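# CI pipeline: runs the security, test and lint workflows on every pull request
# and branch push, then publishes a container image to GHCR when the pushed
# commit carries a vX.Y.Z tag.
name: CI

on:
  pull_request:
  push:
    branches:
      - "**"
    # Tag pushes never start this workflow; publishing is driven by branch
    # pushes whose head commit already has a semver tag (see the semver step).
    tags-ignore:
      - "**"

# Workflow-wide default: read-only token. Only the publish job widens it.
permissions:
  contents: read

jobs:
  security:
    name: Run security workflow
    uses: ./.github/workflows/security.yml

  tests:
    name: Run test workflow
    uses: ./.github/workflows/tests.yml

  lint:
    name: Run lint workflow
    uses: ./.github/workflows/lint.yml

  publish:
    name: Publish image
    runs-on: ubuntu-latest
    # Publishing is gated on all three check workflows succeeding.
    needs:
      - security
      - tests
      - lint
    # NOTE(review): this matches a push to ANY branch, so a semver tag on a
    # commit of a non-default branch also publishes. Confirm that tag creation
    # is restricted (tag protection / rulesets) or limit this job to the
    # release branch.
    if: github.event_name == 'push'
    permissions:
      contents: read
      packages: write
    # NOTE(review): the actions below are referenced by mutable version tags
    # while this job holds a packages: write token. Pinning each one to a full
    # commit SHA keeps a re-pointed tag from changing what runs here.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Full history and tags are needed for `git tag --points-at` below.
          fetch-depth: 0
          # No later step talks to the git remote, so do not leave the job
          # token configured for git once the checkout has finished.
          persist-credentials: false

      - name: Detect semver tag on current commit
        id: semver
        # Emits found=true plus raw_tag/version when a tag of the exact form
        # vMAJOR.MINOR.PATCH points at the pushed commit, else found=false.
        # The anchored regex keeps the tag (and so the image tag) to digits
        # and dots; `|| true` stops a no-match grep from failing the step.
        # NOTE(review): a tag pushed after the branch push is not picked up,
        # because tag pushes are ignored above; confirm the release procedure.
        run: |
          SEMVER_TAG="$(git tag --points-at "$GITHUB_SHA" | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1 || true)"
          if [ -n "$SEMVER_TAG" ]; then
            {
              echo "found=true"
              echo "raw_tag=$SEMVER_TAG"
              echo "version=${SEMVER_TAG#v}"
            } >> "$GITHUB_OUTPUT"
          else
            echo "found=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Compute image name
        if: steps.semver.outputs.found == 'true'
        id: image
        # The repository path is lowercased before it is used as the image name.
        run: echo "name=ghcr.io/$(echo "${GITHUB_REPOSITORY}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        if: steps.semver.outputs.found == 'true'
        uses: docker/setup-buildx-action@v3

      - name: Login to GHCR
        if: steps.semver.outputs.found == 'true'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # Job-scoped token; its packages: write grant comes from the
          # permissions block of this job.
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and publish image
        if: steps.semver.outputs.found == 'true'
        uses: docker/build-push-action@v6
        with:
          # NOTE(review): the whole checkout is the build context; verify that
          # .dockerignore keeps .git and local secrets out of the image.
          context: .
          file: ./Dockerfile
          push: true
          tags: ${{ steps.image.outputs.name }}:${{ steps.semver.outputs.version }}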