name: Build docker image permissions: contents: read on: release: types: - published push: branches: - master # Allow maintainers to build/validate the multi-arch image on demand # (e.g. from a feature branch) without pushing anything to the registry. workflow_dispatch: env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} jobs: build-and-push-image: runs-on: ubuntu-latest permissions: contents: read packages: write steps: - name: Checkout repository uses: actions/checkout@v5 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Docker meta id: meta uses: docker/metadata-action@v5 with: images: | ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} # generate Docker tags based on the following events/attributes tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} - name: Log in to the Container registry # Only authenticate when we will actually push (release). The master # push and workflow_dispatch runs build for validation only and must # never touch the registry, so they skip the login entirely. if: github.event_name == 'release' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push Docker image uses: docker/build-push-action@v6 with: context: . platforms: linux/amd64,linux/arm64 # Push only on a published release. Every other trigger (push to # master, workflow_dispatch) builds both architectures for # validation but never pushes. push: ${{ github.event_name == 'release' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }}