From 0fc3ba26c134a56b1ac2626ae38bef66f22efe97 Mon Sep 17 00:00:00 2001 From: Wei Weng Date: Mon, 1 Dec 2025 21:28:45 +0000 Subject: [PATCH 1/5] publish image with tag Signed-off-by: Wei Weng --- .github/workflows/release.yml | 90 +++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 000000000..bcc633c62 --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,90 @@
+name: Release Images
+
+on:
+ push:
+ tags:
+ - 'v*.*.*'
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: 'Release tag (e.g., v1.0.0)'
+ required: true
+ type: string
+
+permissions:
+ contents: read
+ packages: write
+
+env:
+ REGISTRY: ghcr.io
+ HUB_AGENT_IMAGE_NAME: hub-agent
+ MEMBER_AGENT_IMAGE_NAME: member-agent
+ REFRESH_TOKEN_IMAGE_NAME: refresh-token
+ GO_VERSION: '1.24.9'
+
+jobs:
+ export-registry:
+ runs-on: ubuntu-latest
+ outputs:
+ registry: ${{ steps.export.outputs.registry }}
+ tag: ${{ steps.export.outputs.tag }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6.0.0
+
+ - id: export
+ run: |
+ # registry must be in lowercase
+ echo "registry=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_OUTPUT
+
+ # Extract tag from github ref or workflow input
+ if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+ TAG="${{ inputs.tag }}"
+ elif [[ "${{ github.ref }}" == refs/tags/* ]]; then
+ TAG=${GITHUB_REF#refs/tags/}
+ else
+ echo "Error: Workflow triggered by unsupported event or ref"
+ echo "Event: ${{ github.event_name }}"
+ echo "Ref: ${{ github.ref }}"
+ exit 1
+ fi
+ echo "tag=${TAG}" >> $GITHUB_OUTPUT
+ echo "Release tag: ${TAG}"
+
+ build-and-publish:
+ needs: export-registry
+ env:
+ REGISTRY: ${{ needs.export-registry.outputs.registry }}
+ TAG: ${{ needs.export-registry.outputs.tag }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Set up Go ${{ env.GO_VERSION }}
+ uses: actions/setup-go@v6
+ with:
+ go-version: ${{ env.GO_VERSION }}
+
+ - name: Checkout code
+ uses: actions/checkout@v6.0.0
+
+ - name: Login to ${{ env.REGISTRY }}
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push images with tag ${{ env.TAG }}
+ run: |
+ make push
+ env:
+ REGISTRY: ${{ env.REGISTRY }}
+ TAG: ${{ env.TAG }}
+
+ - name: Verify images
+ run: |
+ echo "✅ Published images:"
+ echo " - ${{ env.REGISTRY }}/${{ env.HUB_AGENT_IMAGE_NAME }}:${{ env.TAG }}"
+ echo " - ${{ env.REGISTRY }}/${{ env.MEMBER_AGENT_IMAGE_NAME }}:${{ env.TAG }}"
+ echo " - ${{ env.REGISTRY }}/${{ env.REFRESH_TOKEN_IMAGE_NAME }}:${{ env.TAG }}"
+ echo ""
+ echo "📦 Images are now public!"
From 47f968db69a3949960fe3d6b386f3145a1bf9185 Mon Sep 17 00:00:00 2001
From: Wei Weng
Date: Mon, 1 Dec 2025 21:28:45 +0000
Subject: [PATCH 2/5] fix unknown/unknown
Signed-off-by: Wei Weng
---
Makefile | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Makefile b/Makefile
index 269ac22c6..1d19606e2 100644
--- a/Makefile
+++ b/Makefile
@@ -255,6 +255,7 @@ docker-build-hub-agent: docker-buildx-builder
 --file docker/$(HUB_AGENT_IMAGE_NAME).Dockerfile \
 --output=$(OUTPUT_TYPE) \
 --platform=$(TARGET_OS)/$(TARGET_ARCH) \
+ --provenance=false \
 --pull \
 --tag $(REGISTRY)/$(HUB_AGENT_IMAGE_NAME):$(HUB_AGENT_IMAGE_VERSION) \
 --progress=$(BUILDKIT_PROGRESS_TYPE) \
@@ -267,6 +268,7 @@ docker-build-member-agent: docker-buildx-builder
 --file docker/$(MEMBER_AGENT_IMAGE_NAME).Dockerfile \
 --output=$(OUTPUT_TYPE) \
 --platform=$(TARGET_OS)/$(TARGET_ARCH) \
+ --provenance=false \
 --pull \
 --tag $(REGISTRY)/$(MEMBER_AGENT_IMAGE_NAME):$(MEMBER_AGENT_IMAGE_VERSION) \
 --progress=$(BUILDKIT_PROGRESS_TYPE) \
@@ -279,6 +281,7 @@ docker-build-refresh-token: docker-buildx-builder
 --file docker/$(REFRESH_TOKEN_IMAGE_NAME).Dockerfile \
 --output=$(OUTPUT_TYPE) \
 --platform=$(TARGET_OS)/$(TARGET_ARCH) \
+ --provenance=false \
 --pull \
 --tag $(REGISTRY)/$(REFRESH_TOKEN_IMAGE_NAME):$(REFRESH_TOKEN_IMAGE_VERSION) \
 --progress=$(BUILDKIT_PROGRESS_TYPE) \
From 54a5e98f31d0e81b4bd3fd89444ac5ea1f5ef1b4 Mon Sep 17 00:00:00 2001
From: Wei Weng
Date: Mon, 1 Dec 2025 21:28:45 +0000
Subject: [PATCH 3/5] comment
Signed-off-by: Wei Weng
---
Makefile | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Makefile b/Makefile
index 1d19606e2..d275c48ee 100644
--- a/Makefile
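Review bot: In the `export` step of `.github/workflows/release.yml` (PATCH 1/5), `${{ inputs.tag }}`, `${{ github.ref }}` and `${{ github.event_name }}` are expanded into the `run:` script text before bash parses it, so a tag name or dispatch input is interpreted as script rather than handled as data, and the value is then passed on to `make push` without validation. The step should read these values from environment variables and reject anything that is not a release-shaped tag before writing it to `$GITHUB_OUTPUT`; the pattern below is a suggestion to adapt to the project's tag scheme. Separately, on `workflow_dispatch` both `Checkout code` steps check out the dispatching ref rather than the requested tag, so the published images may not correspond to the tag they carry; adding `with:` / `ref: ${{ env.TAG }}` to the checkout in `build-and-publish` would tie the two together.

```yaml
      - id: export
        env:
          INPUT_TAG: ${{ inputs.tag }}
        run: |
          # … unchanged: registry output …

          # Extract tag from github ref or workflow input
          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
            TAG="$INPUT_TAG"
          elif [[ "$GITHUB_REF" == refs/tags/* ]]; then
            TAG=${GITHUB_REF#refs/tags/}
          else
            echo "Error: Workflow triggered by unsupported event or ref"
            echo "Event: $GITHUB_EVENT_NAME"
            echo "Ref: $GITHUB_REF"
            exit 1
          fi
          # Accept only release-shaped tags before they reach make or the registry
          tag_re='^v[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z.-]+)?$'
          if ! [[ "$TAG" =~ $tag_re ]]; then
            echo "Error: tag is not of the form vX.Y.Z" >&2
            exit 1
          fi
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
          # … unchanged: release tag log line …
```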
+++ b/Makefile @@ -250,6 +250,7 @@ docker-buildx-builder: fi .PHONY: docker-build-hub-agent +# Disable provenance attestations to prevent unknown/unknown architecture in GHCR docker-build-hub-agent: docker-buildx-builder docker buildx build \ --file docker/$(HUB_AGENT_IMAGE_NAME).Dockerfile \ @@ -263,6 +264,7 @@ docker-build-hub-agent: docker-buildx-builder --build-arg GOOS=$(TARGET_OS) . .PHONY: docker-build-member-agent +# Disable provenance attestations to prevent unknown/unknown architecture in GHCR docker-build-member-agent: docker-buildx-builder docker buildx build \ --file docker/$(MEMBER_AGENT_IMAGE_NAME).Dockerfile \ @@ -276,6 +278,7 @@ docker-build-member-agent: docker-buildx-builder --build-arg GOOS=$(TARGET_OS) . .PHONY: docker-build-refresh-token +# Disable provenance attestations to prevent unknown/unknown architecture in GHCR docker-build-refresh-token: docker-buildx-builder docker buildx build \ --file docker/$(REFRESH_TOKEN_IMAGE_NAME).Dockerfile \ From 37ef3236eff327022aa5c5d80f727f5d45ddf534 Mon Sep 17 00:00:00 2001 From: Wei Weng Date: Mon, 1 Dec 2025 21:41:24 +0000 Subject: [PATCH 4/5] commit suggestions Signed-off-by: Wei Weng --- .github/workflows/release.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bcc633c62..57227d1a9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -35,7 +35,7 @@ jobs: - id: export run: | # registry must be in lowercase - echo "registry=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_OUTPUT + echo "registry=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT # Extract tag from github ref or workflow input if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then 
@@ -66,19 +66,16 @@ jobs: - name: Checkout code uses: actions/checkout@v6.0.0 - - name: Login to ${{ env.REGISTRY }} + - name: Login to ghcr.io uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef with: - registry: ${{ env.REGISTRY }} + registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push images with tag ${{ env.TAG }} run: | make push - env: - REGISTRY: ${{ env.REGISTRY }} - TAG: ${{ env.TAG }} - name: Verify images run: | From 852bc5deccbff96b55ce96d60b3f7a4582412499 Mon Sep 17 00:00:00 2001 From: Wei Weng Date: Mon, 1 Dec 2025 21:45:56 +0000 Subject: [PATCH 5/5] remove provenance=false Signed-off-by: Wei Weng --- Makefile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/Makefile b/Makefile index d275c48ee..269ac22c6 100644 --- a/Makefile +++ b/Makefile @@ -250,13 +250,11 @@ docker-buildx-builder: fi .PHONY: docker-build-hub-agent -# Disable provenance attestations to prevent unknown/unknown architecture in GHCR docker-build-hub-agent: docker-buildx-builder docker buildx build \ --file docker/$(HUB_AGENT_IMAGE_NAME).Dockerfile \ --output=$(OUTPUT_TYPE) \ --platform=$(TARGET_OS)/$(TARGET_ARCH) \ - --provenance=false \ --pull \ --tag $(REGISTRY)/$(HUB_AGENT_IMAGE_NAME):$(HUB_AGENT_IMAGE_VERSION) \ --progress=$(BUILDKIT_PROGRESS_TYPE) \ @@ -264,13 +262,11 @@ docker-build-hub-agent: docker-buildx-builder --build-arg GOOS=$(TARGET_OS) . .PHONY: docker-build-member-agent -# Disable provenance attestations to prevent unknown/unknown architecture in GHCR docker-build-member-agent: docker-buildx-builder docker buildx build \ --file docker/$(MEMBER_AGENT_IMAGE_NAME).Dockerfile \ --output=$(OUTPUT_TYPE) \ --platform=$(TARGET_OS)/$(TARGET_ARCH) \ - --provenance=false \ --pull \ --tag $(REGISTRY)/$(MEMBER_AGENT_IMAGE_NAME):$(MEMBER_AGENT_IMAGE_VERSION) \ --progress=$(BUILDKIT_PROGRESS_TYPE) \ 
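Review bot: In the `@@ -66,19 +66,16 @@` hunk of `.github/workflows/release.yml` (PATCH 4/5), `actions/checkout@v6.0.0` is still referenced by a mutable tag in the job that receives `secrets.GITHUB_TOKEN` under `packages: write`, while `docker/login-action` two lines below is pinned to a full commit SHA. A tag can be repointed to different code after review, so the pinning should be consistent: `uses: actions/checkout@<full-commit-sha> # v6.0.0` (placeholder; take the SHA from the action's release). The same applies to `actions/setup-go@v6` and to the checkout in `export-registry`, both of which sit outside this hunk; the job's step list also starts before it.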
@@ -278,13 +274,11 @@ docker-build-member-agent: docker-buildx-builder --build-arg GOOS=$(TARGET_OS) . .PHONY: docker-build-refresh-token -# Disable provenance attestations to prevent unknown/unknown architecture in GHCR docker-build-refresh-token: docker-buildx-builder docker buildx build \ --file docker/$(REFRESH_TOKEN_IMAGE_NAME).Dockerfile \ --output=$(OUTPUT_TYPE) \ --platform=$(TARGET_OS)/$(TARGET_ARCH) \ - --provenance=false \ --pull \ --tag $(REGISTRY)/$(REFRESH_TOKEN_IMAGE_NAME):$(REFRESH_TOKEN_IMAGE_VERSION) \ --progress=$(BUILDKIT_PROGRESS_TYPE) \