github ci fix attempt, speedup docker build on CI

2026-03-17 23:03:49 +01:00 · 2024-09-25 10:46:45 +08:00
parent 33fb60a32d
commit 4ee5383f7d
2 changed files with 42 additions and 15 deletions
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -11,6 +11,13 @@ jobs:
    build:
        name: Build multi-platform Docker image
        runs-on: ubuntu-latest
+
+        permissions:
+            contents: read
+            packages: write
+            id-token: write
+            attestations: write
+
        strategy:
            fail-fast: false
            matrix:
@@ -40,7 +47,7 @@ jobs:
            - name: Login to registry
              uses: docker/login-action@v3
              with:
-                  registry: ghcr.io
+                  registry: ${{ env.REGISTRY }}
                  username: ${{ github.actor }}
                  password: ${{ secrets.GITHUB_TOKEN }}

@@ -54,6 +61,13 @@ jobs:
                  cache-from: type=gha
                  cache-to: type=gha,mode=max

+            - name: Generate artifact attestation
+              uses: actions/attest-build-provenance@v1
+              with:
+                  subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+                  subject-digest: ${{ steps.build.outputs.digest }}
+                  push-to-registry: true
+
            - name: Export digest
              run: |
                  mkdir -p /tmp/digests
@@ -71,6 +85,10 @@ jobs:
        runs-on: ubuntu-latest
        needs:
            - build
+        permissions:
+            contents: read
+            packages: write
+            id-token: write
        steps:
            - name: Download digests
              uses: actions/download-artifact@v4
@@ -91,6 +109,7 @@ jobs:
            - name: Login to registry
              uses: docker/login-action@v3
              with:
+                  registry: ${{ env.REGISTRY }}
                  username: ${{ github.actor }}
                  password: ${{ secrets.GITHUB_TOKEN }}

@@ -101,13 +120,6 @@ jobs:
                  docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
                    $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)

-            - name: Generate artifact attestation
-              uses: actions/attest-build-provenance@v1
-              with:
-                  subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
-                  subject-digest: ${{ steps.push.outputs.digest }}
-                  push-to-registry: true
-
            - name: Inspect image
              run: |
                  docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}