mirror of
https://github.com/Syngnat/GoNavi.git
synced 2026-07-18 03:12:16 +08:00
- 密码策略统一为至少六个可见字符,覆盖初始化与设置中心改密 - 支持 GONAVI_WEB_PASSWORD 启动同步并保留既有 2FA 与会话配置 - 设置中心识别环境托管状态并禁用临时改密 - Compose、env 示例及双语文档补充密码配置和容器重建说明 - 增加认证持久化、环境覆盖、前端状态与 Docker 登录回归校验
252 lines
9.3 KiB
YAML
252 lines
9.3 KiB
YAML
name: Docker Images
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- dev
|
|
tags:
|
|
- 'v*'
|
|
|
|
concurrency:
|
|
group: docker-images-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
|
|
jobs:
|
|
build:
|
|
name: Build ${{ matrix.image_name }} (${{ matrix.platform }})
|
|
runs-on: ${{ matrix.runner }}
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
image_name:
|
|
- gonavi-mcp-server
|
|
- gonavi-web-server
|
|
- gonavi-build-env
|
|
platform:
|
|
- linux/amd64
|
|
- linux/arm64
|
|
include:
|
|
- image_name: gonavi-mcp-server
|
|
dockerfile: Dockerfile.mcp-server
|
|
description: GoNavi MCP Server container image
|
|
- image_name: gonavi-web-server
|
|
dockerfile: Dockerfile.web-server
|
|
description: GoNavi Web Server (browser UI) container image
|
|
- image_name: gonavi-build-env
|
|
dockerfile: Dockerfile.build-env
|
|
description: GoNavi Linux build environment image
|
|
- platform: linux/amd64
|
|
runner: ubuntu-latest
|
|
- platform: linux/arm64
|
|
runner: ubuntu-24.04-arm
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Validate runtime Dockerfiles
|
|
if: matrix.image_name == 'gonavi-web-server'
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
bash tools/validate-web-server-dockerfile.test.sh
|
|
env_file="$(mktemp)"
|
|
trap 'rm -f "$env_file"' EXIT
|
|
printf 'GONAVI_HOST_DATA_ROOT=%s\nGONAVI_WEB_PASSWORD=123456\n' "${RUNNER_TEMP}/gonavi-data" >"$env_file"
|
|
rendered="$(docker compose --env-file "$env_file" -f docker-compose.web-server.yml config)"
|
|
grep -Eq "GONAVI_WEB_PASSWORD: ['\"]?123456['\"]?$" <<<"$rendered"
|
|
|
|
- name: Prepare build variables
|
|
id: prep
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
echo "owner_lc=$(printf '%s' "${GITHUB_REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
|
|
echo "platform_pair=$(printf '%s' "${{ matrix.platform }}" | tr '/' '-')" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Log in to GHCR
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Extract Docker metadata
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ghcr.io/${{ steps.prep.outputs.owner_lc }}/${{ matrix.image_name }}
|
|
labels: |
|
|
org.opencontainers.image.title=${{ matrix.image_name }}
|
|
org.opencontainers.image.description=${{ matrix.description }}
|
|
|
|
- name: Build smoke image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: ${{ matrix.dockerfile }}
|
|
platforms: ${{ matrix.platform }}
|
|
load: true
|
|
tags: codex-smoke/${{ matrix.image_name }}:local
|
|
cache-from: type=gha,scope=${{ matrix.image_name }}-${{ steps.prep.outputs.platform_pair }}
|
|
|
|
- name: Smoke test MCP Server image
|
|
if: matrix.image_name == 'gonavi-mcp-server'
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
cid="$(docker run -d -p 8765:8765 -e GONAVI_MCP_HTTP_TOKEN=smoke-token codex-smoke/${{ matrix.image_name }}:local http)"
|
|
trap 'docker rm -f "$cid" >/dev/null 2>&1 || true' EXIT
|
|
for _ in 1 2 3 4 5 6 7 8 9 10; do
|
|
if curl --fail --silent http://127.0.0.1:8765/healthz >/dev/null; then
|
|
exit 0
|
|
fi
|
|
sleep 1
|
|
done
|
|
docker logs "$cid"
|
|
echo "MCP Server image smoke test failed" >&2
|
|
exit 1
|
|
|
|
- name: Smoke test Web Server image
|
|
if: matrix.image_name == 'gonavi-web-server'
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
cookie_jar="$(mktemp)"
|
|
cid=""
|
|
trap 'rm -f "$cookie_jar"; if [[ -n "$cid" ]]; then docker rm -f "$cid" >/dev/null 2>&1 || true; fi' EXIT
|
|
cid="$(docker run -d -p 34116:34116 -e GONAVI_WEB_ADDR=0.0.0.0:34116 -e GONAVI_WEB_PASSWORD=123456 codex-smoke/${{ matrix.image_name }}:local web-server)"
|
|
ready=false
|
|
for _ in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
|
|
if curl --fail --silent http://127.0.0.1:34116/__gonavi/healthz >/dev/null; then
|
|
ready=true
|
|
break
|
|
fi
|
|
sleep 1
|
|
done
|
|
if [[ "$ready" != "true" ]]; then
