ci: go eat ur fking shit tmp tags

.github/workflows/build-docker.yml

@@ -9,37 +9,51 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: krau/saveany-bot
 
+concurrency:
+  group: docker-build-${{ github.repository }}
+  cancel-in-progress: true
+
 jobs:
   prepare:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       version: ${{ steps.vars.outputs.version }}
-      git_commit: ${{ steps.vars.outputs.git_commit }}
+      major_minor: ${{ steps.vars.outputs.major_minor }}
+      short_sha: ${{ steps.vars.outputs.short_sha }}
       build_time: ${{ steps.vars.outputs.build_time }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
-      - id: vars
+
+      - name: Extract Version Components
+        id: vars
         run: |
           VERSION=${GITHUB_REF#refs/tags/v}
+          MAJOR_MINOR=$(echo "$VERSION" | cut -d. -f1,2)
+          SHORT_SHA=$(git rev-parse --short HEAD)
+
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-          echo "git_commit=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+          echo "major_minor=$MAJOR_MINOR" >> "$GITHUB_OUTPUT"
+          echo "short_sha=$SHORT_SHA" >> "$GITHUB_OUTPUT"
           echo "build_time=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"
 
   build:
     needs: prepare
+    permissions:
+      contents: read
+      packages: write
     strategy:
       matrix:
         arch: [amd64, arm64]
         type: [default, micro, pico]
       fail-fast: false
     runs-on: ${{ matrix.arch == 'amd64' && 'ubuntu-latest' || 'ubuntu-24.04-arm' }}
-    permissions:
+
-      contents: read
-      packages: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -51,24 +65,40 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push by arch
+      - name: Build and push by digest
         id: build
         uses: docker/build-push-action@v6
         with:
           context: .
           file: ${{ matrix.type == 'default' && './Dockerfile' || format('./Dockerfile.{0}', matrix.type) }}
           platforms: ${{ matrix.arch == 'amd64' && 'linux/amd64' || 'linux/arm64' }}
-          push: true
+          # 关键修改：不再使用 tags，而是通过 image output 按摘要推送
-          tags: |
+          outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.type }}-${{ matrix.arch }}
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.type }}-${{ needs.prepare.outputs.version }}-${{ matrix.arch }}
           build-args: |
             VERSION=${{ needs.prepare.outputs.version }}
-            GitCommit=${{ needs.prepare.outputs.git_commit }}
+            GitCommit=${{ needs.prepare.outputs.short_sha }}
             BuildTime=${{ needs.prepare.outputs.build_time }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name:
+          Export digest
+          # 将 digest 写入文件，供后续步骤读取
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+          echo "$digest" > /tmp/digests/digest
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digest-${{ matrix.type }}-${{ matrix.arch }}
+          path: /tmp/digests/digest
+          if-no-files-found: error
+          retention-days: 1
+
   create-manifest:
     needs: [prepare, build]
     runs-on: ubuntu-latest
@@ -85,24 +115,49 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Create and push manifest group
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digest-${{ matrix.type }}-*
+          merge-multiple: false
+
+      - name: Create and push manifest lists
         run: |
-          TAG_PREFIX="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
+          REPO="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
           VERSION="${{ needs.prepare.outputs.version }}"
+          MAJOR_MINOR="${{ needs.prepare.outputs.major_minor }}"
+          SHA="${{ needs.prepare.outputs.short_sha }}"
           TYPE="${{ matrix.type }}"
 
+          DIGEST_AMD64=$(cat /tmp/digests/digest-${TYPE}-amd64/digest)
+          DIGEST_ARM64=$(cat /tmp/digests/digest-${TYPE}-arm64/digest)
+
+          echo "Found digests for $TYPE:"
+          echo "AMD64: $DIGEST_AMD64"
+          echo "ARM64: $DIGEST_ARM64"
+
+          TAGS=()
+
           if [ "$TYPE" == "default" ]; then
-            TARGET_TAGS=("$TAG_PREFIX:latest" "$TAG_PREFIX:$VERSION")
+            TAGS+=("$REPO:latest")
+            TAGS+=("$REPO:$VERSION")
+            TAGS+=("$REPO:$MAJOR_MINOR")
+            TAGS+=("$REPO:sha-$SHA")
           else
-            TARGET_TAGS=("$TAG_PREFIX:$TYPE" "$TAG_PREFIX:$TYPE-latest" "$TAG_PREFIX:$TYPE-$VERSION")
+            TAGS+=("$REPO:$TYPE")
+            TAGS+=("$REPO:$TYPE-latest")
+            TAGS+=("$REPO:$TYPE-$VERSION")
           fi
 
-          for final_tag in "${TARGET_TAGS[@]}"; do
+          SRC_AMD64="${REPO}@${DIGEST_AMD64}"
-            docker buildx imagetools create -t "$final_tag" \
+          SRC_ARM64="${REPO}@${DIGEST_ARM64}"
-              "$TAG_PREFIX:$TYPE-amd64" \
-              "$TAG_PREFIX:$TYPE-arm64"
-          done
 
-      - name: Inspect manifest
+          echo "Creating manifest list with sources:"
-        run: |
+          echo "  $SRC_AMD64"
-          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.type }}
+          echo "  $SRC_ARM64"
+
+          for TAG in "${TAGS[@]}"; do
+            echo "Pushing tag: $TAG"
+            docker buildx imagetools create -t "$TAG" "$SRC_AMD64" "$SRC_ARM64"
+          done