| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120 |
- name: Build Latest Docker Image on Release
- on:
- release:
- types: [published]
- workflow_dispatch:
- permissions:
- contents: read
- id-token: write
- packages: write
- jobs:
- build-and-push:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v6
- with:
- fetch-depth: 0 # Fetch all history for tags
- - name: Set up Python
- uses: actions/setup-python@v6
- with:
- python-version: "3.x"
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4
- - name: Login to GitHub Container Registry
- uses: docker/login-action@v4
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
- - name: Install cosign
- uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
- - name: Get latest tag
- id: get_tag
- run: |
- if [ "${{ github.event_name }}" = "release" ] && [ -n "${{ github.event.release.tag_name }}" ]; then
- TAG="${{ github.event.release.tag_name }}"
- else
- TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
- fi
- if [ -z "$TAG" ]; then
- echo "No git tag found for docker publish"
- exit 1
- fi
- PACKAGE_VERSION="${TAG#v}"
- echo "Found tag: $TAG"
- echo "tag=$TAG" >> $GITHUB_OUTPUT
- echo "package_version=$PACKAGE_VERSION" >> $GITHUB_OUTPUT
- - name: Check if pre-release
- id: check_prerelease
- run: |
- TAG="${{ steps.get_tag.outputs.tag }}"
- if [[ "$TAG" == *"rc"* ]] || [[ "$TAG" == *"dev"* ]]; then
- echo "is_prerelease=true" >> $GITHUB_OUTPUT
- echo "This is a pre-release version: $TAG"
- else
- echo "is_prerelease=false" >> $GITHUB_OUTPUT
- echo "This is a stable release: $TAG"
- fi
- - name: Update version definitions
- run: |
- python scripts/release/set_version.py --core-version "${{ steps.get_tag.outputs.package_version }}"
- echo "Updated version definitions with ${{ steps.get_tag.outputs.package_version }}"
- grep '__version__ = ' lightrag/_version.py
- - name: Extract metadata for Docker
- id: meta
- uses: docker/metadata-action@v6
- with:
- images: ghcr.io/${{ github.repository }}
- tags: |
- type=raw,value=${{ steps.get_tag.outputs.tag }}
- type=raw,value=latest,enable=${{ steps.check_prerelease.outputs.is_prerelease == 'false' }}
- - name: Build and push Docker image
- id: build-and-push
- uses: docker/build-push-action@v7
- with:
- context: .
- file: ./Dockerfile
- platforms: linux/amd64,linux/arm64
- push: true
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
- - name: Sign Docker image
- if: steps.build-and-push.outputs.digest != ''
- env:
- DIGEST: ${{ steps.build-and-push.outputs.digest }}
- TAGS: ${{ steps.meta.outputs.tags }}
- run: |
- set -euo pipefail
- echo "Signing manifest digest: $DIGEST"
- while IFS= read -r tag; do
- if [ -z "$tag" ]; then
- continue
- fi
- echo "Signing ${tag}@${DIGEST}"
- cosign sign --yes "${tag}@${DIGEST}"
- done <<< "$TAGS"
- - name: Output image details
- run: |
- echo "Docker image built and pushed successfully!"
- echo "Image tags:"
- echo " - ghcr.io/${{ github.repository }}:${{ steps.get_tag.outputs.tag }}"
- echo " - ghcr.io/${{ github.repository }}:latest"
- echo "Signed manifest digest: ${{ steps.build-and-push.outputs.digest }}"
- echo "Latest Git tag used: ${{ steps.get_tag.outputs.tag }}"
|
