ci: optimize Docker build process and enable SBOM generation

- Refactor the `build-args` in all Dockerfiles to include `VERSION` and `RELEASE` - Implement caching to a registry instead of Github action to avoid the capacity limit - Enable the generation of Software Bills of Materials (SBOM) and provenance information during the docker build process Signed-off-by: 陳鈞 <[email protected]>
jim60105 · May 5, 2024 · cc0dcf7 · cc0dcf7
1 parent 3517c13
commit cc0dcf7
Showing 1 changed file with 24 additions and 3 deletions.
diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
@@ -41,8 +41,15 @@ jobs:
           target: final
           tags: ${{ steps.setup.outputs.tags }}
           labels: ${{ steps.setup.outputs.labels }}
-          build-args: BUILD_VERSION=${{ github.head_ref || github.ref_name }}
+          build-args: |
+            VERSION=${{ github.head_ref || github.ref_name }}
+            RELEASE=${{ github.run_number }}
           platforms: linux/amd64,linux/arm64
+          # Cache to regietry instead of gha to avoid the capacity limit.
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/yt-dlp:cache
+          cache-to: type=registry,ref=ghcr.io/${{ github.repository_owner }}/yt-dlp:cache,mode=max
+          sbom: true
+          provenance: true
 
   docker-ubi:
     runs-on: ubuntu-latest
@@ -72,8 +79,15 @@ jobs:
           target: final
           tags: ${{ steps.setup.outputs.tags }}
           labels: ${{ steps.setup.outputs.labels }}
-          build-args: BUILD_VERSION=${{ github.head_ref || github.ref_name }}
+          build-args: |
+            VERSION=${{ github.head_ref || github.ref_name }}
+            RELEASE=${{ github.run_number }}
           platforms: linux/amd64,linux/arm64
+          # Cache to regietry instead of gha to avoid the capacity limit.
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/yt-dlp:cache
+          cache-to: type=registry,ref=ghcr.io/${{ github.repository_owner }}/yt-dlp:cache,mode=max
+          sbom: true
+          provenance: true
 
   docker-distroless:
     runs-on: ubuntu-latest
@@ -103,5 +117,12 @@ jobs:
           target: final
           tags: ${{ steps.setup.outputs.tags }}
           labels: ${{ steps.setup.outputs.labels }}
-          build-args: BUILD_VERSION=${{ github.head_ref || github.ref_name }}
+          build-args: |
+            VERSION=${{ github.head_ref || github.ref_name }}
+            RELEASE=${{ github.run_number }}
           platforms: linux/amd64,linux/arm64
+          # Cache to regietry instead of gha to avoid the capacity limit.
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/yt-dlp:cache
+          cache-to: type=registry,ref=ghcr.io/${{ github.repository_owner }}/yt-dlp:cache,mode=max
+          sbom: true
+          provenance: true