local_roborock_server/.github/workflows/docker-release.yml at main · Python-roborock/local_roborock_server · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
name: docker-release

on:
  pull_request:
  release:
    types:
      - published
  workflow_dispatch:

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

permissions:
  contents: read

concurrency:
  group: docker-release-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version-file: pyproject.toml

      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true

      - name: Install project
        run: uv sync --locked --extra dev

      - name: Run tests
        run: uv run pytest -q

  docker-validate:
    needs: test
    if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      - name: Build Docker image
        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64
          push: false
          cache-from: type=gha
          cache-to: type=gha,mode=max

  docker-release:
    needs: test
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      attestations: write
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version-file: pyproject.toml

      - name: Validate release tag matches package version
        shell: python
        run: |
          import re
          import tomllib
          from pathlib import Path

          tag = "${{ github.event.release.tag_name }}"
          pyproject = tomllib.loads(Path("pyproject.toml").read_text(encoding="utf-8"))
          project_version = str(pyproject["project"]["version"]).strip()

          init_text = Path("src/roborock_local_server/__init__.py").read_text(encoding="utf-8")
          match = re.search(r'__version__\s*=\s*"([^"]+)"', init_text)
          if match is None:
              raise SystemExit("Could not find __version__ in src/roborock_local_server/__init__.py")

          module_version = match.group(1).strip()
          expected_tag = f"v{project_version}"
          if module_version != project_version:
              raise SystemExit(
                  f"Version mismatch: pyproject.toml={project_version}, __init__.py={module_version}"
              )
          if tag != expected_tag:
              raise SystemExit(f"Git tag {tag} does not match package version {expected_tag}")

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          flavor: latest=false
          tags: |
            type=semver,pattern={{version}},value=${{ github.event.release.tag_name }}
            type=semver,pattern={{major}}.{{minor}},value=${{ github.event.release.tag_name }}
            type=semver,pattern={{major}},value=${{ github.event.release.tag_name }}
            type=raw,value=latest,enable=${{ startsWith(github.event.release.tag_name, 'v') && !contains(github.event.release.tag_name, '-') }}
            type=sha,prefix=sha-
          labels: |
            org.opencontainers.image.title=roborock-local-server
            org.opencontainers.image.description=Private Roborock HTTPS and MQTT stack you run on your own system.

      - name: Build and push Docker image
        id: push
        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Generate artifact attestation
        uses: actions/attest@v4
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true