs-on: ubuntu-latest
    permissions:
      actions: write
      contents: read
      packages: write
    steps:
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
        with:
          platforms: linux/amd64,linux/arm64,linux/arm/v7
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Inspect builder
        run: |
          echo "Name:      ${{ steps.buildx.outputs.name }}"
          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
          echo "Status:    ${{ steps.buildx.outputs.status }}"
          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
      - name: Login to Docker Hub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GitHub Container registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push images
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/arm/v7
          push: true
          tags: |
            gogs/gogs:latest
            ghcr.io/gogs/gogs:latest
      - name: Scan for container vulnerabilities
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: gogs/gogs:latest
          exit-code: '1'
      - name: Send email on failure
        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
        if: ${{ failure() }}
        with:
          smtp_username: ${{ secrets.SMTP_USERNAME }}
          smtp_password: ${{ secrets.SMTP_PASSWORD }}

  buildx-next:
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'gogs/gogs' }}
    concurrency:
      group: ${{ github.workflow }}-next-${{ github.ref }}
      cancel-in-progress: true
    runs-on: ubuntu-latest
    permissions:
      actions: write
      contents: read
      packages: write
    steps:
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
        with:
          platforms: linux/amd64,linux/arm64,linux/arm/v7
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Inspect builder
        run: |
          echo "Name:      ${{ steps.buildx.outputs.name }}"
          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
          echo "Status:    ${{ steps.buildx.outputs.status }}"
          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
      - name: Login to Docker Hub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GitHub Container registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to DigitalOcean Container registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: registry.digitalocean.com
          username: ${{ secrets.DIGITALOCEAN_USERNAME }}
          password: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
      - name: Build and push next-gen images
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          file: Dockerfile.next
          platforms: linux/amd64,linux/arm64,linux/arm/v7
          push: true
          tags: |
            gogs/gogs:next-latest
            ghcr.io/gogs/gogs:next-latest
            registry.digitalocean.com/gogs/gogs:next-latest
      - name: Scan for container vulnerabilities
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: gogs/gogs:next-latest
          exit-code: '1'
      - name: Send email on failure
        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
        if: ${{ failure() }}
        with:
          smtp_username: ${{ secrets.SMTP_USERNAME }}
          smtp_password: ${{ secrets.SMTP_PASSWORD }}

  deploy-demo:
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'gogs/gogs' }}
    needs: buildx-next
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Configure kubectl
        run: |
          mkdir -p ~/.kube
          echo "${KUBECONFIG}" | base64 -d > ~/.kube/config
        env:
          KUBECONFIG: ${{ secrets.DIGITALOCEAN_K8S_CLUSTER_KUBECONFIG }}
      - name: Restart gogs-demo deployment
        timeout-minutes: 5
        run: |
          set -ex
          kubectl rollout restart deployment gogs-demo -n gogs
          kubectl rollout status deployment gogs-demo -n gogs
      - name: Send email on failure
        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
        if: ${{ failure() }}
        with:
          smtp_username: ${{ secrets.SMTP_USERNAME }}
          smtp_password: ${{ secrets.SMTP_PASSWORD }}

  buildx-pull-request:
    if: ${{ github.event_name == 'pull_request'}}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
        with:
          config-inline: |
            [worker.oci]
              max-parallelism = 2
      - name: Inspect builder
        run: |
          echo "Name:      ${{ steps.buildx.outputs.name }}"
          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
          echo "Status:    ${{ steps.buildx.outputs.status }}"
          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
      - name: Compute short commit SHA
        id: short-sha
        uses: benjlevesque/short-sha@599815c8ee942a9616c92bcfb4f947a3b670ab0b # v3.0
      - name: Build and push images
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          platforms: linux/amd64
          push: true
          tags: |
            ttl.sh/gogs/gogs-${{ steps.short-sha.outputs.sha }}:7d
      - name: Scan for container vulnerabilities
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: ttl.sh/gogs/gogs-${{ steps.short-sha.outputs.sha }}:7d
          exit-code: '1'

  buildx-next-pull-request:
    if: ${{ github.event_name == 'pull_request'}}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
        with:
          config-inline: |
            [worker.oci]
              max-parallelism = 2
      - name: Inspect builder
        run: |
          echo "Name:      ${{ steps.buildx.outputs.name }}"
          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
          echo "Status:    ${{ steps.buildx.outputs.status }}"
          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
      - name: Compute short commit SHA
        id: short-sha
        uses: benjlevesque/short-sha@599815c8ee942a9616c92bcfb4f947a3b670ab0b # v3.0
      - name: Build and push next-gen images
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          file: Dockerfile.next
          platforms: linux/amd64
          push: true
          tags: |
            ttl.sh/gogs/gogs-next-${{ steps.short-sha.outputs.sha }}:7d
      - name: Scan for container vulnerabilities
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: ttl.sh/gogs/gogs-next-${{ steps.short-sha.outputs.sha }}:7d
          exit-code: '1'

