# QA-MCP Release Pipeline
# Builds and publishes multi-arch Docker images to Docker Hub
# Triggered on version tags (v*.*.*)
name: Release
on:
push:
tags:
- 'v*.*.*'
env:
REGISTRY: docker.io
IMAGE_NAME: atakanemre/qa-mcp
jobs:
# ==========================================================================
# Build and Push Multi-Arch Docker Image
# ==========================================================================
docker-publish:
name: Build & Push Docker Image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # For SBOM signing
steps:
- uses: actions/checkout@v4
- name: Set up QEMU (for multi-arch)
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
# Semantic versioning tags
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
# Latest tag for newest release
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push multi-arch image
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
# SBOM and provenance for supply chain security
sbom: true
provenance: mode=max
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
format: spdx-json
output-file: sbom.spdx.json
- name: Upload SBOM artifact
uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.spdx.json
# ==========================================================================
# Create GitHub Release
# ==========================================================================
github-release:
name: Create GitHub Release
needs: docker-publish
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- name: Download SBOM
uses: actions/download-artifact@v4
with:
name: sbom
- name: Extract version from tag
id: version
run: echo "VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
- name: Create Release
uses: softprops/action-gh-release@v1
with:
name: QA-MCP v${{ steps.version.outputs.VERSION }}
body: |
## QA-MCP v${{ steps.version.outputs.VERSION }}
### Docker Image
```bash
docker pull qamcp/qa-mcp:${{ steps.version.outputs.VERSION }}
```
### Multi-arch Support
- `linux/amd64` (Intel/AMD)
- `linux/arm64` (Apple Silicon, ARM servers)
### Changelog
See [CHANGELOG.md](CHANGELOG.md) for details.
### Supply Chain Security
- SBOM included (SPDX format)
- Provenance attestation enabled
files: |
sbom.spdx.json
generate_release_notes: true
# ==========================================================================
# Publish to PyPI (optional)
# ==========================================================================
pypi-publish:
name: Publish to PyPI
needs: docker-publish
runs-on: ubuntu-latest
permissions:
id-token: write # For trusted publishing
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install build tools
run: |
python -m pip install --upgrade pip
pip install build twine
- name: Build package
run: python -m build
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
skip-existing: true
