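name: Docker Build & Push

# Runs on pushes to main, when a release is created, and when another
# workflow calls this one with an explicit tag name.
on:
  push:
    branches: [main]
  release:
    types: [created]
  workflow_call:
    inputs:
      # Supplied by the calling workflow; the job treats a non-empty value as
      # "this is a release build" and uses it as both the checkout ref and the
      # image version.
      tag_name:
        description: 'Release tag name (e.g., v0.7.0)'
        required: true
        type: string

# Workflow-wide default for GITHUB_TOKEN: read-only repository contents.
# A job that needs anything broader has to declare it in its own block.
permissions:
  contents: read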
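jobs:
  # Builds the multi-arch image and pushes it to quay.io/crowdstrike/falcon-mcp.
  docker-build-push:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    # NOTE(review): presumably the QUAY_* secrets are scoped to this
    # environment; confirm, and confirm its protection rules match the
    # sensitivity of registry push credentials.
    environment: quay
    permissions:
      contents: read
      # NOTE(review): every push in this job goes to quay.io using the QUAY_*
      # secrets; no visible step uses GITHUB_TOKEN to write packages. Confirm
      # and drop this scope if it is unused (least privilege).
      packages: write
    steps:
      # Third-party actions below are pinned to full commit SHAs so a moved
      # tag cannot change what runs with registry credentials in scope.
      # NOTE(review): record the release each SHA corresponds to next to the
      # pin so updates stay auditable.
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          ref: ${{ inputs.tag_name || github.ref }}
          # No later step talks to the repository, so do not leave the token
          # in the local git config while the build context is processed.
          persist-credentials: false

      - name: Determine build context
        id: context
        # The tag name comes from a caller or from a git ref, so it is
        # attacker-influenced text. It is handed to the script through env
        # vars instead of being expanded with ${{ }} inside the script body,
        # which would let shell metacharacters in the value be parsed as code.
        env:
          TAG_NAME: ${{ inputs.tag_name }}
          EVENT_NAME: ${{ github.event_name }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ -n "$TAG_NAME" ]; then
            echo "is_release=true" >> "$GITHUB_OUTPUT"
            echo "version=$TAG_NAME" >> "$GITHUB_OUTPUT"
          elif [ "$EVENT_NAME" = "release" ]; then
            echo "is_release=true" >> "$GITHUB_OUTPUT"
            echo "version=$REF_NAME" >> "$GITHUB_OUTPUT"
          else
            echo "is_release=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435

      - name: Log in to Quay.io
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f
        with:
          images: quay.io/crowdstrike/falcon-mcp
          # Non-release builds publish only "latest"; release builds publish
          # only the semver tag derived from the resolved version.
          tags: |
            type=raw,value=latest,enable=${{ steps.context.outputs.is_release != 'true' }}
            type=semver,pattern={{version}},enable=${{ steps.context.outputs.is_release == 'true' }},value=${{ steps.context.outputs.version }}
          flavor: |
            latest=${{ steps.context.outputs.is_release != 'true' }}
          labels: |
            org.opencontainers.image.title=Falcon MCP Server
            org.opencontainers.image.description=Model Context Protocol server for CrowdStrike Falcon
            org.opencontainers.image.vendor=CrowdStrike
            org.opencontainers.image.licenses=MIT
            org.opencontainers.image.source=https://github.com/CrowdStrike/falcon-mcp
            org.opencontainers.image.documentation=https://github.com/CrowdStrike/falcon-mcp/blob/main/README.md

      - name: Build and push Docker image
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Generate image summary
        # Step outputs derived from the tag name are passed as env vars for
        # the same reason as in "Determine build context": the script body
        # stays constant and the values are only ever read as data.
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          IS_RELEASE: ${{ steps.context.outputs.is_release }}
        run: |
          # The first generated tag is the one shown in the pull command;
          # strip everything up to the last colon to get the bare tag.
          FULL_TAG=$(echo "$TAGS" | head -n1)
          TAG_ONLY=$(echo "$FULL_TAG" | sed 's/.*://')
          if [ "$IS_RELEASE" = "true" ]; then
            EVENT_TYPE="Release"
          else
            EVENT_TYPE="Main Branch Push"
          fi
          {
            echo "## 🐳 Docker Image Published"
            echo ""
            echo "**Event:** $EVENT_TYPE"
            echo "**Registry:** quay.io/crowdstrike/falcon-mcp"
            echo "**Tags:**"
            echo '```'
            echo "$TAGS"
            echo '```'
            echo ""
            echo "**Platforms:** linux/amd64, linux/arm64"
            echo ""
            echo "**Pull Command:**"
            echo '```bash'
            echo "docker pull quay.io/crowdstrike/falcon-mcp:$TAG_ONLY"
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"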