base/.gitea/workflows/build-publish.yml

name: build-publish
on:
  push:
    branches: ["main"]
    tags: ["*"]
  pull_request:

# Envrionment required: REG
# Secrets required: REGISTRY_USER, REGISTRY_PASSWORD

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Load .env
        run: |
          set -a
          source .env
          set +a
          echo "REG=$REG" >> $GITHUB_ENV
          echo "NS=$NS" >> $GITHUB_ENV
          echo "IMG=$IMG" >> $GITHUB_ENV          

      - name: Compute repo and tag
        id: meta
        shell: bash
        run: |
          REPO="${REG}/${NS}/${IMG}"
          if [[ "${{ github.ref_type }}" == "tag" ]]; then
            TAG="${{ github.ref_name }}"
          else
            BR="${{ github.ref_name }}"
            SHA="$(git rev-parse --short HEAD)"
            TAG="${BR}-${SHA}"
          fi
          echo "repo=${REPO}" >> "$GITHUB_OUTPUT"
          echo "tag=${TAG}"  >> "$GITHUB_OUTPUT"
          echo "build_date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"          

      # Explicitly tell BuildKit the registry is HTTP/insecure
      - name: Write BuildKit config
        run: |
          cat > buildkitd.toml <<EOF
          [registry."${REG}"]
            http = true
            insecure = true
          EOF
          echo "BUILDKIT_CONFIG=$PWD/buildkitd.toml" >> "$GITHUB_ENV"          

      # qemu is only required for multi-arch builds
      #- uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
        with:
          driver-opts: |
            image=moby/buildkit:latest
            network=host            
          config: ${{ env.BUILDKIT_CONFIG }}

      - name: Log in
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REG }}
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Build & Push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.repo }}:${{ steps.meta.outputs.tag }}
          labels: |
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.created=${{ steps.meta.outputs.build_date }}            
          build-args: |
            VERSION=${{ steps.meta.outputs.tag }}
            VCS_REF=${{ github.sha }}
            BUILD_DATE=${{ steps.meta.outputs.build_date }}            
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Also tag :latest (main only)
        if: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' }}
        run: |
          docker build -t "${{ steps.meta.outputs.repo }}:latest" .
          docker push "${{ steps.meta.outputs.repo }}:latest"