Lock down proxy and docs #6
| name: Build and Publish Container Image | |
| concurrency: | |
| group: website-build-${{ github.ref }} | |
| cancel-in-progress: true | |
| on: | |
| push: | |
| branches: [master] | |
| tags: ["v*"] | |
| pull_request: | |
| workflow_dispatch: | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: "www-website" | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Compute image name (lowercase owner/repo) | |
| id: img | |
| run: | | |
| OWNER="$(echo "${GITHUB_REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')" | |
| REPO_NAME="${GITHUB_REPOSITORY##*/}" | |
| IMAGE_NAME="${IMAGE_NAME:-$REPO_NAME}" | |
| IMAGE_NAME="$(echo "${IMAGE_NAME}" | tr '[:upper:]' '[:lower:]')" | |
| echo "IMAGE=${REGISTRY}/${OWNER}/${IMAGE_NAME}" >> "$GITHUB_ENV" | |
| - name: Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.IMAGE }} | |
| tags: | | |
| type=sha | |
| type=ref,event=tag | |
| type=ref,event=branch,enable=${{ github.ref == 'refs/heads/master' }} | |
| type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }} | |
| - name: Set up Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build image for tests | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| push: false | |
| load: true | |
| tags: ${{ env.IMAGE }}:ci | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Run smoke test (curl /) | |
| env: | |
| IMAGE_UNDER_TEST: ${{ env.IMAGE }}:ci | |
| run: | | |
| set -euo pipefail | |
| cid=$(docker run -d -p 0:3000 "$IMAGE_UNDER_TEST") | |
| trap "docker rm -f $cid >/dev/null 2>&1" EXIT | |
| port=$(docker inspect -f '{{ (index (index .NetworkSettings.Ports "3000/tcp") 0).HostPort }}' "$cid") | |
| if [ -z "$port" ]; then | |
| echo "Failed to resolve mapped port for container $cid" >&2 | |
| docker logs "$cid" || true | |
| exit 1 | |
| fi | |
| for i in {1..20}; do | |
| if curl -fsS "http://127.0.0.1:${port}/" > /dev/null; then | |
| exit 0 | |
| fi | |
| sleep 1 | |
| done | |
| echo "Service did not respond on / after 20s" >&2 | |
| docker logs "$cid" || true | |
| exit 1 | |
| - name: Log in to GHCR | |
| if: github.event_name == 'push' && (startsWith(github.ref, 'refs/heads/master') || startsWith(github.ref, 'refs/tags/')) | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| # Prefer CR_PAT if provided (for cross-repo scopes); fallback to GITHUB_TOKEN | |
| password: ${{ secrets.CR_PAT != '' && secrets.CR_PAT || secrets.GITHUB_TOKEN }} | |
| - name: Build and push | |
| if: github.event_name == 'push' && (startsWith(github.ref, 'refs/heads/master') || startsWith(github.ref, 'refs/tags/')) | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max |
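Review bot: The `build` job grants `packages: write` on every trigger, including `pull_request` and `workflow_dispatch` runs that never reach the login or push steps, and the Checkout step keeps its default of persisting the job token in `.git/config`. Both build steps use `context: .`, so on a pull request the checked-out tree is handed to a Dockerfile that comes from the proposed change; unless a `.dockerignore` (not visible here) excludes `.git`, the token sits inside the build context, and for branches of this repository it keeps the write scope. Add `with:` and `persist-credentials: false` to the Checkout step, and consider moving "Log in to GHCR" and "Build and push" into a separate job that alone carries `packages: write`. The `CR_PAT` fallback on the `password:` line widens the exposure, because a personal access token is not limited to this repository the way `GITHUB_TOKEN` is, so it is worth confirming it is still needed. The `uses:` references are pinned to mutable major tags (`@v4`, `@v5`, `@v3`, `@v6`); pinning them to full commit SHAs would stop a retagged action from changing what runs with registry credentials.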