From 952202139bc24be9b96579d7c4fd061990dcb913 Mon Sep 17 00:00:00 2001 From: hotwa Date: Tue, 30 Sep 2025 18:10:46 +0800 Subject: [PATCH] use buildx host mode --- .gitea/workflows/build-and-push.yml | 106 +++++++++------------------- 1 file changed, 32 insertions(+), 74 deletions(-) diff --git a/.gitea/workflows/build-and-push.yml b/.gitea/workflows/build-and-push.yml index 2b6ea20..7edef9b 100644 --- a/.gitea/workflows/build-and-push.yml +++ b/.gitea/workflows/build-and-push.yml @@ -11,39 +11,27 @@ on: description: "Tag to push (leave empty to use 'latest')" required: false default: "" - also_latest: - description: "Also tag & push :latest when a custom tag is provided" - required: false - default: "false" jobs: docker: - runs-on: [buildx] - + runs-on: [buildx] # 你的 runner 标签;如不需要可改成 ubuntu-latest 等 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v3 + # 只两级:手动输入 > latest - name: Resolve TAG id: meta env: - INPUT_TAG: ${{ github.event.inputs.image_tag || '' }} - ALSO_LATEST: ${{ github.event.inputs.also_latest || 'false' }} + INPUT_TAG: ${{ github.event.inputs.image_tag || '' }} run: | set -euo pipefail - - TAG="${INPUT_TAG:-}" - if [ -z "$TAG" ]; then TAG="latest"; fi - - # 规范化 - TAG="$(printf '%s' "$TAG" \ - | tr '[:upper:]' '[:lower:]' \ - | sed -E 's#[^a-z0-9._-]#-#g; s#/+#-#g; s#^[.-]+##; s#[.-]+$##')" + TAG="${INPUT_TAG:-latest}" + # 规范化,避免无效字符 + TAG="$(printf '%s' "$TAG" | tr '[:upper:]' '[:lower:]' | sed -E 's#[^a-z0-9._-]#-#g; s#/+#-#g; s#^[.-]+##; s#[.-]+$##')" TAG="${TAG:0:128}" - echo "tag=$TAG" >> "$GITHUB_OUTPUT" - echo "also_latest=${ALSO_LATEST}" >> "$GITHUB_OUTPUT" - echo "Resolved TAG: $TAG, also_latest: ${ALSO_LATEST}" + echo "Resolved TAG: $TAG" - name: Login to Aliyun ACR env: @@ -53,80 +41,50 @@ jobs: run: | set -euo pipefail docker logout "$ACR_REGISTRY" || true - echo "$ACR_PASSWORD" | docker login "$ACR_REGISTRY" \ - --username "$ACR_USERNAME" --password-stdin + echo "$ACR_PASSWORD" | docker login "$ACR_REGISTRY" --username "$ACR_USERNAME" --password-stdin - # 可选:清理历史 builder,避免同名冲突 - - name: Cleanup old builder (optional) - run: docker buildx rm bk-proxy 2>/dev/null || true - - # 起用于构建的代理(compose 里带 profiles: ["build"]) - - name: Start proxy (compose profile build) - run: | - docker compose -f docker/compose.proxy.yml --profile build up -d --wait proxy - # 双保险再探测一次,避免刚好切换配置/订阅时返回 200 但还没就绪 - for i in $(seq 1 30); do - if curl -sf http://127.0.0.1:9090/version >/dev/null; then - break - fi - sleep 1 - done - - # 创建 buildx(buildkitd 挂到 buildnet,自身也走 proxy) - - name: Create & use buildx in buildnet (with proxy) - run: | - docker buildx create \ - --name bk-proxy \ - --driver docker-container \ - --driver-opt network=buildnet \ - --driver-opt env.http_proxy=http://build_proxy:7890 \ - --driver-opt env.https_proxy=http://build_proxy:7890 \ - --use - docker buildx inspect --bootstrap - - # 构建镜像(通过容器代理) - - name: Build Docker Image (via container proxy) + - name: Build Docker Image (host network; no Dockerfile change) env: IMAGE: ${{ secrets.ACR_REGISTRY }}/${{ secrets.ACR_NAMESPACE }}/${{ vars.IMAGE_NAME }} TAG: ${{ steps.meta.outputs.tag }} - ALSO_LATEST: ${{ steps.meta.outputs.also_latest }} run: | set -euo pipefail - # 构建时如需要“同时打 latest”,这里顺带加一个 tag(仅当 TAG 不是 latest 且 also_latest=true) - EXTRA_TAGS=() - if [ "$TAG" != "latest" ] && [ "${ALSO_LATEST}" = "true" ]; then - EXTRA_TAGS+=( -t "${IMAGE}:latest" ) - fi + # 1) 重新创建并启用 buildx builder:共享宿主机网络 + 注入代理环境 + docker buildx rm ci-builder >/dev/null 2>&1 || true + docker buildx create \ + --name ci-builder --use \ + --driver docker-container \ + --driver-opt network=host \ + --driver-opt env.http_proxy=http://127.0.0.1:7890,env.https_proxy=http://127.0.0.1:7890 \ + --buildkitd-flags '--allow-insecure-entitlement network.host' \ + >/dev/null + + # 2) 构建:允许 host 网络,让 RUN 阶段可直接访问 127.0.0.1:7890 + # 用 --load 让镜像回到本地 daemon,便于下一步 docker push + echo "Building ${IMAGE}:${TAG}" docker buildx build \ + --builder ci-builder \ + --network=host \ --progress=plain \ - --build-arg http_proxy=http://build_proxy:7890 \ - --build-arg https_proxy=http://build_proxy:7890 \ - --build-arg HTTP_PROXY=http://build_proxy:7890 \ - --build-arg HTTPS_PROXY=http://build_proxy:7890 \ - --build-arg NO_PROXY=localhost,127.0.0.1 \ --load \ - -t "${IMAGE}:${TAG}" \ - "${EXTRA_TAGS[@]}" \ - -f docker/Dockerfile . + -t "${IMAGE}:${TAG}" -f docker/Dockerfile . - # (可选)停掉代理 - - name: Stop proxy - if: always() - run: docker compose -f docker/compose.proxy.yml --profile build down -v + # 可选:main 分支或 release 时也打 latest + if [ "${{ github.event_name }}" = "release" ] || [ "${{ github.ref_name }}" = "main" ]; then + docker tag "${IMAGE}:${TAG}" "${IMAGE}:latest" + fi - name: Push Docker Image env: IMAGE: ${{ secrets.ACR_REGISTRY }}/${{ secrets.ACR_NAMESPACE }}/${{ vars.IMAGE_NAME }} TAG: ${{ steps.meta.outputs.tag }} - ALSO_LATEST: ${{ steps.meta.outputs.also_latest }} run: | set -euo pipefail echo "Pushing ${IMAGE}:${TAG}" docker push "${IMAGE}:${TAG}" - # 若选择 also_latest=true 且本次 TAG 不是 latest,则一起推 latest - if [ "$TAG" != "latest" ] && [ "${ALSO_LATEST}" = "true" ]; then - echo "Also pushing ${IMAGE}:latest" + if docker image inspect "${IMAGE}:latest" > /dev/null 2>&1; then + echo "Pushing ${IMAGE}:latest" docker push "${IMAGE}:latest" fi