name: Build & Push Docker Images (Standard & Tailscale in One Repo) on: schedule: - cron: '15 19 * * *' # Exécute automatiquement tous les jours à 19h15 UTC push: branches: [ "main" ] # Se déclenche à chaque push sur main tags: [ 'v*.*.*' ] # Publie les tags s'ils suivent un format semver (ex: v1.2.3) pull_request: branches: [ "main" ] # Teste sur PR sans push env: REGISTRY_GHCR: ghcr.io REGISTRY_DOCKERHUB: docker.io IMAGE_NAME: ripleybooya/ssh-tunnel # Nom de l’image Docker jobs: build-and-push: runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write # Nécessaire pour la signature avec Cosign steps: - name: Checkout repository uses: actions/checkout@v4 - name: Set up QEMU for multi-platform builds uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 # 🔑 Connexion à GitHub Container Registry - name: Log in to GitHub Container Registry if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY_GHCR }} username: ${{ secrets.GHCR_USERNAME }} password: ${{ secrets.GHCR_TOKEN }} # 🔑 Connexion à Docker Hub - name: Log in to Docker Hub if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} # 🏗 Build et push de l'image standard (latest) - name: "Build and push standard Docker image (tag: latest)" id: build-and-push uses: docker/build-push-action@v5 with: context: . # Utilisation du répertoire courant push: ${{ github.event_name != 'pull_request' }} platforms: linux/amd64,linux/arm64 tags: | ${{ env.REGISTRY_GHCR }}/${{ env.IMAGE_NAME }}:latest ${{ env.REGISTRY_DOCKERHUB }}/${{ env.IMAGE_NAME }}:latest labels: | org.opencontainers.image.source=https://github.com/${{ github.repository }} cache-from: type=gha cache-to: type=gha,mode=max # 🏗 Build et push de la version Tailscale - name: "Build and push Tailscale variant (tag: tailscale)" id: build-and-push-tailscale uses: docker/build-push-action@v5 with: context: . # Utilisation du répertoire courant file: Dockerfile.tailscale # Utilisation du Dockerfile spécifique push: ${{ github.event_name != 'pull_request' }} platforms: linux/amd64,linux/arm64 tags: | ${{ env.REGISTRY_GHCR }}/${{ env.IMAGE_NAME }}:tailscale ${{ env.REGISTRY_DOCKERHUB }}/${{ env.IMAGE_NAME }}:tailscale labels: | org.opencontainers.image.source=https://github.com/${{ github.repository }} cache-from: type=gha cache-to: type=gha,mode=max # 🔒 Installer Cosign avant de signer les images - name: Install cosign uses: sigstore/cosign-installer@v3 # 🔒 Signature des images après le push - name: Sign the published Docker images if: ${{ github.event_name != 'pull_request' }} env: TAGS: | ${{ env.REGISTRY_GHCR }}/${{ env.IMAGE_NAME }}:latest ${{ env.REGISTRY_GHCR }}/${{ env.IMAGE_NAME }}:tailscale ${{ env.REGISTRY_DOCKERHUB }}/${{ env.IMAGE_NAME }}:latest ${{ env.REGISTRY_DOCKERHUB }}/${{ env.IMAGE_NAME }}:tailscale DIGEST_LATEST: ${{ steps.build-and-push.outputs.digest }} DIGEST_TAILSCALE: ${{ steps.build-and-push-tailscale.outputs.digest }} run: | echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST_LATEST} echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST_TAILSCALE} # 🔹 Mise à jour automatique de la description du repository Docker Hub - name: Update Docker Hub Description uses: peter-evans/dockerhub-description@v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} repository: ripleybooya/ssh-tunnel # Nom du repo Docker Hub readme-filepath: ./README.md # Récupère la description depuis le README GitHub