From 2fcfb68587a34c1a2e817d5710f7eb13ae4c0c9b Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Tue, 6 Jan 2026 18:09:51 +0900 Subject: [PATCH 01/34] feat --- .github/workflows/docker-build-publish.yaml | 366 ++++++++++---------- 1 file changed, 183 insertions(+), 183 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index b3bb9a0..3fac6c8 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -7,7 +7,7 @@ name: Build and Publish Docker Image on: schedule: - - cron: '0 10 * * *' + - cron: '0 10 * * *' # If any commit message in your push or the HEAD commit of your PR contains the strings # [skip ci], [ci skip], [no ci], [skip actions], or [actions skip] # workflows triggered on the push or pull_request events will be skipped. @@ -24,7 +24,7 @@ on: branches: [ master ] env: - DOCKER_BUILDX_PLATFORM: linux/amd64 + DOCKER_BUILDX_PLATFORM: linux/amd64,linux/arm64 DOCKER_REGISTRY_ORG: athenz # DOCKER_REGISTRY_USER: values for docker login is stored in repository variables # DOCKER_REGISTRY_TOKEN_NAME: values for docker login is stored in repository variables 
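Review bot: Adding linux/arm64 to DOCKER_BUILDX_PLATFORM publishes an arm64 image that nothing in this workflow exercises: the `Test Docker image` step later in the file runs `docker run --rm <tag> --version` once, which resolves to the runner's native architecture, so the arm64 variant goes out untested. The arm64 stage presumably executes under the emulation installed by the `Set up QEMU` step, and the Dockerfile (visible in later patches of this series) compiles with `-march=native` in its CGO flags, which tunes the emulated build to whatever CPU QEMU exposes — worth confirming the resulting binary starts on real arm64 hardware. A cheap check is to smoke-test each platform, e.g. `docker run --rm --platform linux/arm64 <tag> --version` next to the existing invocation, or at least to note on this line that arm64 is built but not smoke-tested.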
@@ -46,184 +46,184 @@ jobs: statuses: none steps: - # A GitHub Action to expose useful environment variables. - # https://github.com/FranzDiebold/github-env-vars-action - - - name: GitHub Environment Variables Action - id: env - # uses: https://github.com/FranzDiebold/github-env-vars-action/tags - uses: FranzDiebold/github-env-vars-action@v2 - - # A GitHub Action to prepare default environment variables. - - - name: Set Default Environment Variables - id: default_env - run: | - # Use docker.io for Docker Hub if empty - [[ "${{ env.DOCKER_REGISTRY_URL}}" = "" ]] && echo "DOCKER_REGISTRY_URL=docker.io" >> $GITHUB_ENV - [[ "${{ env.DOCKER_REGISTRY_ORG }}" = "" ]] && echo "DOCKER_REGISTRY_ORG=${{ env.CI_REPOSITORY_OWNER }}" >> $GITHUB_ENV - [[ "${{ env.DOCKER_REGISTRY_IMAGE }}" = "" ]] && echo "DOCKER_REGISTRY_IMAGE=${{ env.CI_REPOSITORY_NAME }}" >> $GITHUB_ENV - - # This action checks-out your repository under $GITHUB_WORKSPACE, so your workflow can access it. - # https://github.com/actions/checkout - - - name: Checkout repository - id: checkout - # You may pin to the exact commit or the version. - # uses: https://github.com/actions/checkout/tags - uses: actions/checkout@v4 - - # This action sets up a go environment for use in actions by: - # - Optionally downloading and caching a version of Go by version and adding to PATH. - # - Registering problem matchers for error output. - # https://github.com/actions/setup-go - - - name: Setup Golang - id: setup-go - # You may pin to the exact commit or the version. - # uses: https://github.com/actions/setup-go/tags - uses: actions/setup-go@v4 - with: - go-version: "stable" - go-version-file: './go.mod' - cache: true - - # A GitHub Action for golang tests - - - name: Golang Tests - id: go-tests - run: | - go version - rm -rf example - go test -v -race -covermode=atomic -coverprofile=coverage.out ./... 
- go tool cover -html=coverage.out -o coverage.html - - # https://github.com/apache/skywalking-eyes - # issue: go version hard-coded: https://github.com/apache/skywalking-eyes/blob/5dfa68f93380a5e57259faaf95088b7f133b5778/header/action.yml#L47-L51 - - name: Check License Header - uses: apache/skywalking-eyes/header@main - with: - log: "info" # optional: set the log level. The default value is `info`. - config: ".licenserc.yaml" # optional: set the config file. The default value is `.licenserc.yaml`. - token: "" # optional: the token that license eye uses when it needs to comment on the pull request. Set to empty ("") to disable commenting on pull request. The default value is ${{ github.token }} - mode: "check" # optional: Which mode License-Eye should be run in. Choices are `check` or `fix`. The default value is `check`. - - # The Github action runs CIS Dockerfile benchmark against dockerfiles in repository (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10) - # https://github.com/sysdiglabs/benchmark-dockerfile - - - name: Sysdig Benchmark Dockerfile - id: sysdig - # You may pin to the exact commit or the version. - # uses: https://github.com/sysdiglabs/benchmark-dockerfile/tags - uses: sysdiglabs/benchmark-dockerfile@v1.0.0 - with: - # Directory of dockerfiles (default "./") - directory: "./" - # list of disallowed packages separated by comma (default ") - #disallowedPackages: '' - # list of trusted base images separated by comma (default "", meaning trust any base image) - trustedBaseImages: "" - - # The Github action runs CIS Dockerfile benchmark against dockerfiles in repository (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10) - # https://github.com/sysdiglabs/benchmark-dockerfile - # TODO: Skipping CIS 4.1 check until https://github.com/yahoojapan/authorization-proxy/pull/95 is fixed. - - - name: Post Sysdig Benchmark Dockerfile - id: postsysdig - run: | - echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \ - jq -r . 
- echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \ - jq -r '.cis_docker_benchmark_violation_report[] | select(.rule!="CIS 4.1 Create a user for the container") | .violations[]' | \ - wc -l | \ - xargs -I% test 0 -eq % - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - - name: Extract Docker metadata - id: meta - # You may pin to the exact commit or the version. - # uses: https://github.com/docker/metadata-action/tags - uses: docker/metadata-action@v5 - with: - images: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }} - # for latest tag - # latest=auto for tagging latest only for "master" branch - flavor: | - latest=true - # eg. refs/heads/master - # eg. refs/pull/318/merge - # shorthand for {{major}}.{{minor}}.{{patch}} (can include pre-release) - tags: | - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }} - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} - type=ref,event=pr - type=semver,pattern=v{{version}} - type=schedule,pattern=nightly - - # GitHub Action to login against a Docker registry. - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - - name: Docker Login to registry ${{ env.DOCKER_REGISTRY_URL }} - id: login - # You may pin to the exact commit or the version. - # uses: https://github.com/docker/login-action/tags - uses: docker/login-action@v3 - with: - # Server address of Docker registry. 
If not set then will default to Docker Hub - registry: ${{ env.DOCKER_REGISTRY_URL }} # optional - # Username used to log against the Docker registry - username: ${{ vars.DOCKER_REGISTRY_USER }} # optional - # Password or personal access token used to log against the Docker registry - password: ${{ secrets[vars.DOCKER_REGISTRY_TOKEN_NAME] }} # optional - # Log out from the Docker registry at the end of a job - logout: true # optional, default is true - - # GitHub Action to install QEMU static binaries. - # https://github.com/docker/setup-qemu-action - - - name: Set up QEMU - id: qemu - # You may pin to the exact commit or the version. - # uses: https://github.com/docker/setup-qemu-action/tags - uses: docker/setup-qemu-action@v3 - - # GitHub Action to set up Docker Buildx. - # https://github.com/docker/setup-buildx-action - - - name: Set up Docker Buildx - id: buildx - # You may pin to the exact commit or the version. - # uses: https://github.com/docker/setup-buildx-action/tags - uses: docker/setup-buildx-action@v3 - - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - - - name: Build and push Docker image - id: build_and_push - # You may pin to the exact commit or the version. - # uses: https://github.com/docker/build-push-action/tags - uses: docker/build-push-action@v4 - with: - context: . 
- push: ${{ github.event_name != 'pull_request' }} - load: ${{ github.event_name == 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - # push: true - # load: false - # tags: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }}:nightly - labels: ${{ steps.meta.outputs.labels }} - platforms: ${{ env.DOCKER_BUILDX_PLATFORM }} - build-args: | - APP_VERSION=${{ steps.meta.outputs.version }} - - # Test Docker image - - - name: Test Docker image - id: test_docker - run: | - docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --version + # A GitHub Action to expose useful environment variables. + # https://github.com/FranzDiebold/github-env-vars-action + + - name: GitHub Environment Variables Action + id: env + # uses: https://github.com/FranzDiebold/github-env-vars-action/tags + uses: FranzDiebold/github-env-vars-action@v2 + + # A GitHub Action to prepare default environment variables. + + - name: Set Default Environment Variables + id: default_env + run: | + # Use docker.io for Docker Hub if empty + [[ "${{ env.DOCKER_REGISTRY_URL}}" = "" ]] && echo "DOCKER_REGISTRY_URL=docker.io" >> $GITHUB_ENV + [[ "${{ env.DOCKER_REGISTRY_ORG }}" = "" ]] && echo "DOCKER_REGISTRY_ORG=${{ env.CI_REPOSITORY_OWNER }}" >> $GITHUB_ENV + [[ "${{ env.DOCKER_REGISTRY_IMAGE }}" = "" ]] && echo "DOCKER_REGISTRY_IMAGE=${{ env.CI_REPOSITORY_NAME }}" >> $GITHUB_ENV + + # This action checks-out your repository under $GITHUB_WORKSPACE, so your workflow can access it. + # https://github.com/actions/checkout + + - name: Checkout repository + id: checkout + # You may pin to the exact commit or the version. + # uses: https://github.com/actions/checkout/tags + uses: actions/checkout@v4 + + # This action sets up a go environment for use in actions by: + # - Optionally downloading and caching a version of Go by version and adding to PATH. + # - Registering problem matchers for error output. 
+ # https://github.com/actions/setup-go + + - name: Setup Golang + id: setup-go + # You may pin to the exact commit or the version. + # uses: https://github.com/actions/setup-go/tags + uses: actions/setup-go@v4 + with: + go-version: "stable" + go-version-file: './go.mod' + cache: true + + # A GitHub Action for golang tests + + - name: Golang Tests + id: go-tests + run: | + go version + rm -rf example + go test -v -race -covermode=atomic -coverprofile=coverage.out ./... + go tool cover -html=coverage.out -o coverage.html + + # https://github.com/apache/skywalking-eyes + # issue: go version hard-coded: https://github.com/apache/skywalking-eyes/blob/5dfa68f93380a5e57259faaf95088b7f133b5778/header/action.yml#L47-L51 + - name: Check License Header + uses: apache/skywalking-eyes/header@main + with: + log: "info" # optional: set the log level. The default value is `info`. + config: ".licenserc.yaml" # optional: set the config file. The default value is `.licenserc.yaml`. + token: "" # optional: the token that license eye uses when it needs to comment on the pull request. Set to empty ("") to disable commenting on pull request. The default value is ${{ github.token }} + mode: "check" # optional: Which mode License-Eye should be run in. Choices are `check` or `fix`. The default value is `check`. + + # The Github action runs CIS Dockerfile benchmark against dockerfiles in repository (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10) + # https://github.com/sysdiglabs/benchmark-dockerfile + + - name: Sysdig Benchmark Dockerfile + id: sysdig + # You may pin to the exact commit or the version. 
+ # uses: https://github.com/sysdiglabs/benchmark-dockerfile/tags + uses: sysdiglabs/benchmark-dockerfile@v1.0.0 + with: + # Directory of dockerfiles (default "./") + directory: "./" + # list of disallowed packages separated by comma (default ") + #disallowedPackages: '' + # list of trusted base images separated by comma (default "", meaning trust any base image) + trustedBaseImages: "" + + # The Github action runs CIS Dockerfile benchmark against dockerfiles in repository (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10) + # https://github.com/sysdiglabs/benchmark-dockerfile + # TODO: Skipping CIS 4.1 check until https://github.com/yahoojapan/authorization-proxy/pull/95 is fixed. + + - name: Post Sysdig Benchmark Dockerfile + id: postsysdig + run: | + echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \ + jq -r . + echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \ + jq -r '.cis_docker_benchmark_violation_report[] | select(.rule!="CIS 4.1 Create a user for the container") | .violations[]' | \ + wc -l | \ + xargs -I% test 0 -eq % + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + + - name: Extract Docker metadata + id: meta + # You may pin to the exact commit or the version. + # uses: https://github.com/docker/metadata-action/tags + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }} + # for latest tag + # latest=auto for tagging latest only for "master" branch + flavor: | + latest=true + # eg. refs/heads/master + # eg. 
refs/pull/318/merge + # shorthand for {{major}}.{{minor}}.{{patch}} (can include pre-release) + tags: | + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }} + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} + type=ref,event=pr + type=semver,pattern=v{{version}} + type=schedule,pattern=nightly + + # GitHub Action to login against a Docker registry. + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + + - name: Docker Login to registry ${{ env.DOCKER_REGISTRY_URL }} + id: login + # You may pin to the exact commit or the version. + # uses: https://github.com/docker/login-action/tags + uses: docker/login-action@v3 + with: + # Server address of Docker registry. If not set then will default to Docker Hub + registry: ${{ env.DOCKER_REGISTRY_URL }} # optional + # Username used to log against the Docker registry + username: ${{ vars.DOCKER_REGISTRY_USER }} # optional + # Password or personal access token used to log against the Docker registry + password: ${{ secrets[vars.DOCKER_REGISTRY_TOKEN_NAME] }} # optional + # Log out from the Docker registry at the end of a job + logout: true # optional, default is true + + # GitHub Action to install QEMU static binaries. + # https://github.com/docker/setup-qemu-action + + - name: Set up QEMU + id: qemu + # You may pin to the exact commit or the version. + # uses: https://github.com/docker/setup-qemu-action/tags + uses: docker/setup-qemu-action@v3 + + # GitHub Action to set up Docker Buildx. + # https://github.com/docker/setup-buildx-action + + - name: Set up Docker Buildx + id: buildx + # You may pin to the exact commit or the version. 
+ # uses: https://github.com/docker/setup-buildx-action/tags + uses: docker/setup-buildx-action@v3 + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + + - name: Build and push Docker image + id: build_and_push + # You may pin to the exact commit or the version. + # uses: https://github.com/docker/build-push-action/tags + uses: docker/build-push-action@v4 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + load: ${{ github.event_name == 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + # push: true + # load: false + # tags: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }}:nightly + labels: ${{ steps.meta.outputs.labels }} + platforms: ${{ env.DOCKER_BUILDX_PLATFORM }} + build-args: | + APP_VERSION=${{ steps.meta.outputs.version }} + + # Test Docker image + + - name: Test Docker image + id: test_docker + run: | + docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --version From 4c8b12e809eaf390242c8afba4d23d14e2f01f97 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 08:21:27 +0900 Subject: [PATCH 02/34] fix --- .github/workflows/docker-build-publish.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 3fac6c8..504c8cd 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -210,8 +210,10 @@ jobs: uses: docker/build-push-action@v4 with: context: . - push: ${{ github.event_name != 'pull_request' }} - load: ${{ github.event_name == 'pull_request' }} + # push: ${{ github.event_name != 'pull_request' }} + push: true + # load: ${{ github.event_name == 'pull_request' }} + load: false tags: ${{ steps.meta.outputs.tags }} # push: true # load: false From f91edf55d64ad1dbe4d60ee46447fb7445cf598f Mon Sep 17 00:00:00 2001 
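Review bot: `push: true` here removes the only condition that kept pull-request builds from being published; if the `pull_request` trigger that `type=ref,event=pr` caters for is still enabled, every PR build now pushes a `pr-<n>` image to the registry with the repository's credentials before the change is reviewed or merged (fork PRs have no access to `secrets`, so for them the login step fails rather than publishes). With `load: false` the `Test Docker image` step also pulls the image back from the registry, so the smoke test runs after publication and cannot gate what reaches the registry. Patch 05's `@@ -210,11 +219,9 @@` hunk keeps the same unconditional `push: true`. If publishing PR images is intended, say so in the comment instead of leaving the old expressions commented out (a second `# push: true` / `# load: false` pair already sits a few lines below); otherwise keep `push: ${{ github.event_name != 'pull_request' }}` and gate the login step with `if: github.event_name != 'pull_request'`.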
From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 08:43:55 +0900 Subject: [PATCH 03/34] feat --- Dockerfile | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 9d39a2c..d5755dd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,7 +23,6 @@ RUN adduser -H -S ${APP_NAME} RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \ && GO_VERSION=$(go version | cut -d" " -f3,4) \ && CGO_ENABLED=1 \ - CGO_CXXFLAGS="-g -Ofast -march=native" \ CGO_FFLAGS="-g -Ofast -march=native" \ CGO_LDFLAGS="-g -Ofast -march=native" \ GOOS=$(go env GOOS) \ @@ -32,6 +31,18 @@ RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \ GOEXPERIMENT=noswissmap \ go build -ldflags "-X 'main.Version=${VERSION} at ${BUILD_TIME} by ${GO_VERSION}' -linkmode=external" -a -o "/usr/bin/${APP_NAME}" +# RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \ +# && GO_VERSION=$(go version | cut -d" " -f3,4) \ +# && CGO_ENABLED=1 \ +# CGO_CXXFLAGS="-g -Ofast -march=native" \ +# CGO_FFLAGS="-g -Ofast -march=native" \ +# CGO_LDFLAGS="-g -Ofast -march=native" \ +# GOOS=$(go env GOOS) \ +# GOARCH=$(go env GOARCH) \ +# GO111MODULE=on \ +# GOEXPERIMENT=noswissmap \ +# go build -ldflags "-X 'main.Version=${VERSION} at ${BUILD_TIME} by ${GO_VERSION}' -linkmode=external" -a -o "/usr/bin/${APP_NAME}" + # confirm dependency libraries & cleanup RUN ldd "/usr/bin/${APP_NAME}"\ && apk del build-dependencies --purge \ From ab7a9c6414bdba3157846d51f8455c4b1ad28811 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 09:33:59 +0900 Subject: [PATCH 04/34] feat --- .github/workflows/docker-build-publish.yaml | 366 ++++++++++---------- 1 file changed, 182 insertions(+), 184 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 504c8cd..da73edf 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml 
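Review bot: The second hunk adds a commented-out copy of the whole `go build` invocation immediately after the live one, which leaves two near-identical blocks to keep in sync and says nothing about why `CGO_CXXFLAGS` was dropped in the first hunk; git history already preserves the old form, so the copy should go and a one-line comment above the live `RUN` should state the intent, e.g. `# CGO_CXXFLAGS intentionally unset: <reason>`. Note also that the flags that survive are `CGO_FFLAGS` (Fortran) and `CGO_LDFLAGS`; if the goal is to tune compilation of the C parts of the build, `CGO_CFLAGS` is the variable the C compiler actually receives. With `-march=native` still present and the workflow now building for two platforms, the produced binary is tuned to the build host (or to the CPU QEMU emulates), which deserves a comment on these lines as well. The `RUN` command in the first hunk starts and ends outside it.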
@@ -7,7 +7,7 @@ name: Build and Publish Docker Image on: schedule: - - cron: '0 10 * * *' + - cron: '0 10 * * *' # If any commit message in your push or the HEAD commit of your PR contains the strings # [skip ci], [ci skip], [no ci], [skip actions], or [actions skip] # workflows triggered on the push or pull_request events will be skipped. 
@@ -46,186 +46,184 @@ jobs: statuses: none steps: - # A GitHub Action to expose useful environment variables. - # https://github.com/FranzDiebold/github-env-vars-action - - - name: GitHub Environment Variables Action - id: env - # uses: https://github.com/FranzDiebold/github-env-vars-action/tags - uses: FranzDiebold/github-env-vars-action@v2 - - # A GitHub Action to prepare default environment variables. - - - name: Set Default Environment Variables - id: default_env - run: | - # Use docker.io for Docker Hub if empty - [[ "${{ env.DOCKER_REGISTRY_URL}}" = "" ]] && echo "DOCKER_REGISTRY_URL=docker.io" >> $GITHUB_ENV - [[ "${{ env.DOCKER_REGISTRY_ORG }}" = "" ]] && echo "DOCKER_REGISTRY_ORG=${{ env.CI_REPOSITORY_OWNER }}" >> $GITHUB_ENV - [[ "${{ env.DOCKER_REGISTRY_IMAGE }}" = "" ]] && echo "DOCKER_REGISTRY_IMAGE=${{ env.CI_REPOSITORY_NAME }}" >> $GITHUB_ENV - - # This action checks-out your repository under $GITHUB_WORKSPACE, so your workflow can access it. - # https://github.com/actions/checkout - - - name: Checkout repository - id: checkout - # You may pin to the exact commit or the version. - # uses: https://github.com/actions/checkout/tags - uses: actions/checkout@v4 - - # This action sets up a go environment for use in actions by: - # - Optionally downloading and caching a version of Go by version and adding to PATH. - # - Registering problem matchers for error output. - # https://github.com/actions/setup-go - - - name: Setup Golang - id: setup-go - # You may pin to the exact commit or the version. - # uses: https://github.com/actions/setup-go/tags - uses: actions/setup-go@v4 - with: - go-version: "stable" - go-version-file: './go.mod' - cache: true - - # A GitHub Action for golang tests - - - name: Golang Tests - id: go-tests - run: | - go version - rm -rf example - go test -v -race -covermode=atomic -coverprofile=coverage.out ./... 
- go tool cover -html=coverage.out -o coverage.html - - # https://github.com/apache/skywalking-eyes - # issue: go version hard-coded: https://github.com/apache/skywalking-eyes/blob/5dfa68f93380a5e57259faaf95088b7f133b5778/header/action.yml#L47-L51 - - name: Check License Header - uses: apache/skywalking-eyes/header@main - with: - log: "info" # optional: set the log level. The default value is `info`. - config: ".licenserc.yaml" # optional: set the config file. The default value is `.licenserc.yaml`. - token: "" # optional: the token that license eye uses when it needs to comment on the pull request. Set to empty ("") to disable commenting on pull request. The default value is ${{ github.token }} - mode: "check" # optional: Which mode License-Eye should be run in. Choices are `check` or `fix`. The default value is `check`. - - # The Github action runs CIS Dockerfile benchmark against dockerfiles in repository (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10) - # https://github.com/sysdiglabs/benchmark-dockerfile - - - name: Sysdig Benchmark Dockerfile - id: sysdig - # You may pin to the exact commit or the version. - # uses: https://github.com/sysdiglabs/benchmark-dockerfile/tags - uses: sysdiglabs/benchmark-dockerfile@v1.0.0 - with: - # Directory of dockerfiles (default "./") - directory: "./" - # list of disallowed packages separated by comma (default ") - #disallowedPackages: '' - # list of trusted base images separated by comma (default "", meaning trust any base image) - trustedBaseImages: "" - - # The Github action runs CIS Dockerfile benchmark against dockerfiles in repository (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10) - # https://github.com/sysdiglabs/benchmark-dockerfile - # TODO: Skipping CIS 4.1 check until https://github.com/yahoojapan/authorization-proxy/pull/95 is fixed. - - - name: Post Sysdig Benchmark Dockerfile - id: postsysdig - run: | - echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \ - jq -r . 
- echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \ - jq -r '.cis_docker_benchmark_violation_report[] | select(.rule!="CIS 4.1 Create a user for the container") | .violations[]' | \ - wc -l | \ - xargs -I% test 0 -eq % - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - - name: Extract Docker metadata - id: meta - # You may pin to the exact commit or the version. - # uses: https://github.com/docker/metadata-action/tags - uses: docker/metadata-action@v5 - with: - images: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }} - # for latest tag - # latest=auto for tagging latest only for "master" branch - flavor: | - latest=true - # eg. refs/heads/master - # eg. refs/pull/318/merge - # shorthand for {{major}}.{{minor}}.{{patch}} (can include pre-release) - tags: | - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }} - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} - type=ref,event=pr - type=semver,pattern=v{{version}} - type=schedule,pattern=nightly - - # GitHub Action to login against a Docker registry. - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - - name: Docker Login to registry ${{ env.DOCKER_REGISTRY_URL }} - id: login - # You may pin to the exact commit or the version. - # uses: https://github.com/docker/login-action/tags - uses: docker/login-action@v3 - with: - # Server address of Docker registry. 
If not set then will default to Docker Hub - registry: ${{ env.DOCKER_REGISTRY_URL }} # optional - # Username used to log against the Docker registry - username: ${{ vars.DOCKER_REGISTRY_USER }} # optional - # Password or personal access token used to log against the Docker registry - password: ${{ secrets[vars.DOCKER_REGISTRY_TOKEN_NAME] }} # optional - # Log out from the Docker registry at the end of a job - logout: true # optional, default is true - - # GitHub Action to install QEMU static binaries. - # https://github.com/docker/setup-qemu-action - - - name: Set up QEMU - id: qemu - # You may pin to the exact commit or the version. - # uses: https://github.com/docker/setup-qemu-action/tags - uses: docker/setup-qemu-action@v3 - - # GitHub Action to set up Docker Buildx. - # https://github.com/docker/setup-buildx-action - - - name: Set up Docker Buildx - id: buildx - # You may pin to the exact commit or the version. - # uses: https://github.com/docker/setup-buildx-action/tags - uses: docker/setup-buildx-action@v3 - - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - - - name: Build and push Docker image - id: build_and_push - # You may pin to the exact commit or the version. - # uses: https://github.com/docker/build-push-action/tags - uses: docker/build-push-action@v4 - with: - context: . 
- # push: ${{ github.event_name != 'pull_request' }} - push: true - # load: ${{ github.event_name == 'pull_request' }} - load: false - tags: ${{ steps.meta.outputs.tags }} - # push: true - # load: false - # tags: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }}:nightly - labels: ${{ steps.meta.outputs.labels }} - platforms: ${{ env.DOCKER_BUILDX_PLATFORM }} - build-args: | - APP_VERSION=${{ steps.meta.outputs.version }} - - # Test Docker image - - - name: Test Docker image - id: test_docker - run: | - docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --version + # A GitHub Action to expose useful environment variables. + # https://github.com/FranzDiebold/github-env-vars-action + - + name: GitHub Environment Variables Action + id: env + # uses: https://github.com/FranzDiebold/github-env-vars-action/tags + uses: FranzDiebold/github-env-vars-action@v2 + + # A GitHub Action to prepare default environment variables. + - + name: Set Default Environment Variables + id: default_env + run: | + # Use docker.io for Docker Hub if empty + [[ "${{ env.DOCKER_REGISTRY_URL}}" = "" ]] && echo "DOCKER_REGISTRY_URL=docker.io" >> $GITHUB_ENV + [[ "${{ env.DOCKER_REGISTRY_ORG }}" = "" ]] && echo "DOCKER_REGISTRY_ORG=${{ env.CI_REPOSITORY_OWNER }}" >> $GITHUB_ENV + [[ "${{ env.DOCKER_REGISTRY_IMAGE }}" = "" ]] && echo "DOCKER_REGISTRY_IMAGE=${{ env.CI_REPOSITORY_NAME }}" >> $GITHUB_ENV + + # This action checks-out your repository under $GITHUB_WORKSPACE, so your workflow can access it. + # https://github.com/actions/checkout + - + name: Checkout repository + id: checkout + # You may pin to the exact commit or the version. + # uses: https://github.com/actions/checkout/tags + uses: actions/checkout@v4 + + # This action sets up a go environment for use in actions by: + # - Optionally downloading and caching a version of Go by version and adding to PATH. + # - Registering problem matchers for error output. 
+ # https://github.com/actions/setup-go + - + name: Setup Golang + id: setup-go + # You may pin to the exact commit or the version. + # uses: https://github.com/actions/setup-go/tags + uses: actions/setup-go@v4 + with: + go-version: "stable" + go-version-file: './go.mod' + cache: true + + # A GitHub Action for golang tests + - + name: Golang Tests + id: go-tests + run: | + go version + rm -rf example + go test -v -race -covermode=atomic -coverprofile=coverage.out ./... + go tool cover -html=coverage.out -o coverage.html + + # https://github.com/apache/skywalking-eyes + # issue: go version hard-coded: https://github.com/apache/skywalking-eyes/blob/5dfa68f93380a5e57259faaf95088b7f133b5778/header/action.yml#L47-L51 + - name: Check License Header + uses: apache/skywalking-eyes/header@main + with: + log: "info" # optional: set the log level. The default value is `info`. + config: ".licenserc.yaml" # optional: set the config file. The default value is `.licenserc.yaml`. + token: "" # optional: the token that license eye uses when it needs to comment on the pull request. Set to empty ("") to disable commenting on pull request. The default value is ${{ github.token }} + mode: "check" # optional: Which mode License-Eye should be run in. Choices are `check` or `fix`. The default value is `check`. + + # The Github action runs CIS Dockerfile benchmark against dockerfiles in repository (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10) + # https://github.com/sysdiglabs/benchmark-dockerfile + - + name: Sysdig Benchmark Dockerfile + id: sysdig + # You may pin to the exact commit or the version. 
+ # uses: https://github.com/sysdiglabs/benchmark-dockerfile/tags + uses: sysdiglabs/benchmark-dockerfile@v1.0.0 + with: + # Directory of dockerfiles (default "./") + directory: "./" + # list of disallowed packages separated by comma (default ") + #disallowedPackages: '' + # list of trusted base images separated by comma (default "", meaning trust any base image) + trustedBaseImages: "" + + # The Github action runs CIS Dockerfile benchmark against dockerfiles in repository (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10) + # https://github.com/sysdiglabs/benchmark-dockerfile + # TODO: Skipping CIS 4.1 check until https://github.com/yahoojapan/authorization-proxy/pull/95 is fixed. + - + name: Post Sysdig Benchmark Dockerfile + id: postsysdig + run: | + echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \ + jq -r . + echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \ + jq -r '.cis_docker_benchmark_violation_report[] | select(.rule!="CIS 4.1 Create a user for the container") | .violations[]' | \ + wc -l | \ + xargs -I% test 0 -eq % + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - + name: Extract Docker metadata + id: meta + # You may pin to the exact commit or the version. + # uses: https://github.com/docker/metadata-action/tags + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }} + # for latest tag + # latest=auto for tagging latest only for "master" branch + flavor: | + latest=false # we want to make sure we only push latest tag from conditions defined ourselves + # eg. refs/heads/master + # eg. 
refs/pull/318/merge + # shorthand for {{major}}.{{minor}}.{{patch}} (can include pre-release) + tags: | + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }} + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} + type=ref,event=pr + type=semver,pattern=v{{version}} + type=schedule,pattern=nightly + + # GitHub Action to login against a Docker registry. + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - + name: Docker Login to registry ${{ env.DOCKER_REGISTRY_URL }} + id: login + # You may pin to the exact commit or the version. + # uses: https://github.com/docker/login-action/tags + uses: docker/login-action@v3 + with: + # Server address of Docker registry. If not set then will default to Docker Hub + registry: ${{ env.DOCKER_REGISTRY_URL }} # optional + # Username used to log against the Docker registry + username: ${{ vars.DOCKER_REGISTRY_USER }} # optional + # Password or personal access token used to log against the Docker registry + password: ${{ secrets[vars.DOCKER_REGISTRY_TOKEN_NAME] }} # optional + # Log out from the Docker registry at the end of a job + logout: true # optional, default is true + + # GitHub Action to install QEMU static binaries. + # https://github.com/docker/setup-qemu-action + - + name: Set up QEMU + id: qemu + # You may pin to the exact commit or the version. + # uses: https://github.com/docker/setup-qemu-action/tags + uses: docker/setup-qemu-action@v3 + + # GitHub Action to set up Docker Buildx. + # https://github.com/docker/setup-buildx-action + - + name: Set up Docker Buildx + id: buildx + # You may pin to the exact commit or the version. 
+ # uses: https://github.com/docker/setup-buildx-action/tags + uses: docker/setup-buildx-action@v3 + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - + name: Build and push Docker image + id: build_and_push + # You may pin to the exact commit or the version. + # uses: https://github.com/docker/build-push-action/tags + uses: docker/build-push-action@v4 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + load: ${{ github.event_name == 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + # push: true + # load: false + # tags: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }}:nightly + labels: ${{ steps.meta.outputs.labels }} + platforms: ${{ env.DOCKER_BUILDX_PLATFORM }} + build-args: | + APP_VERSION=${{ steps.meta.outputs.version }} + + # Test Docker image + - + name: Test Docker image + id: test_docker + run: | + docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --version From df7b601def99ec0356532d368b81cefc297edfaa Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 09:40:46 +0900 Subject: [PATCH 05/34] feat --- .github/workflows/docker-build-publish.yaml | 15 +++++++++++---- Dockerfile | 4 +++- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index da73edf..0fd0d11 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml 
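Review bot: The `Post Sysdig Benchmark Dockerfile` step re-emitted in this hunk splices `${{ toJSON(steps.sysdig.outputs.violation_report) }}` straight into the shell script (`echo ${{ … }} | jq -r .`, twice), so the report text is interpreted by the shell before `jq` sees it: any shell metacharacter in a violation message becomes command syntax rather than data, and even in the benign case the unquoted `echo` word-splits the JSON. The robust form passes the value through the environment: add `env: VIOLATION_REPORT: ${{ toJSON(steps.sysdig.outputs.violation_report) }}` to the step and pipe with `printf '%s\n' "$VIOLATION_REPORT" | jq -r .`. The same lines appear on the new side of patch 01's `@@ -46,184 +46,184 @@` hunk. Separately, `uses: apache/skywalking-eyes/header@main` is the one action in this file tracked by a moving branch rather than a tag; pinning it to a tag or commit SHA would match the other steps. The `-` placed on its own line before each `name:` is valid YAML but diverges from the `- name:` form the `Check License Header` step still uses; pick one style for the list.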
@@ -156,11 +156,20 @@ jobs: # eg. refs/pull/318/merge # shorthand for {{major}}.{{minor}}.{{patch}} (can include pre-release) tags: | + # If branch is master, main or default branch, push the latest tag image: type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }} type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} + + # If the event is a official tag release starting with "v..."", push the latest tag image: + type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }} + + # If it is PR version, push the pr- tag image: type=ref,event=pr + type=semver,pattern=v{{version}} + + # Any cron builds (scheduled workflows) push the nightly tag image: type=schedule,pattern=nightly # GitHub Action to login against a Docker registry. @@ -210,11 +219,9 @@ jobs: uses: docker/build-push-action@v4 with: context: . - push: ${{ github.event_name != 'pull_request' }} - load: ${{ github.event_name == 'pull_request' }} + push: true # Always push, + load: false # Push any image, and pull from remote if needed for testing tags: ${{ steps.meta.outputs.tags }} - # push: true - # load: false # tags: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }}:nightly labels: ${{ steps.meta.outputs.labels }} platforms: ${{ env.DOCKER_BUILDX_PLATFORM }} diff --git a/Dockerfile b/Dockerfile index d5755dd..39bbe87 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,9 +20,11 @@ COPY . . RUN adduser -H -S ${APP_NAME} + + +# 11m 56s RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \ && GO_VERSION=$(go version | cut -d" " -f3,4) \ - && CGO_ENABLED=1 \ CGO_FFLAGS="-g -Ofast -march=native" \ CGO_LDFLAGS="-g -Ofast -march=native" \ GOOS=$(go env GOOS) \ From e3f4f4157e617e060813cd66ce341f57ade86efb Mon Sep 17 00:00:00 2001 
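Review bot: `push: true # Always push` in the build-push step now publishes on `pull_request` events as well, so every PR build pushes its `pr-N` tag to the official registry using the repository's registry credentials, and an unreviewed Dockerfile change in a same-repo PR lands there before anyone looks at it. `load: false` with the note "pull from remote if needed for testing" also makes the later `docker run` test depend on the registry rather than on the image that was just built. Keep the guards this hunk removes, `push: ${{ github.event_name != 'pull_request' }}` and `load: ${{ github.event_name == 'pull_request' }}`, or point PR builds at a scratch registry.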
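Review bot: Deleting `&& CGO_ENABLED=1 \` changes the meaning of the line above it: `GO_VERSION=$(go version | cut -d" " -f3,4) \` is no longer its own `&&`-separated command but becomes a prefix assignment on the `go build` command that the continuation ends in (the `RUN` runs past this hunk). A POSIX shell expands the command's words before applying prefix assignments, so `${GO_VERSION}` inside the `-ldflags "-X 'main.Version=... by ${GO_VERSION}'"` string will, as far as I can tell, expand to empty and the baked version string silently loses its toolchain. Keep an `&&` between the variable assignment and the `CGO_*`/`GO*` prefix assignments, e.g. `&& GO_VERSION=$(go version | cut -d" " -f3,4) \` followed by `&& CGO_FFLAGS="..." \`, or `export GO_VERSION` before the build.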
From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 09:42:51 +0900 Subject: [PATCH 06/34] feat --- .github/workflows/docker-build-publish.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 0fd0d11..bd27dfb 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -209,7 +209,7 @@ jobs: # uses: https://github.com/docker/setup-buildx-action/tags uses: docker/setup-buildx-action@v3 - # Build and push Docker image with Buildx (don't push on PR) + # Build and push Docker image with Buildx # https://github.com/docker/build-push-action - name: Build and push Docker image From b79bf6a489e3a2d1816951f7658ebdd29cdac48d Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 10:04:54 +0900 Subject: [PATCH 07/34] fix: regex --- .github/workflows/docker-build-publish.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index bd27dfb..b432521 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml 
@@ -161,8 +161,9 @@ jobs: type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }} type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} - # If the event is a official tag release starting with "v..."", push the latest tag image: - type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }} + # If the event is a tag release following the semver regex, push the latest tag image: + # Semver official regex: https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string + type=match,value=latest,group=0,pattern=^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ # If it is PR version, push the pr- tag image: type=ref,event=pr From 4d4f1c5d6e74108f55a6d52a55b00182ffeeb725 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 10:07:28 +0900 Subject: [PATCH 08/34] fix --- .github/workflows/docker-build-publish.yaml | 2 +- Dockerfile | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index b432521..401812b 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -220,7 +220,7 @@ jobs: uses: docker/build-push-action@v4 with: context: . - push: true # Always push, + push: true # Always push load: false # Push any image, and pull from remote if needed for testing tags: ${{ steps.meta.outputs.tags }} # tags: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }}:nightly diff --git a/Dockerfile b/Dockerfile index 39bbe87..168bd4e 100644 --- a/Dockerfile +++ b/Dockerfile 
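Review bot: `type=match,value=latest,group=0,pattern=^v(0|[1-9]\d*)...$` will, as far as I read docker/metadata-action's `type=match` attributes, run the pattern against `value` — the literal string `latest` — rather than against the tag ref, and emit the captured group as the tag; `latest` never matches a semver pattern, so no `latest` tag is produced on releases at all. If the goal is "tag `latest` on a semver release", the line this hunk removes, `type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}`, is the right shape and only needs a pre-release filter. Note also that the copied regex deliberately accepts `-rc1`-style pre-release and `+build` suffixes, so even a working match would promote `v1.2.0-rc1` to `latest`; drop the optional `(?:-...)?` and `(?:\+...)?` groups or add `&& !contains(github.ref, '-')` to the `enable` expression.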
@@ -25,8 +25,6 @@ RUN adduser -H -S ${APP_NAME} # 11m 56s RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \ && GO_VERSION=$(go version | cut -d" " -f3,4) \ - CGO_FFLAGS="-g -Ofast -march=native" \ - CGO_LDFLAGS="-g -Ofast -march=native" \ GOOS=$(go env GOOS) \ GOARCH=$(go env GOARCH) \ GO111MODULE=on \ From 09faec81dd7fe1b00d1970a51dbe24c462fa6fa4 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 10:11:56 +0900 Subject: [PATCH 09/34] feat --- .github/workflows/docker-build-publish.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 401812b..dd7f9ca 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -173,6 +173,9 @@ jobs: # Any cron builds (scheduled workflows) push the nightly tag image: type=schedule,pattern=nightly + # TODO: Delete me: Push to nightly tag during the PR: + type=raw,value=nightly,enable=${{ github.event_name == 'pull_request' }} + # GitHub Action to login against a Docker registry. # Login against a Docker registry except on PR # https://github.com/docker/login-action From 89b976e2c4383cee2572d8efb42808063060ea7d Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 15:04:09 +0900 Subject: [PATCH 10/34] feat --- .github/workflows/docker-build-publish.yaml | 97 ++++++++++++++++----- 1 file changed, 73 insertions(+), 24 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index dd7f9ca..7581252 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml 
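Review bot: `type=raw,value=nightly,enable=${{ github.event_name == 'pull_request' }}` makes every pull-request build overwrite the `nightly` tag in the official registry, and with the build step currently at `push: true` an unreviewed Dockerfile change from a same-repo PR replaces what users pull as `nightly`. The `# TODO: Delete me` comment is not a guard and this line must not reach master; while iterating, push debug builds to a personal registry or rely on the existing `type=ref,event=pr` tag instead. If a nightly-style tag is really needed for PR testing, give it a distinct name such as `pr-nightly` so the scheduled tag cannot be clobbered.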
@@ -24,14 +24,44 @@ on: branches: [ master ] env: - DOCKER_BUILDX_PLATFORM: linux/amd64,linux/arm64 DOCKER_REGISTRY_ORG: athenz # DOCKER_REGISTRY_USER: values for docker login is stored in repository variables # DOCKER_REGISTRY_TOKEN_NAME: values for docker login is stored in repository variables + TAGS_CONFIG: | + # If branch is master, main or default branch, push the latest tag image: + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }} + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} + + # If the event is a tag release following the semver regex, push the latest tag image: + # Semver official regex: https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string + type=match,value=latest,group=0,pattern=^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ + + # If it is PR version, push the pr- tag image: + type=ref,event=pr + + type=semver,pattern=v{{version}} + + # Any cron builds (scheduled workflows) push the nightly tag image: + type=schedule,pattern=nightly + + # TODO: Delete me: Push to nightly tag during the PR: + type=raw,value=nightly,enable=${{ github.event_name == 'pull_request' }} jobs: build: - runs-on: ubuntu-latest + runs-on: ${{ matrix.runner }} + strategy: + fail-fast: false + matrix: + include: + # TODO: Give me image link + - platform: linux/amd64 + runner: ubuntu-latest + suffix: -amd64 + - platform: linux/arm64 + runner: ubuntu-24.04-arm + suffix: -arm64 permissions: actions: none checks: none 
@@ -152,29 +182,11 @@ jobs: # latest=auto for tagging latest only for "master" branch flavor: | latest=false # we want to make sure we only push latest tag from conditions defined ourselves + suffix=${{ matrix.suffix }} # make sure that every platform has its own suffix (we will merge them in later phase) # eg. refs/heads/master # eg. refs/pull/318/merge # shorthand for {{major}}.{{minor}}.{{patch}} (can include pre-release) - tags: | - # If branch is master, main or default branch, push the latest tag image: - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }} - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} - - # If the event is a tag release following the semver regex, push the latest tag image: - # Semver official regex: https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string - type=match,value=latest,group=0,pattern=^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ - - # If it is PR version, push the pr- tag image: - type=ref,event=pr - - type=semver,pattern=v{{version}} - - # Any cron builds (scheduled workflows) push the nightly tag image: - type=schedule,pattern=nightly - - # TODO: Delete me: Push to nightly tag during the PR: - type=raw,value=nightly,enable=${{ github.event_name == 'pull_request' }} + tags: ${{ env.TAGS_CONFIG }} # GitHub Action to login against a Docker registry. # Login against a Docker registry except on PR 
@@ -220,15 +232,16 @@ jobs: id: build_and_push # You may pin to the exact commit or the version. # uses: https://github.com/docker/build-push-action/tags + # TODO: Migrate me to v6! uses: docker/build-push-action@v4 with: context: . push: true # Always push load: false # Push any image, and pull from remote if needed for testing - tags: ${{ steps.meta.outputs.tags }} + tags: ${{ steps.meta.outputs.tags }} # tags defined here will have its platform suffix # tags: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }}:nightly labels: ${{ steps.meta.outputs.labels }} - platforms: ${{ env.DOCKER_BUILDX_PLATFORM }} + platforms: ${{ matrix.platform }} build-args: | APP_VERSION=${{ steps.meta.outputs.version }} 
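Review bot: `# TODO: Migrate me to v6!` above `uses: docker/build-push-action@v4` records that the action is two major versions behind, but the larger exposure it points at is that every third-party action in this job is referenced by a mutable tag while the job holds registry publish credentials; a compromised or force-moved tag runs arbitrary code with those secrets. Pin `docker/build-push-action`, `docker/login-action`, `docker/setup-buildx-action` and the others to the full 40-character commit SHA of the release and keep the version in a trailing comment, which is also what the `# You may pin to the exact commit or the version.` boilerplate already hints at; Dependabot or Renovate will bump the pins. The `platforms: ${{ matrix.platform }}` change itself is correct for the one-platform-per-leg matrix.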
@@ -238,3 +251,39 @@ jobs: id: test_docker run: | docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --version + merge: + needs: build # Make sure each build of every platform defined in matrix is completed + runs-on: ubuntu-latest + steps: + - uses: docker/login-action@v3 + with: + # Server address of Docker registry. If not set then will default to Docker Hub + registry: ${{ env.DOCKER_REGISTRY_URL }} # optional + # Username used to log against the Docker registry + username: ${{ vars.DOCKER_REGISTRY_USER }} # optional + # Password or personal access token used to log against the Docker registry + password: ${{ secrets[vars.DOCKER_REGISTRY_TOKEN_NAME] }} # optional + # Log out from the Docker registry at the end of a job + logout: true # optional, default is true + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }} + flavor: | + latest=false + # No suffix defined as this will be the merged one! + tags: ${{ env.TAGS_CONFIG }} + + - name: Create Manifest List + run: | + # i.e) TAGS=["latest", "master"] + TAGS="${{ steps.meta.outputs.tags }}" + + for tag in ${TAGS}; do + echo "Merging manifest for tag: $tag" + docker buildx imagetools create -t "$tag" \ + "${tag}-amd64" \ + "${tag}-arm64" + done \ No newline at end of file From b4b0abb1e287fc0ccc54b8dacda4ad16e234b813 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 15:09:40 +0900 Subject: [PATCH 11/34] feat --- .github/workflows/docker-build-publish.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 7581252..e4151a8 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml 
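Review bot: The new `merge` job has no `permissions:` block, so unlike `build` (which sets every scope to `none`) its `GITHUB_TOKEN` gets the repository default, which can still be write-all on older repositories; the job needs at most `contents: read`, and `permissions: {}` would do since it never checks out code. `TAGS="${{ steps.meta.outputs.tags }}"` also interpolates an action output straight into the shell script; the values here are derived from branch and tag names that metadata-action sanitises, but the safe habit is to pass them through `env:` (`TAGS: ${{ steps.meta.outputs.tags }}`) and read `"$TAGS"` in the script. Finally `"${tag}-amd64" "${tag}-arm64"` hard-codes the platform list that the `build` matrix already defines, so adding a platform to the matrix would silently produce a manifest missing that architecture.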
@@ -114,8 +114,9 @@ jobs: # uses: https://github.com/actions/setup-go/tags uses: actions/setup-go@v4 with: + # Fix the following warning: Both go-version and go-version-file inputs are specified, only go-version will be used go-version: "stable" - go-version-file: './go.mod' + # go-version-file: './go.mod' cache: true # A GitHub Action for golang tests From 39eb0f80e1cac7e15fb6a2acade809238b646b6c Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 15:10:54 +0900 Subject: [PATCH 12/34] feat --- .github/workflows/docker-build-publish.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index e4151a8..449a456 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -132,6 +132,7 @@ jobs: # https://github.com/apache/skywalking-eyes # issue: go version hard-coded: https://github.com/apache/skywalking-eyes/blob/5dfa68f93380a5e57259faaf95088b7f133b5778/header/action.yml#L47-L51 - name: Check License Header + if: matrix.platform == 'linux/amd64' # Only in ARM as we only need to check license header from any platform uses: apache/skywalking-eyes/header@main with: log: "info" # optional: set the log level. The default value is `info`. From f3af9a431438e4ac281d2425e6b69d1f89875737 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 15:16:46 +0900 Subject: [PATCH 13/34] feat --- .github/workflows/docker-build-publish.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 449a456..10fc452 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml 
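Review bot: Commenting out `go-version-file: './go.mod'` while keeping `go-version: "stable"` means the test job now compiles with whatever Go release is newest on the day rather than the version `go.mod` declares, so CI can pass on a toolchain the Dockerfile builder never uses and can break on a new Go release with no change in the repository. The warning being silenced is better resolved the other way: drop `go-version: "stable"` and keep `go-version-file: './go.mod'`, so the tested toolchain tracks the module and is reproducible from the commit.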
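Review bot: The `if:` added here gates a step that still runs `uses: apache/skywalking-eyes/header@main`, a third-party action referenced by a moving branch inside a job that also carries registry credentials; any push to that branch executes as this workflow. Pin it to a release tag or, better, a full commit SHA. The inline comment `# Only in ARM as we only need to check license header from any platform` also contradicts the condition, which selects `linux/amd64`; `# Run once, on the amd64 leg of the matrix` states what the code does.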
@@ -132,7 +132,7 @@ jobs: # https://github.com/apache/skywalking-eyes # issue: go version hard-coded: https://github.com/apache/skywalking-eyes/blob/5dfa68f93380a5e57259faaf95088b7f133b5778/header/action.yml#L47-L51 - name: Check License Header - if: matrix.platform == 'linux/amd64' # Only in ARM as we only need to check license header from any platform + if: matrix.platform == 'linux/amd64' # Only required once for any platform, and will do the most general amd64 uses: apache/skywalking-eyes/header@main with: log: "info" # optional: set the log level. The default value is `info`. @@ -145,6 +145,7 @@ jobs: - name: Sysdig Benchmark Dockerfile id: sysdig + if: matrix.platform == 'linux/amd64' # Only required once for any platform, and will do the most general amd64 # You may pin to the exact commit or the version. # uses: https://github.com/sysdiglabs/benchmark-dockerfile/tags uses: sysdiglabs/benchmark-dockerfile@v1.0.0 @@ -162,6 +163,7 @@ jobs: - name: Post Sysdig Benchmark Dockerfile id: postsysdig + if: matrix.platform == 'linux/amd64' # Only required once for any platform, and will do the most general amd64 run: | echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \ jq -r . From 4328e895075cbf7be403d7d992ad2b344e7f2de0 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 15:37:54 +0900 Subject: [PATCH 14/34] feat --- Dockerfile | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index 168bd4e..eabe180 100644 --- a/Dockerfile +++ b/Dockerfile 
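Review bot: `echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | jq -r .` in the `Post Sysdig Benchmark Dockerfile` step expands an action output into the shell script at template time, unquoted; the report is generated from the Dockerfile under review, which a pull request controls, so any shell metacharacters that survive the action's formatting run on the runner. Hand it over through the environment instead: add `env:` with `VIOLATION_REPORT: ${{ toJSON(steps.sysdig.outputs.violation_report) }}` to the step and run `printf '%s' "$VIOLATION_REPORT" | jq -r .`. The new `if: matrix.platform == 'linux/amd64'` guards themselves are fine.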
@@ -23,26 +23,26 @@ RUN adduser -H -S ${APP_NAME} # 11m 56s -RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \ - && GO_VERSION=$(go version | cut -d" " -f3,4) \ - GOOS=$(go env GOOS) \ - GOARCH=$(go env GOARCH) \ - GO111MODULE=on \ - GOEXPERIMENT=noswissmap \ - go build -ldflags "-X 'main.Version=${VERSION} at ${BUILD_TIME} by ${GO_VERSION}' -linkmode=external" -a -o "/usr/bin/${APP_NAME}" - # RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \ # && GO_VERSION=$(go version | cut -d" " -f3,4) \ -# && CGO_ENABLED=1 \ -# CGO_CXXFLAGS="-g -Ofast -march=native" \ -# CGO_FFLAGS="-g -Ofast -march=native" \ -# CGO_LDFLAGS="-g -Ofast -march=native" \ # GOOS=$(go env GOOS) \ # GOARCH=$(go env GOARCH) \ # GO111MODULE=on \ # GOEXPERIMENT=noswissmap \ # go build -ldflags "-X 'main.Version=${VERSION} at ${BUILD_TIME} by ${GO_VERSION}' -linkmode=external" -a -o "/usr/bin/${APP_NAME}" +RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \ + && GO_VERSION=$(go version | cut -d" " -f3,4) \ + && CGO_ENABLED=1 \ + CGO_CXXFLAGS="-g -Ofast -march=native" \ + CGO_FFLAGS="-g -Ofast -march=native" \ + CGO_LDFLAGS="-g -Ofast -march=native" \ + GOOS=$(go env GOOS) \ + GOARCH=$(go env GOARCH) \ + GO111MODULE=on \ + GOEXPERIMENT=noswissmap \ + go build -ldflags "-X 'main.Version=${VERSION} at ${BUILD_TIME} by ${GO_VERSION}' -linkmode=external" -a -o "/usr/bin/${APP_NAME}" + # confirm dependency libraries & cleanup RUN ldd "/usr/bin/${APP_NAME}"\ && apk del build-dependencies --purge \ @@ -61,7 +61,8 @@ COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY --from=builder /etc/passwd /etc/passwd # Copy our dynamic-linked executable and library COPY --from=builder /usr/bin/${APP_NAME} /go/bin/${APP_NAME} -COPY --from=builder /lib/ld-musl-x86_64.so* /lib/ +# COPY --from=builder /lib/ld-musl-x86_64.so* /lib/ +COPY --from=builder /lib/ld-musl-*.so* /lib/ # Copy user COPY --from=builder /etc/passwd /etc/passwd From d62bd99c56e179f92debbfd57a65fc55c230e56b Mon Sep 17 00:00:00 2001 
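Review bot: Re-enabling `CGO_CXXFLAGS`/`CGO_FFLAGS`/`CGO_LDFLAGS="-g -Ofast -march=native"` in the builder stage ties the published binary to the instruction set of whichever runner happened to build it: `-march=native` may emit AVX-512 or SVE instructions that SIGILL on a different host, and it makes the image non-reproducible across runners, which matters now that legs run on `ubuntu-latest` and `ubuntu-24.04-arm`. `-Ofast` additionally turns on `-ffast-math`, which is not IEEE-safe for anything the cgo side computes, and `-g` ships debug info in a release image. Prefer `-O2` with no `-march=native` (a conservative per-arch baseline such as `-march=x86-64-v2` on amd64 if tuning is wanted) and strip the binary. The `RUN` instruction is complete within this hunk; the `ldd` cleanup after it is unchanged context.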
From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 15:41:45 +0900 Subject: [PATCH 15/34] fix: back --- Dockerfile | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/Dockerfile b/Dockerfile index eabe180..a61108d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,17 +20,6 @@ COPY . . RUN adduser -H -S ${APP_NAME} - - -# 11m 56s -# RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \ -# && GO_VERSION=$(go version | cut -d" " -f3,4) \ -# GOOS=$(go env GOOS) \ -# GOARCH=$(go env GOARCH) \ -# GO111MODULE=on \ -# GOEXPERIMENT=noswissmap \ -# go build -ldflags "-X 'main.Version=${VERSION} at ${BUILD_TIME} by ${GO_VERSION}' -linkmode=external" -a -o "/usr/bin/${APP_NAME}" - RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \ && GO_VERSION=$(go version | cut -d" " -f3,4) \ && CGO_ENABLED=1 \ From a85647754715037761f6a5f303f6821c9b7f1c3c Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 15:50:22 +0900 Subject: [PATCH 16/34] chore: explicitly define Docker registry URL and image, removing dynamic environment variable setting. --- .github/workflows/docker-build-publish.yaml | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 10fc452..f53cec8 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -24,7 +24,10 @@ on: branches: [ master ] env: + # https://hub.docker.com/r/athenz/authorization-proxy/tags + DOCKER_REGISTRY_URL: docker.io DOCKER_REGISTRY_ORG: athenz + DOCKER_REGISTRY_IMAGE: authorization-proxy # DOCKER_REGISTRY_USER: values for docker login is stored in repository variables # DOCKER_REGISTRY_TOKEN_NAME: values for docker login is stored in repository variables TAGS_CONFIG: | 
@@ -84,16 +87,6 @@ jobs: # uses: https://github.com/FranzDiebold/github-env-vars-action/tags uses: FranzDiebold/github-env-vars-action@v2 - # A GitHub Action to prepare default environment variables. - - - name: Set Default Environment Variables - id: default_env - run: | - # Use docker.io for Docker Hub if empty - [[ "${{ env.DOCKER_REGISTRY_URL}}" = "" ]] && echo "DOCKER_REGISTRY_URL=docker.io" >> $GITHUB_ENV - [[ "${{ env.DOCKER_REGISTRY_ORG }}" = "" ]] && echo "DOCKER_REGISTRY_ORG=${{ env.CI_REPOSITORY_OWNER }}" >> $GITHUB_ENV - [[ "${{ env.DOCKER_REGISTRY_IMAGE }}" = "" ]] && echo "DOCKER_REGISTRY_IMAGE=${{ env.CI_REPOSITORY_NAME }}" >> $GITHUB_ENV - # This action checks-out your repository under $GITHUB_WORKSPACE, so your workflow can access it. # https://github.com/actions/checkout - From cc0666c50044ce4d284064827ff11af26324a233 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 16:00:35 +0900 Subject: [PATCH 17/34] feat --- .github/workflows/docker-build-publish.yaml | 40 ++++++++++++--------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index f53cec8..0b5ad1d 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -30,6 +30,13 @@ env: DOCKER_REGISTRY_IMAGE: authorization-proxy # DOCKER_REGISTRY_USER: values for docker login is stored in repository variables # DOCKER_REGISTRY_TOKEN_NAME: values for docker login is stored in repository variables + BUILD_MATRIX: | + { + "include": [ + { "platform": "linux/amd64", "runner": "ubuntu-latest", "suffix": "-amd64" }, + { "platform": "linux/arm64", "runner": "ubuntu-24.04-arm", "suffix": "-arm64" } + ] + } TAGS_CONFIG: | # If branch is master, main or default branch, push the latest tag image: type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} 
@@ -56,15 +63,7 @@ jobs: runs-on: ${{ matrix.runner }} strategy: fail-fast: false - matrix: - include: - # TODO: Give me image link - - platform: linux/amd64 - runner: ubuntu-latest - suffix: -amd64 - - platform: linux/arm64 - runner: ubuntu-24.04-arm - suffix: -arm64 + matrix: ${{ fromJson(env.BUILD_MATRIX) }} permissions: actions: none checks: none @@ -275,12 +274,21 @@ jobs: - name: Create Manifest List run: | - # i.e) TAGS=["latest", "master"] - TAGS="${{ steps.meta.outputs.tags }}" + # i.e) PLATFORM_SUFFIXES=["-amd64", "-arm64"] + PLATFORM_SUFFIXES=$(echo '${{ env.BUILD_MATRIX }}' | jq -r '.include[].suffix' | xargs) - for tag in ${TAGS}; do + echo "Target Suffixes: $PLATFORM_SUFFIXES" + + # Handle all tags required: + echo "${{ steps.meta.outputs.tags }}" | while read -r tag; do echo "Merging manifest for tag: $tag" - docker buildx imagetools create -t "$tag" \ - "${tag}-amd64" \ - "${tag}-arm64" - done \ No newline at end of file + + # List sources to merge as one tag: + sources="" + for suffix in $PLATFORM_SUFFIXES; do + sources="$sources ${tag}${suffix}" + done + + # Finally merge: + docker buildx imagetools create -t "$tag" $sources + done From 714331dd080a593458888da4aed4badeb24ebca8 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 16:04:30 +0900 Subject: [PATCH 18/34] docs: Clarify `BUILD_MATRIX` and musl library copying with comments, and remove nightly tag push for PRs in Docker build workflow. --- .github/workflows/docker-build-publish.yaml | 3 +-- Dockerfile | 3 ++- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 0b5ad1d..f3fb6d0 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml 
@@ -30,6 +30,7 @@ env: DOCKER_REGISTRY_IMAGE: authorization-proxy # DOCKER_REGISTRY_USER: values for docker login is stored in repository variables # DOCKER_REGISTRY_TOKEN_NAME: values for docker login is stored in repository variables + # We define BUILD_MATRIX so that we have multiple platform supported, maybe Windows as well in the future: BUILD_MATRIX: | { "include": [ @@ -55,8 +56,6 @@ env: # Any cron builds (scheduled workflows) push the nightly tag image: type=schedule,pattern=nightly - # TODO: Delete me: Push to nightly tag during the PR: - type=raw,value=nightly,enable=${{ github.event_name == 'pull_request' }} jobs: build: diff --git a/Dockerfile b/Dockerfile index a61108d..7c17944 100644 --- a/Dockerfile +++ b/Dockerfile @@ -50,7 +50,8 @@ COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY --from=builder /etc/passwd /etc/passwd # Copy our dynamic-linked executable and library COPY --from=builder /usr/bin/${APP_NAME} /go/bin/${APP_NAME} -# COPY --from=builder /lib/ld-musl-x86_64.so* /lib/ + +# Copy dynamic-linked libraries for musl, like /lib/ld-musl-x86_64.so* or /lib/ld-musl-arm64.so* etc: COPY --from=builder /lib/ld-musl-*.so* /lib/ # Copy user COPY --from=builder /etc/passwd /etc/passwd From fbd41c1cc10e0708792953f3741a6cc26f281787 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 16:09:42 +0900 Subject: [PATCH 19/34] feat: Extract Docker build matrix and platform suffixes into a dedicated configuration job. --- .github/workflows/docker-build-publish.yaml | 38 +++++++++++++++------ 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index f3fb6d0..50cbd89 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml 
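Review bot: The new comment `# Copy dynamic-linked libraries for musl, like /lib/ld-musl-x86_64.so* or /lib/ld-musl-arm64.so* etc:` names a file that does not exist; musl's arm64 loader is `ld-musl-aarch64.so.1`, so a reader verifying the image would look for the wrong name. The glob `ld-musl-*.so*` already covers both, so only the comment needs changing: `# Copy the musl dynamic loader for the target arch (ld-musl-x86_64.so.1, ld-musl-aarch64.so.1, ...)`. Also `COPY --from=builder /etc/passwd /etc/passwd` appears twice in the visible context around this hunk; one of the two can be removed.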
@@ -30,14 +30,6 @@ env: DOCKER_REGISTRY_IMAGE: authorization-proxy # DOCKER_REGISTRY_USER: values for docker login is stored in repository variables # DOCKER_REGISTRY_TOKEN_NAME: values for docker login is stored in repository variables - # We define BUILD_MATRIX so that we have multiple platform supported, maybe Windows as well in the future: - BUILD_MATRIX: | - { - "include": [ - { "platform": "linux/amd64", "runner": "ubuntu-latest", "suffix": "-amd64" }, - { "platform": "linux/arm64", "runner": "ubuntu-24.04-arm", "suffix": "-arm64" } - ] - } TAGS_CONFIG: | # If branch is master, main or default branch, push the latest tag image: type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} @@ -58,11 +50,35 @@ env: jobs: + set_config: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set.outputs.matrix }} + suffixes: ${{ steps.set.outputs.suffixes }} + steps: + - id: set + run: | + # We define BUILD_MATRIX so that we have multiple platform supported, + # maybe Windows as well in the future: + + MATRIX_JSON='{ + "include": [ + { "platform": "linux/amd64", "runner": "ubuntu-latest", "suffix": "-amd64" }, + { "platform": "linux/arm64", "runner": "ubuntu-24.04-arm", "suffix": "-arm64" } + ] + }' + + # Store JSON data: + echo "matrix=$(echo "$MATRIX_JSON" | jq -c .)" >> $GITHUB_OUTPUT + + # Store Suffix list: + echo "suffixes=$(echo "$MATRIX_JSON" | jq -r '.include[].suffix' | xargs)" >> $GITHUB_OUTPUT + build: runs-on: ${{ matrix.runner }} strategy: fail-fast: false - matrix: ${{ fromJson(env.BUILD_MATRIX) }} + matrix: ${{ fromJson(needs.config.outputs.matrix) }} permissions: actions: none checks: none 
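Review bot: `matrix: ${{ fromJson(needs.config.outputs.matrix) }}` references a job named `config`, but the job this hunk defines is `set_config`, and `build` declares no `needs:` at all, so the expression cannot resolve and the workflow will fail validation or run with an empty matrix. Add `needs: set_config` to `build` and use `needs.set_config.outputs.matrix`. The new `set_config` job also has no `permissions:` block, unlike `build` which sets every scope to `none`; a job that only echoes a constant JSON document into `$GITHUB_OUTPUT` should declare `permissions: {}` so its `GITHUB_TOKEN` carries no rights.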
@@ -272,10 +288,10 @@ jobs: tags: ${{ env.TAGS_CONFIG }} - name: Create Manifest List + env: + PLATFORM_SUFFIXES: ${{ needs.config.outputs.suffixes }} run: | # i.e) PLATFORM_SUFFIXES=["-amd64", "-arm64"] - PLATFORM_SUFFIXES=$(echo '${{ env.BUILD_MATRIX }}' | jq -r '.include[].suffix' | xargs) - echo "Target Suffixes: $PLATFORM_SUFFIXES" # Handle all tags required: From fee59f56f10e207e36b8fc13593a353850ff1557 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 16:17:14 +0900 Subject: [PATCH 20/34] feat --- .github/workflows/docker-build-publish.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 50cbd89..e0a9821 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -75,10 +75,11 @@ jobs: echo "suffixes=$(echo "$MATRIX_JSON" | jq -r '.include[].suffix' | xargs)" >> $GITHUB_OUTPUT build: + needs: set_config runs-on: ${{ matrix.runner }} strategy: fail-fast: false - matrix: ${{ fromJson(needs.config.outputs.matrix) }} + matrix: ${{ fromJson(needs.set_config.outputs.matrix) }} permissions: actions: none checks: none @@ -263,7 +264,9 @@ jobs: run: | docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --version merge: - needs: build # Make sure each build of every platform defined in matrix is completed + needs: + - build # Make sure each build of every platform defined in matrix is completed + - set_config runs-on: ubuntu-latest steps: - uses: docker/login-action@v3 From cb625d28e99acfb749ccd87597a3d15ad1718933 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 16:19:02 +0900 Subject: [PATCH 21/34] feat --- .github/workflows/docker-build-publish.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index e0a9821..d09e104 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -50,7 +50,7 @@ env: jobs: - set_config: + set_matrix: runs-on: ubuntu-latest outputs: matrix: ${{ steps.set.outputs.matrix }} @@ -75,11 +75,11 @@ jobs: echo "suffixes=$(echo "$MATRIX_JSON" | jq -r '.include[].suffix' | xargs)" >> $GITHUB_OUTPUT build: - needs: set_config + needs: set_matrix runs-on: ${{ matrix.runner }} strategy: fail-fast: false - matrix: ${{ fromJson(needs.set_config.outputs.matrix) }} + matrix: ${{ fromJson(needs.set_matrix.outputs.matrix) }} permissions: actions: none checks: none @@ -266,7 +266,7 @@ jobs: merge: needs: - build # Make sure each build of every platform defined in matrix is completed - - set_config + - set_matrix runs-on: ubuntu-latest steps: - uses: docker/login-action@v3 From a2c9663e60b40b279958f9b3946b920e411eb088 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 7 Jan 2026 16:24:12 +0900 Subject: [PATCH 22/34] fix --- .github/workflows/docker-build-publish.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index d09e104..563745d 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -292,7 +292,7 @@ jobs: - name: Create Manifest List env: - PLATFORM_SUFFIXES: ${{ needs.config.outputs.suffixes }} + PLATFORM_SUFFIXES: ${{ needs.set_matrix.outputs.suffixes }} run: | # i.e) PLATFORM_SUFFIXES=["-amd64", "-arm64"] echo "Target Suffixes: $PLATFORM_SUFFIXES" From 8f867bcaba9a23c6894298733d6aff2a1a3f04ad Mon Sep 17 00:00:00 2001 
From: Jeongwoo Kim - jekim Date: Thu, 8 Jan 2026 08:30:23 +0900 Subject: [PATCH 23/34] build: Switch Docker build-push-action to load images local only --- .github/workflows/docker-build-publish.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 563745d..7c69f20 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -248,8 +248,9 @@ jobs: uses: docker/build-push-action@v4 with: context: . - push: true # Always push - load: false # Push any image, and pull from remote if needed for testing + # We will push images in the job "merge" section. All we need to do + push: false + load: true tags: ${{ steps.meta.outputs.tags }} # tags defined here will have its platform suffix # tags: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }}:nightly labels: ${{ steps.meta.outputs.labels }} @@ -265,8 +266,8 @@ jobs: docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --version merge: needs: - - build # Make sure each build of every platform defined in matrix is completed - set_matrix + - build # Make sure each build of every platform defined in matrix is completed runs-on: ubuntu-latest steps: - uses: docker/login-action@v3 From 94f00188613dc632d2e1d7ae25f2ad5366caa0f8 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Thu, 8 Jan 2026 08:37:06 +0900 Subject: [PATCH 24/34] feat: Conditionally push Docker images and run merge job based on GitHub event type. --- .github/workflows/docker-build-publish.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 7c69f20..13f1689 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml 
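Review bot: Switching to `push: false` / `load: true` means no per-platform image ever reaches the registry, yet the `merge` job later in the file still runs `docker buildx imagetools create -t "$tag" ...` against `${tag}<suffix>` registry references, so every non-PR run will fail with a manifest-not-found in `merge`. `imagetools create` can only combine images that already exist in a registry; either keep pushing the suffixed platform images from `build` with `push: ${{ github.event_name != 'pull_request' }}`, or export them as build artifacts/digests and push from `merge`. The new comment `# We will push images in the job "merge" section. All we need to do` is also cut off mid-sentence.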
@@ -242,15 +242,15 @@ jobs: - name: Build and push Docker image id: build_and_push - # You may pin to the exact commit or the version. + # You may pin to the exact commit or the version.`` # uses: https://github.com/docker/build-push-action/tags # TODO: Migrate me to v6! uses: docker/build-push-action@v4 with: context: . - # We will push images in the job "merge" section. All we need to do - push: false - load: true + # Please do not set push=true for PR build as it will push every PR tag to our official registry outside: + push: ${{ github.event_name != 'pull_request' }} + load: ${{ github.event_name == 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} # tags defined here will have its platform suffix # tags: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }}:nightly labels: ${{ steps.meta.outputs.labels }} @@ -265,6 +265,7 @@ jobs: run: | docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --version merge: + if: github.event_name != 'pull_request' needs: - set_matrix - build # Make sure each build of every platform defined in matrix is completed @@ -291,7 +292,7 @@ jobs: # No suffix defined as this will be the merged one! tags: ${{ env.TAGS_CONFIG }} - - name: Create Manifest List + - name: Merge and push multi-arch image env: PLATFORM_SUFFIXES: ${{ needs.set_matrix.outputs.suffixes }} run: | From e58416770b36f6f318a66ce437d5ff113700de96 Mon Sep 17 00:00:00 2001 From: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> Date: Thu, 8 Jan 2026 08:42:47 +0900 Subject: [PATCH 25/34] Apply suggestion from @mlajkim Signed-off-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> --- .github/workflows/docker-build-publish.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 13f1689..dd755a6 100644 --- a/.github/workflows/docker-build-publish.yaml 
+++ b/.github/workflows/docker-build-publish.yaml @@ -265,6 +265,7 @@ jobs: run: | docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --version merge: + # Job "merge" requires images to be uploaded in target registry, and since PR images are not pushed, we can skip this job if: github.event_name != 'pull_request' needs: - set_matrix From 12353433c43037e9ff648e915cf9c8eb81f5dfad Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Thu, 8 Jan 2026 09:38:32 +0900 Subject: [PATCH 26/34] feat: Build and push Docker images to GitHub Container Registry as an intermediate step before creating multi-arch manifests. --- .github/workflows/docker-build-publish.yaml | 107 +++++++++++++++----- 1 file changed, 79 insertions(+), 28 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index dd755a6..a6eaaef 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -87,7 +87,7 @@ jobs: deployments: none issues: none discussions: none - packages: none + packages: write # for ghcr read permission pull-requests: none repository-projects: none security-events: none 
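Review bot: The inline comment on the new `packages: write` line in the build job's permissions block calls it a read permission, but this patch's build step pushes staging images to ghcr.io, so write is what the job actually needs and the comment understates the grant; `packages: write # push per-platform staging images to ghcr.io` states the real reason. For pull_request runs from forks GITHUB_TOKEN is read-only regardless of this block, so the unconditional `push: true` added further down in this patch would presumably fail there; if fork PRs are expected, that step needs an event or repository guard. The permissions mapping continues outside the hunk.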
@@ -239,31 +239,54 @@ jobs: # Build and push Docker image with Buildx # https://github.com/docker/build-push-action - - - name: Build and push Docker image - id: build_and_push - # You may pin to the exact commit or the version.`` - # uses: https://github.com/docker/build-push-action/tags - # TODO: Migrate me to v6! + # - + # name: Build and push Docker image + # id: build_and_push + # # You may pin to the exact commit or the version.`` + # # uses: https://github.com/docker/build-push-action/tags + # # TODO: Migrate me to v6! + # uses: docker/build-push-action@v4 + # with: + # context: . + # # Please do not set push=true for PR build as it will push every PR tag to our official registry outside: + # push: ${{ github.event_name != 'pull_request' }} + # load: ${{ github.event_name == 'pull_request' }} + # tags: ${{ steps.meta.outputs.tags }} # tags defined here will have its platform suffix + # # tags: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }}:nightly + # labels: ${{ steps.meta.outputs.labels }} + # platforms: ${{ matrix.platform }} + # build-args: | + # APP_VERSION=${{ steps.meta.outputs.version }} + + - name: Login to Temporary Registry (GitHub Container Registry) + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Lowercase image id name to follow the docker name rule + run: | + IMAGE_ID=ghcr.io/${{ github.repository }} + echo "GHCR_IMAGE_ID=$(echo $IMAGE_ID | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV + + - name: Build and Push to GHCR (Staging) uses: docker/build-push-action@v4 with: context: . 
- # Please do not set push=true for PR build as it will push every PR tag to our official registry outside: - push: ${{ github.event_name != 'pull_request' }} - load: ${{ github.event_name == 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} # tags defined here will have its platform suffix - # tags: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }}:nightly - labels: ${{ steps.meta.outputs.labels }} + push: true + # tag i.e) ghcr.io/athenz/authorization-proxy:sha-ck29d1-amd64 + tags: ${{ env.GHCR_IMAGE_ID }}:${{ github.sha }}${{ matrix.suffix }} platforms: ${{ matrix.platform }} - build-args: | - APP_VERSION=${{ steps.meta.outputs.version }} + cache-from: type=gha + cache-to: type=gha,mode=max # Test Docker image - name: Test Docker image id: test_docker run: | - docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --version + docker run --rm ${{ env.GHCR_IMAGE_ID }}:${{ github.sha }}${{ matrix.suffix }} --version merge: # Job "merge" requires images to be uploaded in target registry, and since PR images are not pushed, we can skip this job if: github.event_name != 'pull_request' @@ -271,6 +294,8 @@ jobs: - set_matrix - build # Make sure each build of every platform defined in matrix is completed runs-on: ubuntu-latest + permissions: + packages: read steps: - uses: docker/login-action@v3 with: 
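Review bot: The new `Build and Push to GHCR (Staging)` step drops the `labels:` and `build-args:` inputs that the replaced step passed, and since `docker buildx imagetools create` in the merge job only assembles manifests that already exist, anything the Dockerfile derives from APP_VERSION cannot be added back later. If the Dockerfile consumes that argument, re-add `build-args: |` with `APP_VERSION=${{ steps.meta.outputs.version }}` and `labels: ${{ steps.meta.outputs.labels }}` to this step; patch 30 later removes the metadata step from this job, so the version would then need another source. The step also has no `id:`, so the `digest` output build-push-action emits is not captured; exposing it would let the merge job pin the staging images by digest rather than by tag. The build job's steps list continues outside the hunk.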
@@ -293,23 +318,49 @@ jobs: # No suffix defined as this will be the merged one! tags: ${{ env.TAGS_CONFIG }} - - name: Merge and push multi-arch image + # - name: Merge and push multi-arch image + # env: + # PLATFORM_SUFFIXES: ${{ needs.set_matrix.outputs.suffixes }} + # run: | + # # i.e) PLATFORM_SUFFIXES=["-amd64", "-arm64"] + # echo "Target Suffixes: $PLATFORM_SUFFIXES" + + # # Handle all tags required: + # echo "${{ steps.meta.outputs.tags }}" | while read -r tag; do + # echo "Merging manifest for tag: $tag" + + # # List sources to merge as one tag: + # sources="" + # for suffix in $PLATFORM_SUFFIXES; do + # sources="$sources ${tag}${suffix}" + # done + + # # Finally merge: + # docker buildx imagetools create -t "$tag" $sources + # done + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Set GHCR Image Name (Lowercase) + run: | + IMAGE_ID=ghcr.io/${{ github.repository }} + echo "GHCR_IMAGE_ID=$(echo $IMAGE_ID | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV + - name: Create Manifest and Push to Docker Hub env: PLATFORM_SUFFIXES: ${{ needs.set_matrix.outputs.suffixes }} + SHA_TAG: ${{ github.sha }} run: | - # i.e) PLATFORM_SUFFIXES=["-amd64", "-arm64"] - echo "Target Suffixes: $PLATFORM_SUFFIXES" - - # Handle all tags required: - echo "${{ steps.meta.outputs.tags }}" | while read -r tag; do - echo "Merging manifest for tag: $tag" + echo "${{ steps.meta.outputs.tags }}" | while read -r docker_registry_tag; do + echo "Merging sources into final tag: $docker_registry_tag" - # List sources to merge as one tag: sources="" for suffix in $PLATFORM_SUFFIXES; do - sources="$sources ${tag}${suffix}" + # i.e) ghcr.io/athenz/authorization-proxy:sha-xxx-amd64 + sources="$sources ${{ env.GHCR_IMAGE_ID }}:${SHA_TAG}${suffix}" done - # Finally merge: - docker buildx imagetools create -t "$tag" $sources - done + docker buildx imagetools create -t 
"$docker_registry_tag" $sources + done \ No newline at end of file From 74226beb0a7a8a628f71be69bea1e28e5435b0fc Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Thu, 8 Jan 2026 09:43:59 +0900 Subject: [PATCH 27/34] comment --- .github/workflows/docker-build-publish.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index a6eaaef..a779d1a 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -289,7 +289,8 @@ jobs: docker run --rm ${{ env.GHCR_IMAGE_ID }}:${{ github.sha }}${{ matrix.suffix }} --version merge: # Job "merge" requires images to be uploaded in target registry, and since PR images are not pushed, we can skip this job - if: github.event_name != 'pull_request' + # TODO: Test only for now + # if: github.event_name != 'pull_request' needs: - set_matrix - build # Make sure each build of every platform defined in matrix is completed From 1558b4ac7b6a7dee42b0259daa44535e2ef0a53f Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Thu, 8 Jan 2026 09:49:31 +0900 Subject: [PATCH 28/34] feat: name for step --- .github/workflows/docker-build-publish.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index a779d1a..585828d 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -298,7 +298,8 @@ jobs: permissions: packages: read steps: - - uses: docker/login-action@v3 + - name: Login to Docker registry + uses: docker/login-action@v3 with: # Server address of Docker registry. If not set then will default to Docker Hub registry: ${{ env.DOCKER_REGISTRY_URL }} # optional From a608f94a1e77d2dccd2b49de5dd127cebe9e509f Mon Sep 17 00:00:00 2001 
From: Jeongwoo Kim - jekim Date: Thu, 8 Jan 2026 09:53:07 +0900 Subject: [PATCH 29/34] feat --- .github/workflows/docker-build-publish.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 585828d..fed2f3b 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -296,7 +296,7 @@ jobs: - build # Make sure each build of every platform defined in matrix is completed runs-on: ubuntu-latest permissions: - packages: read + packages: write # Give read permission WITHOUT making the registry_visibility=Public steps: - name: Login to Docker registry uses: docker/login-action@v3 From cac68c56be0b1323f6f76f22507421e9302c30f9 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Thu, 8 Jan 2026 10:11:14 +0900 Subject: [PATCH 30/34] feat Signed-off-by: Jeongwoo Kim - jekim --- .github/workflows/docker-build-publish.yaml | 94 ++------------------- 1 file changed, 6 insertions(+), 88 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index fed2f3b..2c52116 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml 
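Review bot: The comment on the merge job's `packages: write` says it grants read permission, but write is what is granted, and this job only pulls the staging images from ghcr.io while pushing to the external registry with a separate credential. If `packages: read` failed here, that is presumably because the package was not yet linked to the repository when it was tried; once the build job's first push links it, read should be enough, so re-testing with `packages: read` before this lands would keep the job at least privilege. If write really is required, the comment should record the observed reason rather than describe a read grant, e.g. `packages: write # TODO: packages: read failed when pulling staging images; re-test and drop to read`. The permissions mapping continues outside the hunk.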
@@ -180,45 +180,6 @@ jobs: wc -l | \ xargs -I% test 0 -eq % - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - - name: Extract Docker metadata - id: meta - # You may pin to the exact commit or the version. - # uses: https://github.com/docker/metadata-action/tags - uses: docker/metadata-action@v5 - with: - images: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }} - # for latest tag - # latest=auto for tagging latest only for "master" branch - flavor: | - latest=false # we want to make sure we only push latest tag from conditions defined ourselves - suffix=${{ matrix.suffix }} # make sure that every platform has its own suffix (we will merge them in later phase) - # eg. refs/heads/master - # eg. refs/pull/318/merge - # shorthand for {{major}}.{{minor}}.{{patch}} (can include pre-release) - tags: ${{ env.TAGS_CONFIG }} - - # GitHub Action to login against a Docker registry. - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - - name: Docker Login to registry ${{ env.DOCKER_REGISTRY_URL }} - id: login - # You may pin to the exact commit or the version. - # uses: https://github.com/docker/login-action/tags - uses: docker/login-action@v3 - with: - # Server address of Docker registry. If not set then will default to Docker Hub - registry: ${{ env.DOCKER_REGISTRY_URL }} # optional - # Username used to log against the Docker registry - username: ${{ vars.DOCKER_REGISTRY_USER }} # optional - # Password or personal access token used to log against the Docker registry - password: ${{ secrets[vars.DOCKER_REGISTRY_TOKEN_NAME] }} # optional - # Log out from the Docker registry at the end of a job - logout: true # optional, default is true - # GitHub Action to install QEMU static binaries. # https://github.com/docker/setup-qemu-action - 
@@ -237,27 +198,6 @@ jobs: # uses: https://github.com/docker/setup-buildx-action/tags uses: docker/setup-buildx-action@v3 - # Build and push Docker image with Buildx - # https://github.com/docker/build-push-action - # - - # name: Build and push Docker image - # id: build_and_push - # # You may pin to the exact commit or the version.`` - # # uses: https://github.com/docker/build-push-action/tags - # # TODO: Migrate me to v6! - # uses: docker/build-push-action@v4 - # with: - # context: . - # # Please do not set push=true for PR build as it will push every PR tag to our official registry outside: - # push: ${{ github.event_name != 'pull_request' }} - # load: ${{ github.event_name == 'pull_request' }} - # tags: ${{ steps.meta.outputs.tags }} # tags defined here will have its platform suffix - # # tags: ${{ env.DOCKER_REGISTRY_URL }}/${{ env.DOCKER_REGISTRY_ORG }}/${{ env.DOCKER_REGISTRY_IMAGE }}:nightly - # labels: ${{ steps.meta.outputs.labels }} - # platforms: ${{ matrix.platform }} - # build-args: | - # APP_VERSION=${{ steps.meta.outputs.version }} - - name: Login to Temporary Registry (GitHub Container Registry) uses: docker/login-action@v3 with: @@ -298,6 +238,12 @@ jobs: permissions: packages: write # Give read permission WITHOUT making the registry_visibility=Public steps: + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Docker registry uses: docker/login-action@v3 with: @@ -309,7 +255,6 @@ jobs: password: ${{ secrets[vars.DOCKER_REGISTRY_TOKEN_NAME] }} # optional # Log out from the Docker registry at the end of a job logout: true # optional, default is true - - name: Extract Docker metadata id: meta uses: docker/metadata-action@v5 
@@ -319,33 +264,6 @@ jobs: latest=false # No suffix defined as this will be the merged one! tags: ${{ env.TAGS_CONFIG }} - - # - name: Merge and push multi-arch image - # env: - # PLATFORM_SUFFIXES: ${{ needs.set_matrix.outputs.suffixes }} - # run: | - # # i.e) PLATFORM_SUFFIXES=["-amd64", "-arm64"] - # echo "Target Suffixes: $PLATFORM_SUFFIXES" - - # # Handle all tags required: - # echo "${{ steps.meta.outputs.tags }}" | while read -r tag; do - # echo "Merging manifest for tag: $tag" - - # # List sources to merge as one tag: - # sources="" - # for suffix in $PLATFORM_SUFFIXES; do - # sources="$sources ${tag}${suffix}" - # done - - # # Finally merge: - # docker buildx imagetools create -t "$tag" $sources - # done - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - name: Set GHCR Image Name (Lowercase) run: | IMAGE_ID=ghcr.io/${{ github.repository }} From d73e18b4039b197d77646ddb9d59ac4227d342f0 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Thu, 8 Jan 2026 10:33:09 +0900 Subject: [PATCH 31/34] feat: cleaner Signed-off-by: Jeongwoo Kim - jekim --- .github/workflows/docker-build-publish.yaml | 41 +++++++++++++++++++-- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 2c52116..220574d 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml 
@@ -228,9 +228,7 @@ jobs: run: | docker run --rm ${{ env.GHCR_IMAGE_ID }}:${{ github.sha }}${{ matrix.suffix }} --version merge: - # Job "merge" requires images to be uploaded in target registry, and since PR images are not pushed, we can skip this job - # TODO: Test only for now - # if: github.event_name != 'pull_request' + # if: github.event_name != 'pull_request' # We do not need to push pr images to official registry (Docker.io) needs: - set_matrix - build # Make sure each build of every platform defined in matrix is completed @@ -283,4 +281,39 @@ jobs: done docker buildx imagetools create -t "$docker_registry_tag" $sources - done \ No newline at end of file + done + cleanup: + name: Cleanup Temporary Images from GitHub Container Registry + needs: [set_matrix, build, merge] + if: always() + runs-on: ubuntu-latest + permissions: + packages: write # Permission to delete images from GitHub Container Registry + steps: + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Delete Temporary Images using Skopeo + env: + PLATFORM_SUFFIXES: ${{ needs.set_matrix.outputs.suffixes }} + SHA_TAG: ${{ github.sha }} + run: | + echo "๐Ÿงน Starting cleanup for SHA: $SHA_TAG" + + # Get image URL: + RAW_IMAGE_ID=ghcr.io/${{ github.repository }} + GHCR_IMAGE_ID=$(echo $RAW_IMAGE_ID | tr '[:upper:]' '[:lower:]') + + # Loop and delete + for suffix in $PLATFORM_SUFFIXES; do + TARGET_IMAGE="docker://${GHCR_IMAGE_ID}:${SHA_TAG}${suffix}" + + echo "๐Ÿ—‘๏ธ Attempt to delete: $TARGET_IMAGE" + skopeo delete "$TARGET_IMAGE" || true + done + + echo "โœจ All temporary images cleaned up!" From 6170e00e3441806a215afabaf2d597d3a307d830 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Thu, 8 Jan 2026 10:40:04 +0900 Subject: [PATCH 32/34] feat 
Signed-off-by: Jeongwoo Kim - jekim --- .github/workflows/docker-build-publish.yaml | 37 +++++++++++++-------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 220574d..c868a3a 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -299,21 +299,32 @@ jobs: - name: Delete Temporary Images using Skopeo env: - PLATFORM_SUFFIXES: ${{ needs.set_matrix.outputs.suffixes }} + OWNER: ${{ github.repository_owner }} + PACKAGE_NAME: authorization-proxy SHA_TAG: ${{ github.sha }} + PLATFORM_SUFFIXES: ${{ needs.set_matrix.outputs.suffixes }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - echo "๐Ÿงน Starting cleanup for SHA: $SHA_TAG" - - # Get image URL: - RAW_IMAGE_ID=ghcr.io/${{ github.repository }} - GHCR_IMAGE_ID=$(echo $RAW_IMAGE_ID | tr '[:upper:]' '[:lower:]') - - # Loop and delete + echo "๐Ÿงน Cleanup using GitHub API..." + for suffix in $PLATFORM_SUFFIXES; do - TARGET_IMAGE="docker://${GHCR_IMAGE_ID}:${SHA_TAG}${suffix}" + TAG_NAME="${SHA_TAG}${suffix}" + echo "๐Ÿ” Finding version ID for tag: $TAG_NAME" - echo "๐Ÿ—‘๏ธ Attempt to delete: $TARGET_IMAGE" - skopeo delete "$TARGET_IMAGE" || true + VERSION_ID=$(gh api "/orgs/$OWNER/packages/container/$PACKAGE_NAME/versions" \ + -H "Accept: application/vnd.github+json" \ + --jq ".[] | select(.metadata.container.tags[]? == \"$TAG_NAME\") | .id") + + if [ -z "$VERSION_ID" ]; then + echo "โš ๏ธ Tag $TAG_NAME not found (already deleted?)" + continue + fi + + echo "๐Ÿ—‘๏ธ Deleting Version ID: $VERSION_ID (Tag: $TAG_NAME)" + + # Delete based on ID: + gh api -X DELETE "/orgs/$OWNER/packages/container/$PACKAGE_NAME/versions/$VERSION_ID" \ + -H "Accept: application/vnd.github+json" || true done - - echo "โœจ All temporary images cleaned up!" + + echo "โœจ Cleanup finished!" From 7f605f09c717ef3ed3d2e60cf0449a14ef29b692 Mon Sep 17 00:00:00 2001 
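Review bot: `PACKAGE_NAME: authorization-proxy` in the `Delete Temporary Images using Skopeo` step is hard-coded while the build and merge jobs derive the image name from `github.repository`, so a fork or renamed repository would push staging images under one name and search for them under another, and the `|| true` together with the "not found" branch would hide that silently. Deriving it in the script, `PACKAGE_NAME=$(echo "${GITHUB_REPOSITORY#*/}" | tr '[:upper:]' '[:lower:]')`, keeps it in step with the lowercasing the other jobs apply. The `/orgs/$OWNER/...` path also resolves only when the owner is an organization, and the versions listing is fetched without `--paginate`, so a tag that has moved past the first page is reported as already deleted; `gh api --paginate` with the same `--jq` filter covers all pages. The step's `env:` block starts inside the hunk, but the `cleanup` job definition begins outside it.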
From: Jeongwoo Kim - jekim Date: Thu, 8 Jan 2026 10:40:21 +0900 Subject: [PATCH 33/34] comment Signed-off-by: Jeongwoo Kim - jekim --- .github/workflows/docker-build-publish.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index c868a3a..1fd4125 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -297,7 +297,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Delete Temporary Images using Skopeo + - name: Delete Temporary Images using GitHub API env: OWNER: ${{ github.repository_owner }} PACKAGE_NAME: authorization-proxy From f91de38b0fbb5b807ad5549d594d0505a00ee1b2 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Thu, 8 Jan 2026 10:49:11 +0900 Subject: [PATCH 34/34] feat Signed-off-by: Jeongwoo Kim - jekim --- .github/workflows/docker-build-publish.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 1fd4125..155942c 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -228,7 +228,7 @@ jobs: run: | docker run --rm ${{ env.GHCR_IMAGE_ID }}:${{ github.sha }}${{ matrix.suffix }} --version merge: - # if: github.event_name != 'pull_request' # We do not need to push pr images to official registry (Docker.io) + if: github.event_name != 'pull_request' # We do not need to push pr images to official registry (Docker.io) needs: - set_matrix - build # Make sure each build of every platform defined in matrix is completed