ci(build): move image build steps out of build action into main pipeline

2025-12-04 11:59:36 +08:00 · 2025-12-04 11:59:36 +08:00 · 364857c691
commit 364857c691
parent 2eadd6d310
2 changed files with 17 additions and 55 deletions
--- a/.github/actions/build/action.yml
+++ b/.github/actions/build/action.yml
@ -88,58 +88,3 @@ runs:
      with:
        name: dashboard-${{ inputs.platform }}-${{ inputs.environment }}
        path: dashboard/.next
-
-    - name: Docker login (GHCR)
-      if: inputs.environment == 'prod'
-      uses: docker/login-action@v3
-      with:
-        registry: ghcr.io
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-
-    - name: Generate Auto Tags
-      if: inputs.environment == 'prod'
-      id: meta
-      uses: ../auto-tag
-      with:
-        image: ghcr.io/${{ github.repository_owner }}/${{ inputs.service }}
-
-    - name: Build and (optionally) push images
-      if: inputs.environment == 'prod'
-      id: build-image
-      uses: docker/build-push-action@v6
-      with:
-        context: ${{ inputs.service == 'dashboard' && 'dashboard' || inputs.service }}
-        file: ${{ inputs.service == 'dashboard' && 'dashboard/Dockerfile' || format('{0}/Dockerfile', inputs.service) }}
-        platforms: ${{ steps.matrix.outputs.target_platforms }}
-        push: true
-        tags: ${{ steps.meta.outputs.tags }}
-        labels: ${{ steps.meta.outputs.labels }}
-
-    - name: Generate SBOM
-      if: inputs.environment == 'prod'
-      uses: anchore/sbom-action@v0
-      with:
-        image: ghcr.io/${{ github.repository_owner }}/${{ inputs.service }}@${{ steps.build-image.outputs.digest }}
-        output-file: sbom-${{ inputs.service }}.spdx.json
-
-    - name: Upload SBOM artifact
-      if: inputs.environment == 'prod'
-      uses: actions/upload-artifact@v4
-      with:
-        name: sbom-${{ inputs.service }}
-        path: sbom-${{ inputs.service }}.spdx.json
-
-    - name: Install Cosign
-      if: inputs.environment == 'prod'
-      uses: sigstore/cosign-installer@v3
-      with:
-        cosign-release: 'v2.4.1'
-
-    - name: Cosign image
-      if: inputs.environment == 'prod'
-      env:
-        COSIGN_EXPERIMENTAL: "true"
-      run: |
-        IMG=ghcr.io/${{ github.repository_owner }}/${{ inputs.service }}@${{ steps.build-image.outputs.digest }}
-        cosign sign --yes "$IMG"
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@ -55,6 +55,23 @@ jobs:
          service: ${{ matrix.service }}
          platform: ${{ matrix.platform }}

+      - name: Build Base Images
+        id: base
+        uses: ./.github/actions/build-base-images/
+        secrets: inherit
+        with:
+          push_images: false     # CI 阶段不 push，只 build 并生成 digest
+
+      - name: Build Service Images
+        uses: ./.github/actions/build-service-images/
+        secrets: inherit
+        with:
+          push_images: false
+          node_builder_digest: ${{ steps.base.outputs.node_builder_digest }}
+          node_runtime_digest: ${{ steps.base.outputs.node_runtime_digest }}
+          postgres_runtime_digest: ${{ steps.base.outputs.postgres_runtime_digest }}
+          openresty_geoip_digest: ${{ steps.base.outputs.openresty_geoip_digest }}
+
  # -------------------------------------------------------------
  # CI STAGE 3 — Test
  # -------------------------------------------------------------