diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
index ae5ca84..c2e055c 100644
--- a/.github/workflows/build-images.yml
+++ b/.github/workflows/build-images.yml
@@ -59,7 +59,9 @@ permissions:
 env:
 REGISTRY: ghcr.io
- ORG: cloud-neutral-toolkit
+ # ✅ 不硬编码:默认推到 ghcr.io/<当前仓库 owner>/...
+ ORG: ${{ github.repository_owner }}
+ SKIP_SECURITY: ${{ inputs.skip_security || github.event.inputs.skip_security || 'false' }}
 NODE_BUILDER_IMAGE: ${{ inputs.node_builder_image || github.event.inputs.node_builder_image || 'node:22-bookworm' }}
@@ -102,7 +104,6 @@ jobs:
 - name: Clone knowledge content
 run: git clone https://github.com/Cloud-Neutral-Workshop/knowledge.git knowledge
- # ✅ 关键修正:每个矩阵 job 只 build 自己的平台,push 到“临时 tag”
 - name: Build Service Image (per-arch)
 id: build
 uses: docker/build-push-action@v6
@@ -111,7 +112,6 @@ jobs:
 file: ${{ matrix.service.dockerfile }}
 platforms: ${{ matrix.arch.platform }}
 push: ${{ env.PUSH_IMAGES }}
- # 临时 tag:避免并行 job 抢同一个 tag/manifest
 tags: |
 ${{ env.REGISTRY }}/${{ env.ORG }}/${{ matrix.service.name }}:build-${{ github.sha }}-${{ matrix.arch.artifact }}
 labels: ${{ steps.meta.outputs.labels }}
@@ -156,7 +156,6 @@ jobs:
 set -euo pipefail
 echo "IMAGE_DIGEST=$(cat digest-${{ matrix.service.name }}-${{ matrix.arch.artifact }}.txt)" >> "$GITHUB_ENV"
- # ✅ 扫描/签名的对象:临时 tag + digest(确保指向该 arch 的镜像)
 - name: Set image ref
 run: |
 set -euo pipefail
@@ -208,7 +207,6 @@ jobs:
 - uses: docker/setup-buildx-action@v3
- # 两个 arch digest 都要
 - uses: actions/download-artifact@v4
 with:
 name: digest-dashboard-linux-amd64
@@ -232,11 +230,10 @@ jobs:
 - uses: docker/login-action@v3
 if: matrix.registry == 'ghcr.io'
 with:
- registry: ${{ env.REGISTRY }}
+ registry: ${{ matrix.registry }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- # ✅ 关键修正:合并 manifest list,生成最终 tags(multi-arch)
 - name: Create & Push Multi-Arch Manifests (GHCR)
 if: matrix.registry == 'ghcr.io'
 run: |
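Review bot: In the `@@ -59,7 +59,9 @@` hunk, `ORG: ${{ github.repository_owner }}` passes the owner login through with its original casing, while registry repository paths have to be lowercase. If the owner name contains capitals (the clone URL in this same workflow uses `Cloud-Neutral-Workshop`, so mixed-case owners do occur around this project), the `tags:` value in the build step and the `SRC="docker://ghcr.io/${{ env.ORG }}/dashboard@..."` reference in the skopeo step would presumably be rejected as invalid image references. Workflow expressions have no lowercase function, so normalise once in an early step of each job, for example `echo "ORG=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_ENV"`. The new comment could also state that a run in a fork now publishes under the fork owner's namespace, since that changes which namespace the later scan, sign and copy steps operate on.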
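Review bot: In the `@@ -232,11 +230,10 @@` hunk, `registry: ${{ matrix.registry }}` sits under `if: matrix.registry == 'ghcr.io'`, so it always resolves to the same host as before, while the image references visible elsewhere in this diff still take the host from `env.REGISTRY` (the build `tags:`) or from a literal `ghcr.io` (the skopeo `SRC`). The login target and the push target are now defined in different places; if `REGISTRY` is ever changed, this step would authenticate to one registry while the images go to another. Either keep `${{ env.REGISTRY }}` here or add a comment such as `# always ghcr.io here: guarded by the step's if`. The job's step list continues outside the hunk.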
@@ -252,8 +249,6 @@ jobs:
 docker buildx imagetools create -t "$TAG" "$SRC_AMD" "$SRC_ARM"
 done
- # 取一个最终 tag 的 manifest digest,供后续验证/复制
- # 选 tags 列表里的第一个
 TAG1="$(echo "${{ steps.meta.outputs.tags }}" | tr ',' '\n' | head -n 1)"
 DIGEST="$(docker buildx imagetools inspect "$TAG1" --format '{{.Digest}}')"
 echo "MANIFEST_DIGEST=$DIGEST" >> "$GITHUB_ENV"
@@ -282,7 +277,6 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
- # ✅ 关键修正:用 skopeo 把 GHCR 的 multi-arch 镜像“原样复制”到 Docker Hub(不重建)
 - name: Copy Multi-Arch Image to Docker Hub (skopeo)
 if: matrix.registry == 'docker.io'
 env:
@@ -296,7 +290,6 @@ jobs:
 SRC="docker://ghcr.io/${{ env.ORG }}/dashboard@${{ env.MANIFEST_DIGEST }}"
 DST="docker://docker.io/${TARGET_NS}/dashboard:latest"
- # skopeo 使用独立登录(更稳定)
 skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
 skopeo login docker.io -u "${{ secrets.DOCKERHUB_USERNAME }}" -p "${{ secrets.DOCKERHUB_TOKEN }}"