diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 1e7a618097..1448f5621c 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,46 +1,96 @@ -name: "Build Docker Image" +name: Docker + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. on: push: - tags: - - app/v*.*.* + branches: [ "master" ] + # Publish semver tags as releases. + tags: [ 'v*.*.*' ] + +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + jobs: - docker: + build: + runs-on: ubuntu-latest - env: - ACTIONS_ALLOW_UNSECURE_COMMANDS: true + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write steps: - - name: Check out - uses: actions/checkout@v4 - - - name: Get version - id: get_version - run: echo "version=$(git describe --tags --always --match 'app/v*' | sed -n 's|app/\([^/-]*\)\(-.*\)\{0,1\}|\1|p')" >> $GITHUB_OUTPUT + - name: Checkout repository + uses: actions/checkout@v3 - name: Set up QEMU uses: docker/setup-qemu-action@v3 + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + with: + cosign-release: 'v2.1.1' + # Set up BuildKit Docker container builder to be able to build + # multi-platform images and export cache + # https://github.com/docker/setup-buildx-action - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} 
- - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GHCR_TOKEN }} + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Get version + id: get_version + run: echo "version=$(git describe --tags --always)" >> $GITHUB_OUTPUT - - name: Build and push - id: docker_build - uses: docker/build-push-action@v5 + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 with: context: . push: true platforms: linux/amd64,linux/arm64 - tags: cedar2025/hysteria:latest,cedar2025/hysteria:v2b,cedar2025/hysteria:v2b-${{ steps.get_version.outputs.version }} - - - name: Image digest - run: echo ${{ steps.docker_build.outputs.digest }} + tags: ${{ env.REGISTRY }}/cedar2025/hysteria:latest,${{ env.REGISTRY }}/cedar2025/hysteria,${{ env.REGISTRY }}/cedar2025/hysteria:${{ steps.get_version.outputs.version }} + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. 
+ # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml deleted file mode 100644 index 644d3a3e64..0000000000 --- a/.github/workflows/master.yml +++ /dev/null @@ -1,52 +0,0 @@ -name: "Build master branch" - -on: - push: - branches: - - master - -jobs: - build: - name: Build - runs-on: ubuntu-latest - env: - ACTIONS_ALLOW_UNSECURE_COMMANDS: true - - steps: - - name: Check out - uses: actions/checkout@v4 - - - name: Setup Go - uses: actions/setup-go@v4 - with: - go-version: "1.21" - - - name: Setup Python # This is for the build script - uses: actions/setup-python@v4 - with: - python-version: "3.11" - - - uses: nttld/setup-ndk@v1 - id: setup-ndk - with: - ndk-version: r26b - add-to-path: false - - - name: Run build script - env: - ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }} - run: | - export HY_APP_PLATFORMS=$(sed 's/\r$//' platforms.txt | awk '!/^#/ && !/^$/' | paste -sd ",") - python hyperbole.py build -r - - - name: Generate hashes - run: | - for file in build/*; do - sha256sum $file >> build/hashes.txt - done - - - name: Archive - uses: actions/upload-artifact@v3 - with: - name: hysteria-master-${{ github.sha }} - path: build diff --git a/.github/workflows/scripts.yml b/.github/workflows/scripts.yml deleted file mode 100644 index 6e38848b9a..0000000000 --- a/.github/workflows/scripts.yml +++ /dev/null 
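Review bot: The image that is pushed and the image that is signed are different references: `build-push-action` is given hard-coded tags under `ghcr.io/cedar2025/hysteria`, while the cosign step signs `${TAGS}` taken from `steps.meta.outputs.tags`, which metadata-action derives from `IMAGE_NAME: ${{ github.repository }}`. Unless this repository is literally `cedar2025/hysteria` (the README hunk further down pulls `ghcr.io/cedar2025/xboard`, which suggests it is not), cosign will try to sign `ghcr.io/<owner>/<repo>:<tag>@<digest>`, a reference that was never pushed, so the step should fail to resolve it and the published `hysteria` images remain unsigned — the new `id-token: write` grant and the Fulcio identity buy nothing. Drive both steps from one source, `tags: ${{ steps.meta.outputs.tags }}` plus `labels: ${{ steps.meta.outputs.labels }}`, or set `IMAGE_NAME: cedar2025/hysteria` so `steps.meta` and the push agree; the bare `${{ env.REGISTRY }}/cedar2025/hysteria` entry is also just a duplicate of `:latest`. On supply-chain hygiene, `actions/checkout@v3` (a downgrade from `v4`) and `docker/setup-qemu-action@v3` are the only mutable-tag references left after the rest of the hunk was pinned to commit SHAs, and should be pinned the same way. Separately, `actions/checkout` defaults to `fetch-depth: 1` with no tags, so `git describe --tags --always` will usually yield a short commit SHA rather than a version; add `fetch-depth: 0` (or `fetch-tags: true`) to the checkout step if the version tag is meant to be meaningful.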
@@ -1,29 +0,0 @@ -name: "Publish scripts" - -on: - push: - branches: - - master - paths: - - scripts/** - -jobs: - publish: - runs-on: ubuntu-latest - permissions: - contents: read - deployments: write - name: Publish scripts to Cloudflare Pages - steps: - - name: Check out - uses: actions/checkout@v4 - - - name: Publish to Cloudflare Pages - uses: cloudflare/pages-action@v1 - with: - apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} - accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} - projectName: hy2scripts - directory: scripts - gitHubToken: ${{ secrets.GITHUB_TOKEN }} - branch: main diff --git a/.gitignore b/.gitignore index 958549b2ad..f672532639 100644 --- a/.gitignore +++ b/.gitignore @@ -467,4 +467,6 @@ $RECYCLE.BIN/ # Windows shortcuts *.lnk -# End of https://www.toptal.com/developers/gitignore/api/goland+all,intellij+all,go,windows,linux,macos,python,pycharm+all \ No newline at end of file +# End of https://www.toptal.com/developers/gitignore/api/goland+all,intellij+all,go,windows,linux,macos,python,pycharm+all + +build-release \ No newline at end of file diff --git a/README.md b/README.md index 37616b03d8..99c452aab9 100644 --- a/README.md +++ b/README.md @@ -36,5 +36,5 @@ acl: ### docker 仓库 ``` -docker pull cedar2026/hysteria2-v2b:1.0.2 +docker pull ghcr.io/cedar2025/xboard:latest ``` \ No newline at end of file