168 changes: 126 additions & 42 deletions .github/workflows/pull.yaml
Original file line number Diff line number Diff line change
@@ -1,63 +1,147 @@
name: nginx pull
name: nginx preview deployment

on:
pull_request:
branches:
- main
branches:
- main
env:
REGISTRY_IMAGE: ghcr.io/arxignis/nginx
jobs:
pull:
name: nginx pull
runs-on: ubicloud-standard-8-ubuntu-2404
prepare:
runs-on: ubicloud-standard-16-ubuntu-2404
outputs:
matrix: ${{ steps.platforms.outputs.matrix }}
steps:
- name: Login to Github Packages
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up QEMU
id: qemu
uses: docker/setup-qemu-action@v3
with:
image: tonistiigi/binfmt:latest
platforms: all

- name: 🏗 Setup repo
- name: Checkout
uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
submodules: recursive

- name: Set up Docker Context for Buildx
run: docker context create builders
- name: Create matrix
id: platforms
run: |
echo "matrix=$(docker buildx bake image-all --print | jq -cr '.target."image-all".platforms')" >>${GITHUB_OUTPUT}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: latest
endpoint: builders
- name: Show matrix
run: |
echo ${{ steps.platforms.outputs.matrix }}

- name: Docker meta
id: nginx
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/arxignis/nginx
images: ${{ env.REGISTRY_IMAGE }}
tags: |
type=sha,format=short
type=match,pattern=v(\d+\.\d+\.\d+),group=1
type=match,pattern=v(\d+\.\d+),group=1
type=match,pattern=v(\d+),group=1
type=raw,value=latest

- name: Rename meta bake definition file
run: |
mv "${{ steps.meta.outputs.bake-file }}" "${{ runner.temp }}/bake-meta.json"

- name: Upload meta bake definition
uses: actions/upload-artifact@v4
with:
name: bake-meta
path: ${{ runner.temp }}/bake-meta.json
if-no-files-found: error
retention-days: 1

build:
runs-on: ${{ matrix.platform == 'linux/arm64' && 'ubicloud-standard-16-arm-ubuntu-2404' || 'ubicloud-standard-16-ubuntu-2404' }}
needs:
- prepare
strategy:
fail-fast: false
matrix:
platform: ${{ fromJson(needs.prepare.outputs.matrix) }}
steps:
- name: Prepare
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

- name: Download meta bake definition
uses: actions/download-artifact@v4
with:
name: bake-meta
path: ${{ runner.temp }}

- name: Login to Github Packages
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build
uses: docker/build-push-action@v6
id: build-image
id: bake
uses: docker/bake-action@v6
with:
context: .
platforms: linux/arm64,linux/amd64
push: false
tags: ${{ steps.nginx.outputs.tags }}
labels: ${{ steps.nginx.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
files: |
./docker-bake.hcl
cwd://${{ runner.temp }}/bake-meta.json
targets: image
set: |
*.tags=${{ env.REGISTRY_IMAGE }}
*.platform=${{ matrix.platform }}
*.output=type=image,push-by-digest=true,name-canonical=true,push=true

- name: Export digest
run: |
mkdir -p ${{ runner.temp }}/digests
digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}"

# - name: Upload digest
# uses: actions/upload-artifact@v4
# with:
# name: digests-${{ env.PLATFORM_PAIR }}
# path: ${{ runner.temp }}/digests/*
# if-no-files-found: error
# retention-days: 1

# merge:
# runs-on: ubicloud-standard-16-ubuntu-2404
# needs:
# - build
# steps:
# - name: Download meta bake definition
# uses: actions/download-artifact@v4
# with:
# name: bake-meta
# path: ${{ runner.temp }}

# - name: Download digests
# uses: actions/download-artifact@v4
# with:
# path: ${{ runner.temp }}/digests
# pattern: digests-*
# merge-multiple: true

# - name: Login to Github Packages
# uses: docker/login-action@v3
# with:
# registry: ghcr.io
# username: ${{ github.actor }}
# password: ${{ secrets.GITHUB_TOKEN }}

# - name: Set up Docker Buildx
# uses: docker/setup-buildx-action@v3

# - name: Create manifest list and push
# working-directory: ${{ runner.temp }}/digests
# run: |
# docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' ${{ runner.temp }}/bake-meta.json) \
# $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)

# - name: Inspect image
# run: |
# docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' ${{ runner.temp }}/bake-meta.json)
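Review bot: The bake step's `*.output=type=image,push-by-digest=true,name-canonical=true,push=true` turns a `pull_request`-triggered build into a push to `ghcr.io/arxignis/nginx` (the replaced build-push step had `push: false`), and the workflow declares no `permissions:` block, so whether the GITHUB_TOKEN may write packages is decided by the repository default rather than by the file. If pushing untagged digests from PRs is intended, add `permissions: { contents: read, packages: write }` at workflow level and expect fork PRs to fail at the push since their token is read-only; otherwise set `push=false` here. The matrix is derived from the checked-out `docker-bake.hcl` and interpolated straight into shell in `platform=${{ matrix.platform }}` and `echo ${{ steps.platforms.outputs.matrix }}`; pass those values through `env:` (`PLATFORM: ${{ matrix.platform }}` then `platform="$PLATFORM"`) so a PR-edited bake file cannot rewrite the command. The `Export digest` step is also dead code while `Upload digest` and `merge` remain commented out, and every action is referenced by a mutable major tag rather than a commit SHA.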
156 changes: 120 additions & 36 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,70 @@ on:
push:
tags:
- "v*.*.*"
env:
REGISTRY_IMAGE: ghcr.io/arxignis/nginx
jobs:
deploy:
name: nginx release
prepare:
runs-on: ubicloud-standard-16-ubuntu-2404
outputs:
matrix: ${{ steps.platforms.outputs.matrix }}
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Create matrix
id: platforms
run: |
echo "matrix=$(docker buildx bake image-all --print | jq -cr '.target."image-all".platforms')" >>${GITHUB_OUTPUT}

- name: Show matrix
run: |
echo ${{ steps.platforms.outputs.matrix }}

- name: Docker meta
id: nginx
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY_IMAGE }}
tags: |
type=sha,format=short
type=match,pattern=v(\d+\.\d+\.\d+),group=1
type=match,pattern=v(\d+\.\d+),group=1
type=match,pattern=v(\d+),group=1
type=raw,value=latest

- name: Rename meta bake definition file
run: |
mv "${{ steps.meta.outputs.bake-file }}" "${{ runner.temp }}/bake-meta.json"

- name: Upload meta bake definition
uses: actions/upload-artifact@v4
with:
name: bake-meta
path: ${{ runner.temp }}/bake-meta.json
if-no-files-found: error
retention-days: 1

build:
runs-on: ${{ matrix.platform == 'linux/arm64' && 'ubicloud-standard-16-arm-ubuntu-2404' || 'ubicloud-standard-16-ubuntu-2404' }}
needs:
- prepare
strategy:
fail-fast: false
matrix:
platform: ${{ fromJson(needs.prepare.outputs.matrix) }}
steps:
- name: Prepare
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

- name: Download meta bake definition
uses: actions/download-artifact@v4
with:
name: bake-meta
path: ${{ runner.temp }}

- name: Login to Github Packages
uses: docker/login-action@v3
with:
Expand All @@ -17,47 +76,72 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up QEMU
id: qemu
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build
id: bake
uses: docker/bake-action@v6
with:
image: tonistiigi/binfmt:latest
platforms: all
files: |
./docker-bake.hcl
cwd://${{ runner.temp }}/bake-meta.json
targets: image
set: |
*.tags=${{ env.REGISTRY_IMAGE }}
*.platform=${{ matrix.platform }}
*.output=type=image,push-by-digest=true,name-canonical=true,push=true

- name: 🏗 Setup repo
uses: actions/checkout@v4
- name: Export digest
run: |
mkdir -p ${{ runner.temp }}/digests
digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}"

- name: Upload digest
uses: actions/upload-artifact@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
submodules: recursive
name: digests-${{ env.PLATFORM_PAIR }}
path: ${{ runner.temp }}/digests/*
if-no-files-found: error
retention-days: 1

- name: Set up Docker Context for Buildx
run: docker context create builders
merge:
runs-on: ubicloud-standard-16-ubuntu-2404
needs:
- build
steps:
- name: Download meta bake definition
uses: actions/download-artifact@v4
with:
name: bake-meta
path: ${{ runner.temp }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Download digests
uses: actions/download-artifact@v4
with:
version: latest
endpoint: builders
path: ${{ runner.temp }}/digests
pattern: digests-*
merge-multiple: true

- name: Docker meta
id: nginx
uses: docker/metadata-action@v5
- name: Login to Github Packages
uses: docker/login-action@v3
with:
images: ghcr.io/arxignis/nginx
tags: |
type=sha,format=short
type=match,pattern=v(\d+\.\d+\.\d+),group=1
type=match,pattern=v(\d+\.\d+),group=1
type=match,pattern=v(\d+),group=1
type=raw,value=latest
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build
uses: docker/build-push-action@v6
id: build-image
with:
context: .
platforms: linux/arm64,linux/amd64
push: true
tags: ${{ steps.nginx.outputs.tags }}
labels: ${{ steps.nginx.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Create manifest list and push
working-directory: ${{ runner.temp }}/digests
run: |
docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' ${{ runner.temp }}/bake-meta.json) \
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)

- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' ${{ runner.temp }}/bake-meta.json)
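Review bot: The `Docker meta` step on what appears to be the new side keeps `id: nginx`, but the following `Rename meta bake definition file` step reads `${{ steps.meta.outputs.bake-file }}`, which resolves to an empty string and makes `mv "" ".../bake-meta.json"` fail before any artifact is uploaded; `pull.yaml` was renamed to `id: meta` in the same PR, so change the line here to `id: meta` as well. This workflow pushes the `latest` and version tags on every `v*.*.*` tag push yet declares no `permissions:` block, so `packages: write` is inherited from the repository default; pin it explicitly with `permissions: { contents: read, packages: write }`. Now that the release is assembled from per-platform digests, the `Create manifest list and push` step is also the natural place to add provenance/SBOM attestation or signing of the final manifest list, and the actions are still referenced by mutable major tags rather than commit SHAs.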
4 changes: 3 additions & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
ENV NGX_JA4_MODULE_VERSION="1.3.1-beta"
ENV NGX_BROTLI_COMMIT_HASH="6e975bcb015f62e1f303054897783355e2a877dc"
ENV NGX_DYNAMIC_ETAG_VERSION="0.2.1"
ENV NGX_HTTP_AUTH_DIGEST_VERSION="1.0.0"

Check warning on line 20 in Dockerfile


GitHub Actions / build (linux/amd64)

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "NGX_HTTP_AUTH_DIGEST_VERSION") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Check warning on line 20 in Dockerfile


GitHub Actions / build (linux/arm64)

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "NGX_HTTP_AUTH_DIGEST_VERSION") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ENV MODSECURITY_NGINX_VERSION="1.0.4"
ENV MODSECURITY_NGINX_SHA256="6bdc7570911be884c1e43aaf85046137f9fde0cfa0dd4a55b853c81c45a13313"
ENV MODSECURITY_VERSION="3.0.14"
Expand Down Expand Up @@ -292,7 +292,9 @@
STOPSIGNAL SIGQUIT

FROM openresty-builder AS runtime
ENV ARXIGNIS_VERSION="1.2-0"
ENV ARXIGNIS_VERSION="1.2-1"

WORKDIR /etc/nginx

RUN apk --no-cache add git \
&& luarocks install lua-resty-arxignis ${ARXIGNIS_VERSION}
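Review bot: The new `ENV NGX_HTTP_AUTH_DIGEST_VERSION="1.0.0"` pins only a version tag, whereas the neighbouring modules carry an integrity anchor (`NGX_BROTLI_COMMIT_HASH`, `MODSECURITY_NGINX_SHA256`); if the download that consumes it (outside this hunk) fetches a tarball, add a matching `NGX_HTTP_AUTH_DIGEST_SHA256` and verify it the same way the ModSecurity download presumably is. The `SecretsUsedInArgOrEnv` build-check warning shown against this line is a false positive triggered by the `AUTH` substring in the variable name rather than a real secret; either rename the variable (e.g. `NGX_HTTP_DIGEST_MODULE_VERSION`) or silence it deliberately with a `# check=skip=SecretsUsedInArgOrEnv` directive at the top of the Dockerfile instead of leaving a standing warning that desensitises reviewers. In the runtime stage, `apk --no-cache add git` leaves git permanently in the final image only so luarocks can fetch `lua-resty-arxignis`; consider `apk add --no-cache --virtual .build-deps git` followed by `apk del .build-deps` in the same `RUN`, and note that luarocks does no signature verification of the rock it installs, so the bumped `1.2-1` is trusted on the strength of the rocks server alone.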