super-productivity/.github/workflows/supersync-docker.yml
dependabot[bot] 03aee68fba
chore(deps)(deps): bump actions/checkout from 5 to 7 (#8536)
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](https://github.com/actions/checkout/compare/v5...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-22 12:18:31 +02:00

106 lines
3.3 KiB
YAML

name: Build and Push SuperSync Docker Image
on:
push:
branches:
- master
paths:
- '.dockerignore'
- '.github/workflows/supersync-docker.yml'
- 'package.json'
- 'package-lock.json'
- 'packages/shared-schema/**'
- 'packages/sync-core/**'
- 'packages/super-sync-server/**'
workflow_dispatch:
inputs:
no_cache:
description: 'Build without cache'
required: false
type: boolean
default: true
jobs:
build-and-push:
name: Build and Push to GHCR
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
allowed-endpoints: >
api.github.com:443
github.com:443
ghcr.io:443
registry.npmjs.org:443
objects.githubusercontent.com:443
- name: Check out the repo
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
with:
fetch-depth: 0
persist-credentials: false
- name: Reconfigure git to use HTTP authentication
run: >
git config --global url."https://github.com/".insteadOf
ssh://git@github.com/
- name: Log in to GitHub Container Registry
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags)
id: meta
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9
with:
images: ghcr.io/super-productivity/supersync
tags: |
type=raw,value=latest
type=sha,prefix={{branch}}-
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
- name: Resolve image source revision
id: source-ref
shell: bash
run: |
revision="$(git log -1 --format=%H -- \
.dockerignore \
.github/workflows/supersync-docker.yml \
package.json \
package-lock.json \
packages/shared-schema \
packages/sync-core \
packages/super-sync-server)"
if [ -z "$revision" ]; then
echo "Could not resolve SuperSync image source revision" >&2
exit 1
fi
echo "revision=$revision" >> "$GITHUB_OUTPUT"
- name: Build and push Docker image
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
with:
context: .
file: ./packages/super-sync-server/Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
build-args: |
VCS_REF=${{ steps.source-ref.outputs.revision }}
no-cache: ${{ github.event_name == 'workflow_dispatch' && inputs.no_cache || false }}
platforms: linux/amd64
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Image digest
run: echo "Image pushed with digest ${{ steps.meta.outputs.tags }}"