rustfs-s3-toolkit/.gitea/workflows/build-and-push.yml

name: Build and Push to ACR

on:
  push:
    branches: [ main ]
  release:
    types: [ published ]
  workflow_dispatch:
    inputs:
      image_tag:
        description: "Tag to push (leave empty to use 'latest')"
        required: false
        default: ""

jobs:
  docker:
    runs-on: [buildx]   # 你的 runner 标签；如不需要可改成 ubuntu-latest 等
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      # 只两级：手动输入 > latest
      - name: Resolve TAG
        id: meta
        env:
          INPUT_TAG: ${{ github.event.inputs.image_tag || '' }}
        run: |
          set -euo pipefail
          TAG="${INPUT_TAG:-latest}"
          # 规范化，避免无效字符
          TAG="$(printf '%s' "$TAG" | tr '[:upper:]' '[:lower:]' | sed -E 's#[^a-z0-9._-]#-#g; s#/+#-#g; s#^[.-]+##; s#[.-]+$##')"
          TAG="${TAG:0:128}"
          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
          echo "Resolved TAG: $TAG"

      - name: Login to Aliyun ACR
        env:
          ACR_REGISTRY:  ${{ secrets.ACR_REGISTRY }}
          ACR_USERNAME:  ${{ secrets.ACR_USERNAME }}
          ACR_PASSWORD:  ${{ secrets.ACR_PASSWORD }}
        run: |
          set -euo pipefail
          docker logout "$ACR_REGISTRY" || true
          echo "$ACR_PASSWORD" | docker login "$ACR_REGISTRY" --username "$ACR_USERNAME" --password-stdin

      - name: Start v2ray-client (write + assert + verify + run + logs)
        env:
          V2RAY_JSON: ${{ secrets.V2RAY_JSON }}
          SOCKS_PORT: "11080"
          HTTP_PORT:  "18080"
        run: |
          set -euo pipefail

          # 0) 强校验 Secret 是否非空
          if [ -z "${V2RAY_JSON:-}" ]; then
            echo "ERROR: V2RAY_JSON is empty or not set." >&2
            exit 1
          fi

          # 1) 写配置
          mkdir -p "${GITHUB_WORKSPACE}/v2ray"
          printf '%s' "$V2RAY_JSON" > "${GITHUB_WORKSPACE}/v2ray/config.json"
          command -v jq >/dev/null 2>&1 && jq . "${GITHUB_WORKSPACE}/v2ray/config.json" >/dev/null

          # 2) 强制端口为 11080/18080（与 BuildKit http_proxy 保持一致）
          if command -v jq >/dev/null 2>&1; then
            jq --argjson sp "$SOCKS_PORT" --argjson hp "$HTTP_PORT" \
              '.inbounds |= map(
                if .protocol=="socks" and .port then .port=$sp
                else if .protocol=="http" and .port then .port=$hp
                else . end end
              )' "${GITHUB_WORKSPACE}/v2ray/config.json" \
              > "${GITHUB_WORKSPACE}/v2ray/config.tmp" && mv "${GITHUB_WORKSPACE}/v2ray/config.tmp" "${GITHUB_WORKSPACE}/v2ray/config.json"
          fi

          # 3) 容器内可见性检查（注意：去掉了 ,z）
          docker run --rm \
            --network host \
            --mount type=bind,src=${GITHUB_WORKSPACE}/v2ray,dst=/etc/v2ray,readonly \
            --entrypoint sh \
            v2fly/v2fly-core:latest \
            -lc 'echo "== inside container =="; ls -l /etc/v2ray; echo "---"; head -n2 /etc/v2ray/config.json || true'

          # 4) 启动（注意：去掉了 ,z）
          docker rm -f v2ray-client >/dev/null 2>&1 || true
          docker run -d --name v2ray-client \
            --network host \
            --mount type=bind,src=${GITHUB_WORKSPACE}/v2ray,dst=/etc/v2ray,readonly \
            v2fly/v2fly-core:latest \
            run -c /etc/v2ray/config.json

          # 5) 健康检查 + 日志
          sleep 1
          if [ "$(docker inspect -f '{{.State.Running}}' v2ray-client 2>/dev/null)" != "true" ]; then
            echo "== v2ray-client exited; logs =="
            docker logs v2ray-client || true
            exit 1
          fi

          docker inspect -f '{{range .Mounts}}{{println .Type " " .Source "->" .Destination}}{{end}}' v2ray-client


      - name: Build Docker Image (host network; no Dockerfile change)
        env:
          IMAGE: ${{ secrets.ACR_REGISTRY }}/${{ secrets.ACR_NAMESPACE }}/${{ vars.IMAGE_NAME }}
          TAG:   ${{ steps.meta.outputs.tag }}
        run: |
          set -euo pipefail

          docker buildx rm ci-builder >/dev/null 2>&1 || true
          docker buildx create \
            --name ci-builder --use \
            --driver docker-container \
            --driver-opt network=host \
            --driver-opt env.http_proxy=http://127.0.0.1:18080,env.https_proxy=http://127.0.0.1:18080 \
            --buildkitd-flags '--allow-insecure-entitlement network.host' \
            >/dev/null

          echo "Building ${IMAGE}:${TAG}"
          docker buildx build \
            --builder ci-builder \
            --network=host \
            --progress=plain \
            --load \
            -t "${IMAGE}:${TAG}" -f docker/Dockerfile .

      - name: Stop v2ray-client
        if: always()   # 确保出错也能清理
        run: |
          set -euo pipefail
          docker rm -f v2ray-client || true
          rm -rf "${GITHUB_WORKSPACE}/v2ray-client.json"

      - name: Push Docker Image
        env:
          IMAGE: ${{ secrets.ACR_REGISTRY }}/${{ secrets.ACR_NAMESPACE }}/${{ vars.IMAGE_NAME }}
          TAG:   ${{ steps.meta.outputs.tag }}
        run: |
          set -euo pipefail
          echo "Pushing ${IMAGE}:${TAG}"
          docker push "${IMAGE}:${TAG}"

          if docker image inspect "${IMAGE}:latest" > /dev/null 2>&1; then
            echo "Pushing ${IMAGE}:latest"
            docker push "${IMAGE}:latest"
          fi