Add Docker build/publish action

[Freddo3000]

Simply the docker-publish workflow taken directly from the github actions marketplace. Makes images available via ghcr.io, such as https://github.com/Freddo3000/panel/pkgs/container/panel

One might want to refine it in the future, but it is good enough to start with.

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[Freddo3000]

I have read the CLA Document and I hereby sign the CLA

[Freddo3000]

Unrelated but could this project participate in Hacktoberfest?

[gOOvER]

Why you use not latest versions from:

• sigstore/cosign-installer
• docker/setup-buildx-action (very old version 3.0.0. lastet here would be 3.6.1)
• docker/login-action
• docker/metadata-action
• docker/build-push-action

[Freddo3000]

Why you use not latest versions from:

* sigstore/cosign-installer

* docker/setup-buildx-action (very old version 3.0.0. lastet here would be 3.6.1)

* docker/login-action

* docker/metadata-action

* docker/build-push-action

I simply used the "Publish Docker Container" workflow template with no modifications. Something more or less confirmed to just work. As mentioned, it might need to be refined to support release tagging and whatnot, but this will at least be a start to publish dev builds automatically.

[RMartinOscar]

Suggested change

	# This workflow uses actions that are not certified by GitHub.
	# They are provided by a third-party and are governed by
	# separate terms of service, privacy policy, and support
	# documentation.
	on:
	schedule:
	- cron: '33 5 * * *'
	push:
	branches: [ "main" ]
	# Publish semver tags as releases.
	tags: [ 'v*.*.*' ]
	pull_request:
	branches: [ "main" ]
	env:
	# Use docker.io for Docker Hub if empty
	REGISTRY: ghcr.io
	# github.repository as <account>/<repo>
	IMAGE_NAME: ${{ github.repository }}
	jobs:
	build:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: write
	# This is used to complete the identity challenge
	# with sigstore/fulcio when running outside of PRs.
	id-token: write
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	# Install the cosign tool except on PR
	# https://github.com/sigstore/cosign-installer
	- name: Install cosign
	if: github.event_name != 'pull_request'
	uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
	with:
	cosign-release: 'v2.2.4'
	# Set up BuildKit Docker container builder to be able to build
	# multi-platform images and export cache
	# https://github.com/docker/setup-buildx-action
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
	# Login against a Docker registry except on PR
	# https://github.com/docker/login-action
	- name: Log into registry ${{ env.REGISTRY }}
	if: github.event_name != 'pull_request'
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	# Extract metadata (tags, labels) for Docker
	# https://github.com/docker/metadata-action
	- name: Extract Docker metadata
	id: meta
	uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
	# Build and push Docker image with Buildx (don't push on PR)
	# https://github.com/docker/build-push-action
	- name: Build and push Docker image
	id: build-and-push
	uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
	with:
	context: .
	push: ${{ github.event_name != 'pull_request' }}
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha
	cache-to: type=gha,mode=max
	# Sign the resulting Docker image digest except on PRs.
	# This will only write to the public Rekor transparency log when the Docker
	# repository is public to avoid leaking data. If you would like to publish
	# transparency data even for private images, pass --force to cosign below.
	# https://github.com/sigstore/cosign
	- name: Sign the published Docker image
	if: ${{ github.event_name != 'pull_request' }}
	env:
	# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
	TAGS: ${{ steps.meta.outputs.tags }}
	DIGEST: ${{ steps.build-and-push.outputs.digest }}
	# This step uses the identity token to provision an ephemeral certificate
	# against the sigstore community Fulcio instance.
	run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
	on:
	push:
	branches:
	- main
	release:
	types:
	- published
	jobs:
	build-and-push:
	name: Build and Push
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: write
	# Always run against a tag, even if the commit into the tag has [docker skip] within the commit message.
	if: "!contains(github.ref, 'main') || (!contains(github.event.head_commit.message, 'skip docker') && !contains(github.event.head_commit.message, 'docker skip'))"
	steps:
	- name: Code checkout
	uses: actions/checkout@v4
	- name: Docker metadata
	id: docker_meta
	uses: docker/metadata-action@v5
	with:
	images: ghcr.io/pelican-dev/panel
	flavor: |
	latest=false
	tags: |
	type=raw,value=latest,enable=${{ github.event_name == 'release' && github.event.action == 'published' && github.event.release.prerelease == false }}
	type=ref,event=tag
	type=ref,event=branch
	- name: Setup QEMU
	uses: docker/setup-qemu-action@v3
	- name: Setup Docker buildx
	uses: docker/setup-buildx-action@v3
	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Get Build Information
	id: build_info
	run: |
	echo "version_tag=${GITHUB_REF/refs\/tags\/v/}" >> $GITHUB_OUTPUT
	echo "short_sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
	- name: Build and Push (tag)
	uses: docker/build-push-action@v5
	if: "github.event_name == 'release' && github.event.action == 'published'"
	with:
	context: .
	file: ./Dockerfile
	push: true
	platforms: linux/amd64,linux/arm64
	build-args: |
	VERSION=${{ steps.build_info.outputs.version_tag }}
	labels: ${{ steps.docker_meta.outputs.labels }}
	tags: ${{ steps.docker_meta.outputs.tags }}
	- name: Build and Push (main)
	uses: docker/build-push-action@v5
	if: "github.event_name == 'push' && contains(github.ref, 'main')"
	with:
	context: .
	file: ./Dockerfile
	push: ${{ github.event_name != 'pull_request' }}
	platforms: linux/amd64,linux/arm64
	build-args: |
	VERSION=dev-${{ steps.build_info.outputs.short_sha }}
	labels: ${{ steps.docker_meta.outputs.labels }}
	tags: ${{ steps.docker_meta.outputs.tags }}
	cache-from: type=gha
	cache-to: type=gha,mode=max

[Freddo3000]

Feel free to commit changes

[RMartinOscar]

I feel like we should handle that like the Wings workflow

Also changed the cron to rebuild every week instead of every day at 05:33am since the php:8.3-fpm-alpine gets updated weekly

What do you think @parkervcp ?

[lancepioch]

Can you explain why there's a cron schedule for this?

[RMartinOscar]

For it to rebuild weekly so it stays up to date with the php:8.3-fpm-alpine docker image.
We don't have to do this for wings as it runs on distroless.

[lancepioch]

I'd rather it only build when we publish a tag/release instead.

[RMartinOscar]

Updated my review to not include cron