  # Updates to the following section needs to be synced to all release branches within their lifecycles.
  buildx-release:
    if: ${{ github.event_name == 'release' }}
    runs-on: ubuntu-latest
    permissions:
      actions: write
      contents: read
      packages: write
    steps:
      - name: Compute image tags
        run: |
          IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -c 2-)
          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV

          TAGS="gogs/gogs:$IMAGE_TAG
          ghcr.io/gogs/gogs:$IMAGE_TAG"

          # Add minor version tag for stable releases (no prerelease suffix per semver).
          if [[ ! "$IMAGE_TAG" =~ - ]]; then
            MINOR_TAG=$(echo "$IMAGE_TAG" | cut -d. -f1,2)
            TAGS="$TAGS
          gogs/gogs:$MINOR_TAG
          ghcr.io/gogs/gogs:$MINOR_TAG"
          fi

          echo "TAGS<<EOF" >> $GITHUB_ENV
          echo "$TAGS" >> $GITHUB_ENV
          echo "EOF" >> $GITHUB_ENV
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
        with:
          platforms: linux/amd64,linux/arm64,linux/arm/v7
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Inspect builder
        run: |
          echo "Name:      ${{ steps.buildx.outputs.name }}"
          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
          echo "Status:    ${{ steps.buildx.outputs.status }}"
          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
      - name: Login to Docker Hub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GitHub Container registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push images
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/arm/v7
          push: true
          tags: ${{ env.TAGS }}
      - name: Send email on failure
        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
        if: ${{ failure() }}
        with:
          smtp_username: ${{ secrets.SMTP_USERNAME }}
          smtp_password: ${{ secrets.SMTP_PASSWORD }}

  # Updates to the following section needs to be synced to all release branches within their lifecycles.
  buildx-next-release:
    if: ${{ github.event_name == 'release' }}
    runs-on: ubuntu-latest
    permissions:
      actions: write
      contents: read
      packages: write
    steps:
      - name: Compute image tags
        run: |
          IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -c 2-)
          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV

          TAGS="gogs/gogs:next-$IMAGE_TAG
          ghcr.io/gogs/gogs:next-$IMAGE_TAG"

          # Add minor version tag for stable releases (no prerelease suffix per semver).
          if [[ ! "$IMAGE_TAG" =~ - ]]; then
            MINOR_TAG=$(echo "$IMAGE_TAG" | cut -d. -f1,2)
            TAGS="$TAGS
          gogs/gogs:next-$MINOR_TAG
          ghcr.io/gogs/gogs:next-$MINOR_TAG"
          fi

          echo "TAGS<<EOF" >> $GITHUB_ENV
          echo "$TAGS" >> $GITHUB_ENV
          echo "EOF" >> $GITHUB_ENV
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
        with:
          platforms: linux/amd64,linux/arm64,linux/arm/v7
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Inspect builder
        run: |
          echo "Name:      ${{ steps.buildx.outputs.name }}"
          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
          echo "Status:    ${{ steps.buildx.outputs.status }}"
          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
      - name: Login to Docker Hub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GitHub Container registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push next-gen images
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          file: Dockerfile.next
          platforms: linux/amd64,linux/arm64,linux/arm/v7
          push: true
          tags: ${{ env.TAGS }}
      - name: Send email on failure
        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
        if: ${{ failure() }}
        with:
          smtp_username: ${{ secrets.SMTP_USERNAME }}
          smtp_password: ${{ secrets.SMTP_PASSWORD }}

  digitalocean-gc:
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'gogs/gogs' }}
    needs: buildx-next
    permissions:
      contents: read
    uses: ./.github/workflows/digitalocean_gc.yml
    secrets: inherit

  digitalocean-gc-pull-request:
    if: ${{ github.event_name == 'pull_request' && github.repository == 'gogs/gogs' }}
    needs: buildx-next-pull-request
    permissions:
      contents: read
    uses: ./.github/workflows/digitalocean_gc.yml
    secrets: inherit