diff --git a/.gitea/workflows/itom-platform-auto-build.yml b/.gitea/workflows/itom-platform-auto-build.yml index 03432ad..653b116 100644 --- a/.gitea/workflows/itom-platform-auto-build.yml +++ b/.gitea/workflows/itom-platform-auto-build.yml @@ -10,51 +10,15 @@ permissions: contents: read packages: write -env: - # CI 触发模式:优先仓库变量,其次 Secrets(默认 dispatch) - CI_TRIGGER_MODE_VAR: ${{ vars.CI_TRIGGER_MODE }} - CI_TRIGGER_MODE_SECRET: ${{ secrets.CI_TRIGGER_MODE }} - jobs: build: runs-on: ubuntu-latest env: - # 使用 Docker Hub 作为镜像仓库 - REGISTRY: docker.io - # Docker Hub 个人命名空间(需与 DOCKER_USERNAME 一致) - IMAGE: docker.io/kim6789/chat-deploy - # Docker Hub 凭证来自仓库 Secrets - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} + REGISTRY: git.imall.cloud + IMAGE: git.imall.cloud/itom-group/chat-deploy steps: - - name: Check trigger mode - shell: sh - run: | - set -eu - MODE="${CI_TRIGGER_MODE_VAR:-${CI_TRIGGER_MODE_SECRET:-dispatch}}" - EVENT="${GITHUB_EVENT_NAME:-${GITEA_EVENT_NAME:-}}" - ALLOW="false" - case "$EVENT" in - workflow_dispatch) - if [ "$MODE" = "dispatch" ] || [ "$MODE" = "both" ]; then - ALLOW="true" - fi - ;; - push) - if [ "$MODE" = "push" ] || [ "$MODE" = "both" ]; then - ALLOW="true" - fi - ;; - esac - echo "CI_TRIGGER_MODE=$MODE" >> "$GITHUB_ENV" - echo "CI_TRIGGER_ALLOWED=$ALLOW" >> "$GITHUB_ENV" - if [ "$ALLOW" != "true" ]; then - echo "Skip build: event=$EVENT mode=$MODE" - fi - - name: Install git - if: ${{ env.CI_TRIGGER_ALLOWED == 'true' }} shell: sh run: | set -eu @@ -63,7 +27,6 @@ jobs: fi - name: Checkout - if: ${{ env.CI_TRIGGER_ALLOWED == 'true' }} shell: sh env: GIT_USER: ${{ secrets.GIT_USER }} @@ -116,7 +79,6 @@ jobs: fi - name: Prepare tags - if: ${{ env.CI_TRIGGER_ALLOWED == 'true' }} shell: sh run: | set -eu @@ -131,7 +93,6 @@ jobs: echo "SHA_SHORT=$SHA_SHORT" >> "$GITHUB_ENV" - name: Resolve Dockerfile - if: ${{ env.CI_TRIGGER_ALLOWED == 'true' }} shell: sh run: | set -eu 
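Review bot: The job-level `env:` block in the first hunk no longer defines `DOCKER_USERNAME` and `DOCKER_PASSWORD`, but the `Login registry` and `Build and push images` steps in the last hunk still read them through `AUTO_REGISTRY_USER: ${{ env.DOCKER_USERNAME }}` and `AUTO_REGISTRY_PASS: ${{ env.DOCKER_PASSWORD }}`. Unless something outside this diff sets those variables, both expand to empty strings and the `AUTO_REGISTRY` fallback can never succeed; either drop the two mappings or add a comment saying where the values come from. With the `Check trigger mode` gate removed, every event listed under `on:` (not visible in this diff) now builds and pushes with `packages: write`, so that block should be confirmed to contain only the intended triggers.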
@@ -154,29 +115,82 @@ jobs: - name: Login registry - if: ${{ env.CI_TRIGGER_ALLOWED == 'true' }} shell: sh env: - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} + GIT_USER: ${{ secrets.GIT_USER }} + GIT_TOKEN: ${{ secrets.GIT_TOKEN }} + REGISTRY_USER: ${{ secrets.REGISTRY_USER }} + REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} + AUTO_REGISTRY_USER: ${{ env.DOCKER_USERNAME }} + AUTO_REGISTRY_PASS: ${{ env.DOCKER_PASSWORD }} + run: | set -eu - # 使用 Docker Hub 凭证登录 - if [ -z "${DOCKER_USERNAME:-}" ] || [ -z "${DOCKER_PASSWORD:-}" ]; then - echo "ERROR: 缺少 Docker Hub 凭证(DOCKER_USERNAME/DOCKER_PASSWORD)。" - exit 1 + login_try() { + local user="$1" + local pass="$2" + local label="$3" + if [ -z "$user" ] || [ -z "$pass" ]; then + return 1 + fi + if echo "$pass" | docker login "$REGISTRY" -u "$user" --password-stdin >/dev/null 2>&1; then + echo "Registry login ok ($label)" + return 0 + fi + return 1 + } + + if login_try "$REGISTRY_USER" "$REGISTRY_PASSWORD" "REGISTRY_USER"; then + exit 0 fi - echo "$DOCKER_PASSWORD" | docker login "$REGISTRY" -u "$DOCKER_USERNAME" --password-stdin + if login_try "$GIT_USER" "$GIT_TOKEN" "GIT_USER"; then + exit 0 + fi + if login_try "${AUTO_REGISTRY_USER:-}" "${AUTO_REGISTRY_PASS:-}" "AUTO_REGISTRY"; then + exit 0 + fi + + ACTOR="${GITEA_ACTOR:-${FORGEJO_ACTOR:-${GITHUB_ACTOR:-}}}" + JOB_TOKEN="${GITEA_TOKEN:-${FORGEJO_TOKEN:-${GITHUB_TOKEN:-}}}" + if login_try "$ACTOR" "$JOB_TOKEN" "JOB_TOKEN"; then + exit 0 + fi + + echo "ERROR: registry login failed. Provide REGISTRY_USER/REGISTRY_PASSWORD or GIT_USER/GIT_TOKEN with packages write permission." 
+ exit 1 - name: Build and push images - if: ${{ env.CI_TRIGGER_ALLOWED == 'true' }} shell: sh + env: + GIT_USER: ${{ secrets.GIT_USER }} + GIT_TOKEN: ${{ secrets.GIT_TOKEN }} + REGISTRY_USER: ${{ secrets.REGISTRY_USER }} + REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} + AUTO_REGISTRY_USER: ${{ env.DOCKER_USERNAME }} + AUTO_REGISTRY_PASS: ${{ env.DOCKER_PASSWORD }} + run: | set -eu cd "${GITHUB_WORKSPACE:-/workspace}" IMAGE_BRANCH_TAG="$IMAGE:${BRANCH}" IMAGE_SHA_TAG="$IMAGE:sha-${SHA_SHORT}" - docker build -t "$IMAGE_BRANCH_TAG" -t "$IMAGE_SHA_TAG" -f "$DOCKERFILE_PATH" "$BUILD_CONTEXT" + git_user="${GIT_USER:-}" + git_token="${GIT_TOKEN:-}" + registry_user="${REGISTRY_USER:-}" + registry_pass="${REGISTRY_PASSWORD:-}" + if [ -z "$registry_user" ] && [ -n "${AUTO_REGISTRY_USER:-}" ]; then + registry_user="$AUTO_REGISTRY_USER" + registry_pass="${AUTO_REGISTRY_PASS:-}" + fi + set -- docker build + if [ -n "$git_user" ] && [ -n "$git_token" ]; then + set -- "$@" --build-arg "GIT_USER=$git_user" --build-arg "GIT_TOKEN=$git_token" + fi + if [ -n "$registry_user" ] && [ -n "$registry_pass" ]; then + set -- "$@" --build-arg "REGISTRY_USER=$registry_user" --build-arg "REGISTRY_PASSWORD=$registry_pass" + fi + set -- "$@" -t "$IMAGE_BRANCH_TAG" -t "$IMAGE_SHA_TAG" -f "$DOCKERFILE_PATH" "$BUILD_CONTEXT" + "$@" log_image() { local tag="$1"
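Review bot: The `Build and push images` step passes `GIT_TOKEN` and `REGISTRY_PASSWORD` to `docker build` as `--build-arg` values, and build arguments that the Dockerfile consumes are visible to anyone who can pull the pushed image and run `docker history` on it. Prefer BuildKit secret mounts, for example `set -- "$@" --secret id=git_token,env=GIT_TOKEN` paired with `RUN --mount=type=secret,id=git_token` in the Dockerfile, which is outside this diff. In `login_try`, `>/dev/null 2>&1` discards the reason each attempt failed while the chain presents up to four different credentials to `$REGISTRY`; keeping stderr for the final failure would make a misconfigured secret diagnosable without printing any value. `local` is also not POSIX, so under `shell: sh` the function depends on the runner's `sh` supporting it. The step body continues past the end of the hunk at `log_image()`.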