continuwuity/.forgejo/workflows/release-image.yml

name: Release Docker Image
concurrency:
  group: "release-image-${{ github.ref }}"

on:
  push:
    branches:
      - main
    paths-ignore:
      - "*.md"
      - "**/*.md"
      - "*.mdx"
      - "**/*.mdx"
      - "changelog.d/**"
      - ".gitlab-ci.yml"
      - ".gitignore"
      - "renovate.json"
      - "pkg/**"
      - "docs/**"
    tags:
      - "v*.*.*"
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

env:
  BUILTIN_REGISTRY: forgejo.ellis.link
  BUILTIN_REGISTRY_ENABLED: "${{ ((vars.BUILTIN_REGISTRY_USER && secrets.BUILTIN_REGISTRY_PASSWORD) || (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)) && 'true' || 'false' }}"
  IMAGE_PATH: forgejo.ellis.link/continuwuation/continuwuity

jobs:
  build-release:
    name: "Build ${{ matrix.slug }} (release)"
    runs-on: dind
    permissions:
      contents: read
      packages: write
      attestations: write
      id-token: write
    strategy:
      matrix:
        include:
          - platform: "linux/amd64"
            slug: "linux-amd64"
          - platform: "linux/arm64"
            slug: "linux-arm64"

    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Prepare Docker build environment
        id: prepare
        uses: ./.forgejo/actions/prepare-docker-build
        with:
          platform: ${{ matrix.platform }}
          slug: ${{ matrix.slug }}
          target_cpu: ""
          profile: "release"
          images: ${{ env.IMAGE_PATH }}
          registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
      - name: Build and push Docker image by digest
        id: build
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
        with:
          context: .
          file: "docker/Dockerfile"
          build-args: |
            GIT_COMMIT_HASH=${{ github.sha }}
            GIT_COMMIT_HASH_SHORT=${{ env.COMMIT_SHORT_SHA }}
            GIT_REMOTE_URL=${{github.event.repository.html_url }}
            GIT_REMOTE_COMMIT_URL=${{github.event.head_commit.url }}
            CARGO_INCREMENTAL=${{ env.BUILDKIT_ENDPOINT != '' && '1' || '0' }}
            TARGET_CPU=
            RUST_PROFILE=release
          platforms: ${{ matrix.platform }}
          labels: ${{ steps.prepare.outputs.metadata_labels }}
          annotations: ${{ steps.prepare.outputs.metadata_annotations }}
          cache-from: type=gha
          # cache-to: type=gha,mode=max
          sbom: true
          outputs: |
            ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' && format('type=image,"name={0}",push-by-digest=true,name-canonical=true,push=true', env.IMAGE_PATH) || format('type=image,"name={0}",push=false', env.IMAGE_PATH) }}
            type=local,dest=/tmp/binaries
        env:
          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
      - name: Upload Docker artifacts
        uses: ./.forgejo/actions/upload-docker-artifacts
        with:
          slug: ${{ matrix.slug }}
          cpu_suffix: ${{ steps.prepare.outputs.cpu_suffix }}
          artifact_suffix: ""
          digest_suffix: ""
          digest: ${{ steps.build.outputs.digest }}

  merge-release:
    name: "Create Multi-arch Release Manifest"
    runs-on: dind
    needs: build-release
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Create multi-platform manifest
        uses: ./.forgejo/actions/create-docker-manifest
        with:
          digest_pattern: "digests-linux-{amd64,arm64}"
          tag_suffix: ""
          images: ${{ env.IMAGE_PATH }}
          registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}

  build-maxperf:
    name: "Build ${{ matrix.slug }} (max-perf)"
    runs-on: dind
    needs: build-release
    permissions:
      contents: read
      packages: write
      attestations: write
      id-token: write
    strategy:
      matrix:
        include:
          - platform: "linux/amd64"
            slug: "linux-amd64"
            target_cpu: "haswell"
          - platform: "linux/arm64"
            slug: "linux-arm64"
            target_cpu: ""

    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Prepare max-perf Docker build environment
        id: prepare
        uses: ./.forgejo/actions/prepare-docker-build
        with:
          platform: ${{ matrix.platform }}
          slug: ${{ matrix.slug }}
          target_cpu: ${{ matrix.target_cpu }}
          profile: "release-max-perf"
          images: ${{ env.IMAGE_PATH }}
          registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
      - name: Build and push max-perf Docker image by digest
        id: build
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
        with:
          context: .
          file: "docker/Dockerfile"
          build-args: |
            GIT_COMMIT_HASH=${{ github.sha }}
            GIT_COMMIT_HASH_SHORT=${{ env.COMMIT_SHORT_SHA }}
            GIT_REMOTE_URL=${{github.event.repository.html_url }}
            GIT_REMOTE_COMMIT_URL=${{github.event.head_commit.url }}
            CARGO_INCREMENTAL=${{ env.BUILDKIT_ENDPOINT != '' && '1' || '0' }}
            TARGET_CPU=${{ matrix.target_cpu }}
            RUST_PROFILE=release-max-perf
          platforms: ${{ matrix.platform }}
          labels: ${{ steps.prepare.outputs.metadata_labels }}
          annotations: ${{ steps.prepare.outputs.metadata_annotations }}
          cache-from: type=gha
          # cache-to: type=gha,mode=max
          sbom: true
          outputs: |
            ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' && format('type=image,"name={0}",push-by-digest=true,name-canonical=true,push=true', env.IMAGE_PATH) || format('type=image,"name={0}",push=false', env.IMAGE_PATH) }}
            type=local,dest=/tmp/binaries
        env:
          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
      - name: Upload max-perf Docker artifacts
        uses: ./.forgejo/actions/upload-docker-artifacts
        with:
          slug: ${{ matrix.slug }}
          cpu_suffix: ${{ steps.prepare.outputs.cpu_suffix }}
          artifact_suffix: "-maxperf"
          digest_suffix: "-maxperf"
          digest: ${{ steps.build.outputs.digest }}

  merge-maxperf:
    name: "Create Max-Perf Manifest"
    runs-on: dind
    needs: build-maxperf
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Create max-perf manifest
        uses: ./.forgejo/actions/create-docker-manifest
        with:
          digest_pattern: "digests-maxperf-linux-{amd64-haswell,arm64}"
          tag_suffix: "-maxperf"
          images: ${{ env.IMAGE_PATH }}
          registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}

  mirror_images:
    name: "Mirror Images"
    runs-on: ubuntu-latest
    needs:
      - merge-maxperf
      - merge-release
    env:
      BUILTIN_REGISTRY_USER: ${{ vars.BUILTIN_REGISTRY_USER }}
      BUILTIN_REGISTRY_PASSWORD: ${{ secrets.BUILTIN_REGISTRY_PASSWORD }}
      GITLAB_USERNAME: ${{ vars.GITLAB_USERNAME }}
      GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
      N7574_GIT_USERNAME: ${{ vars.N7574_GIT_USERNAME }}
      N7574_GIT_TOKEN: ${{ secrets.N7574_GIT_TOKEN }}
      GH_PACKAGES_USER: ${{ vars.GH_PACKAGES_USER }}
      GH_PACKAGES_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN }}
      DOCKER_MIRROR_USER: ${{ vars.DOCKER_MIRROR_USER }}
      DOCKER_MIRROR_TOKEN: ${{ secrets.DOCKER_MIRROR_TOKEN }}
    uses: ./.forgejo/workflows/mirror-images.yml