name: Release on: push: tags: - 'v[0-9]*' permissions: contents: write packages: write attestations: write id-token: write env: GHCR_IMAGE: ghcr.io/${{ github.repository }} DOCKERHUB_IMAGE: docker.io/${{ github.repository }} COSIGN_REPOSITORY: docker.io/${{ github.repository }}-signatures jobs: check-version: name: Check Version runs-on: ubuntu-latest outputs: prerelease: ${{ steps.version.outputs.prerelease && true || false }} steps: - name: Check version uses: madhead/semver-utils@v4 id: version with: version: ${{ github.ref_name }} lenient: false create-release: name: Create Release runs-on: ubuntu-latest needs: check-version steps: - name: Checkout repository uses: actions/checkout@v4 - name: Create release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | gh release create \ "$GITHUB_REF_NAME" \ ${{ needs.check-version.outputs.prerelease == 'true' && '--prerelease' || '' }} \ --notes "Directus $GITHUB_REF_NAME" publish-npm: name: Publish to NPM runs-on: ubuntu-latest needs: check-version permissions: actions: write attestations: write checks: write contents: write deployments: write discussions: write id-token: write issues: write models: read packages: write pages: write pull-requests: write security-events: write statuses: write steps: - name: Checkout repository uses: actions/checkout@v4 - name: Prepare uses: ./.github/actions/prepare with: registry: https://registry.npmjs.org - name: Publish packages to NPM env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NPM_CONFIG_PROVENANCE: true run: | pnpm --recursive publish \ --access=public \ --no-git-checks \ --tag ${{ needs.check-version.outputs.prerelease == 'true' && 'canary' || 'latest' }} build-images: name: Build Images runs-on: ubuntu-latest needs: check-version permissions: actions: write attestations: write checks: write contents: write deployments: write discussions: write id-token: write issues: write models: read packages: write pages: write pull-requests: write security-events: write statuses: write steps: - name: Checkout repository uses: actions/checkout@v4 - name: Setup QEMU uses: docker/setup-qemu-action@v3 - name: Install Cosign uses: sigstore/cosign-installer@v3 if: env.DOCKERHUB_IMAGE - name: Setup Docker Buildx uses: docker/setup-buildx-action@v3 - name: Cache Docker layers uses: actions/cache@v4 with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} restore-keys: | ${{ runner.os }}-buildx- - name: Extract metadata for Docker image id: meta uses: docker/metadata-action@v5 with: images: | ${{ env.DOCKERHUB_IMAGE }} ${{ env.GHCR_IMAGE }} tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} type=raw,value=canary,enable=${{ needs.check-version.outputs.prerelease }} - name: Login to Docker Hub uses: docker/login-action@v3 if: env.DOCKERHUB_IMAGE with: registry: docker.io username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Login to GHCR uses: docker/login-action@v3 if: env.GHCR_IMAGE with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push uses: docker/build-push-action@v6 id: build-and-push with: context: . file: ./Dockerfile tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} platforms: linux/amd64,linux/arm64 push: true cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Sign Docker Hub image with GitHub OIDC Token if: env.DOCKERHUB_IMAGE env: DIGEST: ${{ steps.build-and-push.outputs.digest }} run: cosign sign --yes --recursive ${DOCKERHUB_IMAGE}@${DIGEST} # Temp fix: # https://github.com/docker/build-push-action/issues/252 # https://github.com/moby/buildkit/issues/1896 - name: Move cache run: | rm -rf /tmp/.buildx-cache mv /tmp/.buildx-cache-new /tmp/.buildx-cache