From ccd563f2ba1cb6ad4ecce87a394359f3a5541504 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Donncha=20=C3=93=20Cearbhaill?=
Date: Wed, 1 Apr 2026 18:42:30 +0200
Subject: [PATCH] Improve docker images tags based on PR #740 (#754)

* Modify docker image deployment behavior
* Use build-push-action to create image provenance & sbom attestations
* Upgrade github actions
* Fix inconsistent capitialization in dockerfiles
---------
Co-authored-by: scribblemaniac
---
.github/workflows/add-issue-to-project.yml | 2 +-
.github/workflows/mypy.yml | 7 ++--
.github/workflows/publish-release-docker.yml | 40 ++++++++++++++------
.github/workflows/ruff.yml | 5 +--
.github/workflows/tests.yml | 4 +-
.github/workflows/update-ios-data.yml | 4 +-
Dockerfile | 16 ++++----
Dockerfile.android | 2 +-
Dockerfile.ios | 16 ++++----
9 files changed, 56 insertions(+), 40 deletions(-)
diff --git a/.github/workflows/add-issue-to-project.yml b/.github/workflows/add-issue-to-project.yml
index c4e6d84..5eab4ab 100644
--- a/.github/workflows/add-issue-to-project.yml
+++ b/.github/workflows/add-issue-to-project.yml
@@ -11,7 +11,7 @@ jobs:
 name: Add issue to project
 runs-on: ubuntu-latest
 steps:
- - uses: actions/add-to-project@v0.5.0
+ - uses: actions/add-to-project@v1
 with:
 # You can target a project in a different organization
 # to the issue
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index 321ffc9..67d5b90 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -7,14 +7,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout
+ uses: actions/checkout@v6
 - name: Setup Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@v6
 with:
 python-version: 3.9
 cache: 'pip'
- - name: Checkout
- uses: actions/checkout@master
 - name: Install Dependencies
 run: |
 pip install mypy
diff --git a/.github/workflows/publish-release-docker.yml b/.github/workflows/publish-release-docker.yml
index 067611c..dde12b7 100644
--- a/.github/workflows/publish-release-docker.yml
+++ b/.github/workflows/publish-release-docker.yml
@@ -4,6 +4,8 @@ name: Create and publish a Docker image
 # Configures this workflow to run every time a release is published.
 on:
 workflow_dispatch:
+ push:
+ branches: [main]
 release:
 types: [published]
@@ -23,9 +25,18 @@ jobs:
 attestations: write
 id-token: write
 #
+ strategy:
+ matrix:
+ platform:
+ - dockerfile: "Dockerfile"
+ tag-suffix: ""
+ - dockerfile: "Dockerfile.ios"
+ tag-suffix: "-ios"
+ - dockerfile: "Dockerfile.android"
+ tag-suffix: "-android"
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
 - name: Log in to the Container registry
 uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
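Review bot: The new `strategy.matrix` fans the publish job out into three independent image builds but leaves `fail-fast` at its default, so one failing platform build (say `Dockerfile.ios`) cancels the sibling jobs while they may already have pushed their own `latest`/`stable`/sha tags; the registry can then hold an updated `latest` for one platform and stale `-ios`/`-android` tags for the others. Add `fail-fast: false` directly under `strategy:` so each platform finishes or fails on its own, and gate any "release done" signal on all three jobs. The `permissions` lines at the top of the hunk are context; whether `attestations: write` is still needed once the attestation step is removed later in this file is worth confirming.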
@@ -36,26 +47,33 @@ jobs:
 # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+ uses: docker/metadata-action@v5
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ flavor: |
+ latest=false
+ tags: |
+ type=raw,value=latest,enable={{ is_default_branch }},suffix=${{ matrix.platform.tag-suffix }}
+ type=raw,enable=${{ github.event_name == 'release' || github.ref_type == 'tag' }},value=stable,suffix=${{ matrix.platform.tag-suffix }}
+ type=raw,enable=${{ github.event_name == 'release' }},value=${{ github.event.release.tag_name }},suffix=${{ matrix.platform.tag-suffix }}
+ type=raw,enable=${{ github.ref_type == 'tag' }},value=${{ github.ref_name }},suffix=${{ matrix.platform.tag-suffix }}
+ type=sha,suffix=${{ matrix.platform.tag-suffix }}
+ type=sha,format=long,suffix=${{ matrix.platform.tag-suffix }}
+ # This step sets up some additional capabilities to generate the provenance and sbom attestations
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
 # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
 # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
 # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
- name: Build and push Docker image
 id: push
- uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+ uses: docker/build-push-action@v6
 with:
+ file: ${{ matrix.platform.dockerfile }}
 context: .
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
-
- # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."
- - name: Generate artifact attestation
- uses: actions/attest-build-provenance@v1
- with:
- subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
- subject-digest: ${{ steps.push.outputs.digest }}
- push-to-registry: true
+ provenance: mode=max
+ sbom: true
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
index 55ce442..a05e0ef 100644
--- a/.github/workflows/ruff.yml
+++ b/.github/workflows/ruff.yml
@@ -11,14 +11,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout
+ uses: actions/checkout@v6
 - name: Setup Python
 uses: actions/setup-python@v4
 with:
 python-version: 3.9
 cache: 'pip'
- - name: Checkout
- uses: actions/checkout@master
 - name: Install Dependencies
 run: |
 pip install ruff
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 786518a..0243d5e 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -15,9 +15,9 @@ jobs:
 python-version: ['3.10', '3.11', '3.12', '3.13', '3.14']
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v4
+ uses: actions/setup-python@v6
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install Python dependencies
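Review bot: The new `uses: docker/metadata-action@v5` and `uses: docker/build-push-action@v6` lines replace full-commit pins with floating major tags, while `docker/login-action` in the same workflow stays pinned to a commit; in a job that logs in to the registry and pushes with `push: true`, a tag is a mutable reference that can be repointed upstream, so relative to the removed lines this is a supply-chain regression, and `docker/setup-buildx-action@v3` has the same issue. Pin all three to a commit and keep the tag as a comment, e.g. `uses: docker/metadata-action@<commit-sha>  # v5`. Separately, the removed `actions/attest-build-provenance` step produced a GitHub-signed attestation for `steps.push.outputs.digest`, whereas `provenance: mode=max` and `sbom: true` attach BuildKit-generated attestations to the image manifest; if consumers verify images with `gh attestation verify`, that path is gone, and `attestations: write` plus `id-token: write` (context in the previous hunk) look unused now — confirm nothing outside these hunks still relies on them before either keeping the old step alongside or dropping the permissions.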
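Review bot: In the ruff.yml hunk the checkout step moves to `actions/checkout@v6` and the duplicated `actions/checkout@master` step is dropped, but `uses: actions/setup-python@v4` is left at v4 even though the same commit bumps mypy.yml and tests.yml to `actions/setup-python@v6`; the three workflows should agree, `uses: actions/setup-python@v6`. The untouched context line `python-version: 3.9` is an unquoted float, which happens to work for 3.9 but would silently become `3.1` the day it is bumped to 3.10 — quote it as `python-version: '3.9'` (mypy.yml carries the same line, and tests.yml already quotes its matrix entries).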
diff --git a/.github/workflows/update-ios-data.yml b/.github/workflows/update-ios-data.yml
index f44615a..5df9cfa 100644
--- a/.github/workflows/update-ios-data.yml
+++ b/.github/workflows/update-ios-data.yml
@@ -16,7 +16,7 @@ jobs:
 - name: Run script to fetch latest iOS releases from Apple RSS feed.
 run: python3 .github/workflows/scripts/update-ios-releases.py
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v5
+ uses: peter-evans/create-pull-request@v8
 with:
 title: '[auto] Update iOS releases and versions'
 commit-message: Add new iOS versions and build numbers
@@ -27,4 +27,4 @@ jobs:
 add-paths: |
 *.json
 labels: |
- automated pr
\ No newline at end of file
+ automated pr
diff --git a/Dockerfile b/Dockerfile
index 7880cc1..0db3853 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # Base image for building libraries
 # ---------------------------------
-FROM ubuntu:22.04 as build-base
+FROM ubuntu:22.04 AS build-base
 ARG DEBIAN_FRONTEND=noninteractive
@@ -22,7 +22,7 @@ RUN apt-get update \
 # libplist
 # --------
-FROM build-base as build-libplist
+FROM build-base AS build-libplist
 # Build
 RUN git clone https://github.com/libimobiledevice/libplist && cd libplist \
@@ -32,7 +32,7 @@ RUN git clone https://github.com/libimobiledevice/libplist && cd libplist \
 # libimobiledevice-glue
 # ---------------------
-FROM build-base as build-libimobiledevice-glue
+FROM build-base AS build-libimobiledevice-glue
 # Install dependencies
 COPY --from=build-libplist /build /
@@ -45,7 +45,7 @@ RUN git clone https://github.com/libimobiledevice/libimobiledevice-glue && cd li
 # libtatsu
 # --------
-FROM build-base as build-libtatsu
+FROM build-base AS build-libtatsu
 # Install dependencies
 COPY --from=build-libplist /build /
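Review bot: `FROM ubuntu:22.04 AS build-base` — and every other `FROM` line this commit touches in Dockerfile and Dockerfile.ios, including `FROM ubuntu:24.04 AS main` and `FROM python:3.10.14-alpine3.20 AS main` — still selects the base image by mutable tag rather than by digest, and the visible `RUN git clone https://github.com/libimobiledevice/libplist ...` context lines fetch whatever the upstream default branch currently points at (unless the continuation lines outside the hunk check out a fixed ref). The commit's stated goal is provenance and SBOM attestations, but those only record the inputs a given build happened to resolve; with unpinned bases and clones, two builds of the same commit can legitimately attest different contents. Pin the bases by digest, `FROM ubuntu:22.04@sha256:<digest> AS build-base`, and clone a fixed tag or commit (`git clone --branch <tag> ...`, or a checkout of a recorded commit) so the attestation describes a reproducible build. This is pre-existing rather than introduced here; the keyword-case change itself is fine.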
@@ -58,7 +58,7 @@ RUN git clone https://github.com/libimobiledevice/libtatsu && cd libtatsu \
 # libusbmuxd
 # ----------
-FROM build-base as build-libusbmuxd
+FROM build-base AS build-libusbmuxd
 # Install dependencies
 COPY --from=build-libplist /build /
@@ -72,7 +72,7 @@ RUN git clone https://github.com/libimobiledevice/libusbmuxd && cd libusbmuxd \
 # libimobiledevice
 # ----------------
-FROM build-base as build-libimobiledevice
+FROM build-base AS build-libimobiledevice
 # Install dependencies
 COPY --from=build-libplist /build /
@@ -88,7 +88,7 @@ RUN git clone https://github.com/libimobiledevice/libimobiledevice && cd libimob
 # usbmuxd
 # -------
-FROM build-base as build-usbmuxd
+FROM build-base AS build-usbmuxd
 # Install dependencies
 COPY --from=build-libplist /build /
@@ -103,7 +103,7 @@ RUN git clone https://github.com/libimobiledevice/usbmuxd && cd usbmuxd \
 # Create main image
-FROM ubuntu:24.04 as main
+FROM ubuntu:24.04 AS main
 LABEL org.opencontainers.image.url="https://mvt.re"
 LABEL org.opencontainers.image.documentation="https://docs.mvt.re"
diff --git a/Dockerfile.android b/Dockerfile.android
index 6056e45..1c82999 100644
--- a/Dockerfile.android
+++ b/Dockerfile.android
@@ -1,5 +1,5 @@
 # Create main image
-FROM python:3.10.14-alpine3.20 as main
+FROM python:3.10.14-alpine3.20 AS main
 LABEL org.opencontainers.image.url="https://mvt.re"
 LABEL org.opencontainers.image.documentation="https://docs.mvt.re"
diff --git a/Dockerfile.ios b/Dockerfile.ios
index d5387fb..78c1967 100644
--- a/Dockerfile.ios
+++ b/Dockerfile.ios
@@ -1,6 +1,6 @@
 # Base image for building libraries
 # ---------------------------------
-FROM ubuntu:22.04 as build-base
+FROM ubuntu:22.04 AS build-base
 ARG DEBIAN_FRONTEND=noninteractive
@@ -22,7 +22,7 @@ RUN apt-get update \
 # libplist
 # --------
-FROM build-base as build-libplist
+FROM build-base AS build-libplist
 # Build
 RUN git clone https://github.com/libimobiledevice/libplist && cd libplist \
@@ -32,7 +32,7 @@ RUN git clone https://github.com/libimobiledevice/libplist && cd libplist \
 # libimobiledevice-glue
 # ---------------------
-FROM build-base as build-libimobiledevice-glue
+FROM build-base AS build-libimobiledevice-glue
 # Install dependencies
 COPY --from=build-libplist /build /
@@ -45,7 +45,7 @@ RUN git clone https://github.com/libimobiledevice/libimobiledevice-glue && cd li
 # libtatsu
 # --------
-FROM build-base as build-libtatsu
+FROM build-base AS build-libtatsu
 # Install dependencies
 COPY --from=build-libplist /build /
@@ -58,7 +58,7 @@ RUN git clone https://github.com/libimobiledevice/libtatsu && cd libtatsu \
 # libusbmuxd
 # ----------
-FROM build-base as build-libusbmuxd
+FROM build-base AS build-libusbmuxd
 # Install dependencies
 COPY --from=build-libplist /build /
@@ -72,7 +72,7 @@ RUN git clone https://github.com/libimobiledevice/libusbmuxd && cd libusbmuxd \
 # libimobiledevice
 # ----------------
-FROM build-base as build-libimobiledevice
+FROM build-base AS build-libimobiledevice
 # Install dependencies
 COPY --from=build-libplist /build /
@@ -88,7 +88,7 @@ RUN git clone https://github.com/libimobiledevice/libimobiledevice && cd libimob
 # usbmuxd
 # -------
-FROM build-base as build-usbmuxd
+FROM build-base AS build-usbmuxd
 # Install dependencies
 COPY --from=build-libplist /build /
@@ -104,7 +104,7 @@ RUN git clone https://github.com/libimobiledevice/usbmuxd && cd usbmuxd \
 # Main image
 # ----------
-FROM python:3.10.14-alpine3.20 as main
+FROM python:3.10.14-alpine3.20 AS main
 LABEL org.opencontainers.image.url="https://mvt.re"
 LABEL org.opencontainers.image.documentation="https://docs.mvt.re"