|
|
docker logs "$cid"
|
|
echo "Web Server image smoke test failed" >&2
|
|
exit 1
|
|
fi
|
|
status="$(curl --fail --silent --show-error http://127.0.0.1:34116/__gonavi/auth/status)"
|
|
grep -Fq '"configured":true' <<<"$status"
|
|
login="$(curl --fail --silent --show-error -c "$cookie_jar" -H 'Content-Type: application/json' -d '{"password":"123456","code":""}' http://127.0.0.1:34116/__gonavi/auth/login)"
|
|
grep -Fq '"success":true' <<<"$login"
|
|
app_status="$(curl --silent --show-error -o /dev/null -w '%{http_code}' -b "$cookie_jar" http://127.0.0.1:34116/)"
|
|
[[ "$app_status" == "200" ]]
|
|
|
|
- name: Smoke test build environment image
|
|
if: matrix.image_name == 'gonavi-build-env'
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
docker run --rm codex-smoke/${{ matrix.image_name }}:local \
|
|
bash -lc 'go version && node -v && npm -v && wails version'
|
|
|
|
- name: Push by digest
|
|
id: push
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: ${{ matrix.dockerfile }}
|
|
platforms: ${{ matrix.platform }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
tags: ghcr.io/${{ steps.prep.outputs.owner_lc }}/${{ matrix.image_name }}
|
|
outputs: type=image,push-by-digest=true,name-canonical=true,push=true
|
|
cache-from: type=gha,scope=${{ matrix.image_name }}-${{ steps.prep.outputs.platform_pair }}
|
|
cache-to: type=gha,mode=max,scope=${{ matrix.image_name }}-${{ steps.prep.outputs.platform_pair }}
|
|
|
|
- name: Export digest
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
mkdir -p "${{ runner.temp }}/digests"
|
|
digest="${{ steps.push.outputs.digest }}"
|
|
touch "${{ runner.temp }}/digests/${digest#sha256:}"
|
|
|
|
- name: Upload digest
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: digests-${{ matrix.image_name }}-${{ steps.prep.outputs.platform_pair }}
|
|
path: ${{ runner.temp }}/digests/*
|
|
if-no-files-found: error
|
|
retention-days: 1
|
|
|
|
merge:
|
|
name: Publish ${{ matrix.image_name }}
|
|
runs-on: ubuntu-latest
|
|
needs: build
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- image_name: gonavi-mcp-server
|
|
description: GoNavi MCP Server container image
|
|
- image_name: gonavi-web-server
|
|
description: GoNavi Web Server (browser UI) container image
|
|
- image_name: gonavi-build-env
|
|
description: GoNavi Linux build environment image
|
|
steps:
|
|
- name: Normalize image namespace
|
|
id: vars
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
echo "owner_lc=$(printf '%s' "${GITHUB_REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Download digests
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
path: ${{ runner.temp }}/digests
|
|
pattern: digests-${{ matrix.image_name }}-*
|
|
merge-multiple: true
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Log in to GHCR
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Extract Docker metadata
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ghcr.io/${{ steps.vars.outputs.owner_lc }}/${{ matrix.image_name }}
|
|
flavor: |
|
|
latest=false
|
|
tags: |
|
|
type=raw,value=dev-latest,enable=${{ github.ref == 'refs/heads/dev' }}
|
|
type=sha,format=short,prefix=dev-,enable=${{ github.ref == 'refs/heads/dev' }}
|
|
type=semver,pattern={{version}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
|
|
type=semver,pattern={{major}}.{{minor}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
|
|
type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}
|
|
labels: |
|
|
org.opencontainers.image.title=${{ matrix.image_name }}
|
|
org.opencontainers.image.description=${{ matrix.description }}
|
|
|
|
- name: Create manifest list and push
|
|
working-directory: ${{ runner.temp }}/digests
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
docker buildx imagetools create \
|
|
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
|
|
$(printf 'ghcr.io/${{ steps.vars.outputs.owner_lc }}/${{ matrix.image_name }}@sha256:%s ' *)
|
|
|
|
- name: Inspect image
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
docker buildx imagetools inspect "ghcr.io/${{ steps.vars.outputs.owner_lc }}/${{ matrix.image_name }}:${{ steps.meta.outputs.version }}"
|