From 1e86f0e2970281cca346fc6dd0ad997c79844ebf Mon Sep 17 00:00:00 2001 From: hotwa Date: Tue, 30 Sep 2025 16:07:48 +0800 Subject: [PATCH] change tag --- .gitea/workflows/build-and-push.yml | 82 +++++++++++++++++------------ 1 file changed, 49 insertions(+), 33 deletions(-) diff --git a/.gitea/workflows/build-and-push.yml b/.gitea/workflows/build-and-push.yml index 3cbdf62..09048c9 100644 --- a/.gitea/workflows/build-and-push.yml +++ b/.gitea/workflows/build-and-push.yml @@ -5,10 +5,10 @@ on: branches: [ main ] release: types: [ published ] - workflow_dispatch: # 手动触发 + workflow_dispatch: inputs: - image_tag: # 手动运行时可指定 TAG(留空则自动判断) - description: "Tag to push (default: branch/release name, else latest)" + image_tag: + description: "Tag to push (leave empty to use 'latest')" required: false default: "" 
@@ -19,49 +19,65 @@ jobs: - name: Checkout uses: actions/checkout@v3 - - name: Login to Aliyun ACR (non-interactive) + - name: Resolve TAG + id: meta env: - ACR_REGISTRY: ${{ secrets.ACR_REGISTRY }} # 例:registry.cn-hangzhou.aliyuncs.com 或 .registry.cn-hangzhou.aliyuncs.com - ACR_USERNAME: ${{ secrets.ACR_USERNAME }} # 例:主账号/ramuser@.onaliyun.com 或 命名空间Token名 - ACR_PASSWORD: ${{ secrets.ACR_PASSWORD }} # 例:固定密码 或 命名空间Token值 + INPUT_TAG: ${{ github.event.inputs.image_tag || '' }} run: | set -euo pipefail - # 检查 registry 形态 - case "$ACR_REGISTRY" in - http://*|https://*) echo "ACR_REGISTRY 不能带协议(http/https),只填域名"; exit 1;; - */*) echo "ACR_REGISTRY 不能带路径/斜杠"; exit 1;; - esac - # 打印可见但不过多泄露 - echo "REGISTRY=$ACR_REGISTRY USER_LEN=${#ACR_USERNAME} PASS_LEN=${#ACR_PASSWORD}" + # 仅两级:手动输入 > latest + TAG="${INPUT_TAG:-}" + if [ -z "$TAG" ]; then TAG="latest"; fi - # 清理旧凭据,避免缓存干扰 + # 规范化(可留可去,但推荐保留,防止手滑输非法字符) + TAG="$(printf '%s' "$TAG" \ + | tr '[:upper:]' '[:lower:]' \ + | sed -E 's#[^a-z0-9._-]#-#g; s#/+#-#g; s#^[.-]+##; s#[.-]+$##')" + TAG="${TAG:0:128}" + + echo "tag=$TAG" >> "$GITHUB_OUTPUT" + echo "Resolved TAG: $TAG" + + + - name: Login to Aliyun ACR + env: + ACR_REGISTRY: ${{ secrets.ACR_REGISTRY }} + ACR_USERNAME: ${{ secrets.ACR_USERNAME }} + ACR_PASSWORD: ${{ secrets.ACR_PASSWORD }} + run: | + set -euo pipefail docker logout "$ACR_REGISTRY" || true - - # 探测连通性(401 正常) - curl -sSIL "https://${ACR_REGISTRY}/v2/" || true - - # 非交互式登录 echo "$ACR_PASSWORD" | docker login "$ACR_REGISTRY" \ --username "$ACR_USERNAME" --password-stdin - - name: Build Docker Image + env: + REGISTRY: ${{ secrets.ACR_REGISTRY }} + NAMESPACE: ${{ secrets.ACR_NAMESPACE }} + IMAGE: ${{ secrets.ACR_REGISTRY }}/${{ secrets.ACR_NAMESPACE }}/${{ vars.IMAGE_NAME }} + TAG: ${{ steps.meta.outputs.tag }} run: | - IMAGE=${{ secrets.ACR_REGISTRY }}/${{ secrets.ACR_NAMESPACE }}/myapp + set -euo pipefail + echo "Building ${IMAGE}:${TAG}" + docker build -t "${IMAGE}:${TAG}" -f docker/Dockerfile . 
- # 优先用手动输入的 image_tag;否则用分支/发布名;再否则用 latest - TAG="${{ github.event.inputs.image_tag }}" - if [ -z "$TAG" ]; then TAG="${GITHUB_REF_NAME:-latest}"; fi - - echo "Building $IMAGE:$TAG" - docker build -t "$IMAGE:$TAG" -f docker/Dockerfile . + # 可选:在 main 或 release 时同时打 latest + if [ "${{ github.event_name }}" = "release" ] || [ "${{ github.ref_name }}" = "main" ]; then + docker tag "${IMAGE}:${TAG}" "${IMAGE}:latest" + fi - name: Push Docker Image + env: + IMAGE: ${{ secrets.ACR_REGISTRY }}/${{ secrets.ACR_NAMESPACE }}/${{ vars.IMAGE_NAME }} + TAG: ${{ steps.meta.outputs.tag }} run: | - IMAGE=${{ secrets.ACR_REGISTRY }}/${{ secrets.ACR_NAMESPACE }}/myapp - TAG="${{ github.event.inputs.image_tag }}" - if [ -z "$TAG" ]; then TAG="${GITHUB_REF_NAME:-latest}"; fi + set -euo pipefail + echo "Pushing ${IMAGE}:${TAG}" + docker push "${IMAGE}:${TAG}" - echo "Pushing $IMAGE:$TAG" - docker push "$IMAGE:$TAG" + # 如果上一步给了 latest,这里一并推 + if docker image inspect "${IMAGE}:latest" > /dev/null 2>&1; then + echo "Pushing ${IMAGE}:latest" + docker push "${IMAGE}:latest" + fi
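Review bot: In the Build step's run script, `${{ github.event_name }}` and `${{ github.ref_name }}` are expanded into the shell text before it runs, so a branch or tag name containing quotes or `$(...)` becomes part of the script; this is the same pattern the commit removes for `image_tag` by moving it into `env`. Compare the runner-provided variables instead (the removed code already relied on `GITHUB_REF_NAME`): `if [ "${GITHUB_EVENT_NAME:-}" = "release" ] || [ "${GITHUB_REF_NAME:-}" = "main" ]; then`. In the Push step, `docker image inspect "${IMAGE}:latest"` reads local daemon state, so on a runner that keeps images between jobs (an assumption, the runner setup is not visible here) a leftover `latest` from an earlier build could be pushed over the registry's `latest` during a manual-tag run; repeating the event/ref condition there instead of inspecting avoids that. In Resolve TAG, an input made only of `.` and `-` normalizes to an empty string and the build then fails on `${IMAGE}:`, so add `[ -n "$TAG" ] || TAG="latest"` after the `sed` pipeline.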