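name: Build and Push to ACR

on:
  push:
    branches: [main]
  release:
    types: [published]
  workflow_dispatch:  # manual trigger
    inputs:
      image_tag:  # optional tag for manual runs (empty → derived automatically)
        description: "Tag to push (default: branch/release name, else latest)"
        required: false
        default: ""

# Least privilege: the job only reads the repository and never writes back to
# GitHub, so the default GITHUB_TOKEN needs nothing beyond contents:read.
permissions:
  contents: read

jobs:
  docker:
    runs-on: [buildx]
    env:
      # Registry host and namespace are exposed to every step as shell
      # variables; the scripts below read $ACR_REGISTRY / $ACR_NAMESPACE
      # instead of splicing `${{ secrets.* }}` into the script text.
      # ACR_REGISTRY e.g. registry.cn-hangzhou.aliyuncs.com
      #              or <instance>.registry.cn-hangzhou.aliyuncs.com
      ACR_REGISTRY: ${{ secrets.ACR_REGISTRY }}
      ACR_NAMESPACE: ${{ secrets.ACR_NAMESPACE }}
    steps:
      - name: Checkout
        # Consider pinning to a full commit SHA rather than a moving major tag
        # so that the checked-out action code cannot change underneath the job.
        uses: actions/checkout@v3

      - name: Login to Aliyun ACR (non-interactive)
        env:
          ACR_USERNAME: ${{ secrets.ACR_USERNAME }}  # e.g. ze***@qq.com (main/sub account) or a namespace token name
          ACR_PASSWORD: ${{ secrets.ACR_PASSWORD }}  # e.g. fixed password / namespace token value
        run: |
          set -euo pipefail
          # 1) The registry must be a bare hostname: no http(s):// scheme and no path.
          case "$ACR_REGISTRY" in
            http://*|https://*) echo "ACR_REGISTRY 不能带协议(http/https),只填域名"; exit 1;;
            */*) echo "ACR_REGISTRY 不能带路径"; exit 1;;
          esac
          # 2) Reachability probe (a 401 here is expected: it proves /v2/ is reachable).
          curl -sSIL "https://${ACR_REGISTRY}/v2/" || true
          # 3) Non-interactive login; the password is fed on stdin, never on argv.
          echo "$ACR_PASSWORD" | docker login "$ACR_REGISTRY" \
            --username "$ACR_USERNAME" --password-stdin

      - name: Resolve image reference
        env:
          # The workflow_dispatch input is passed through the environment and
          # never interpolated into the script body: an attacker-controlled
          # value expanded by `${{ }}` inside `run:` would be executed as shell.
          INPUT_TAG: ${{ github.event.inputs.image_tag }}
        run: |
          set -euo pipefail
          # Prefer the manual input; fall back to the branch/release name; else latest.
          TAG="${INPUT_TAG:-${GITHUB_REF_NAME:-latest}}"
          # Docker tags may not contain "/", so a branch such as feature/x would
          # otherwise break `docker build -t`; map the path separator to "-".
          TAG="${TAG//\//-}"
          IMAGE="${ACR_REGISTRY}/${ACR_NAMESPACE}/myapp"
          echo "Image reference: ${IMAGE}:${TAG}"
          # Computed once here and shared with the build and push steps so the
          # two can never disagree on what was built versus what is pushed.
          {
            echo "IMAGE=${IMAGE}"
            echo "TAG=${TAG}"
          } >> "$GITHUB_ENV"

      - name: Build Docker Image
        run: |
          set -euo pipefail
          echo "Building ${IMAGE}:${TAG}"
          docker build -t "${IMAGE}:${TAG}" -f docker/Dockerfile .

      - name: Push Docker Image
        run: |
          set -euo pipefail
          echo "Pushing ${IMAGE}:${TAG}"
          docker push "${IMAGE}:${TAG}"

      - name: Logout from ACR
        # `runs-on: [buildx]` looks like a custom (likely self-hosted) runner
        # label; `docker login` persists the credential in the runner's Docker
        # config, so drop it when the job ends, whether or not earlier steps
        # succeeded. Best-effort: a failed logout must not fail the job.
        if: always()
        run: docker logout "$ACR_REGISTRY" || true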