PocketMCP

name: Build and Release Docker Images on: push: tags: - 'v*.*.*' workflow_dispatch: inputs: tag: description: 'Tag to build and push' required: true default: 'latest' env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} jobs: build-and-push: runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write # For COSIGN signing steps: - name: Checkout repository uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: platforms: linux/amd64,linux/arm64 - name: Log in to Container Registry if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | # Tag with exact version (e.g., v1.2.3) type=ref,event=tag # Tag with major.minor (e.g., v1.2) type=semver,pattern={{major}}.{{minor}} # Tag with major (e.g., v1) type=semver,pattern={{major}} # Tag as latest for main releases type=raw,value=latest,enable={{is_default_branch}} # Tag with commit SHA for manual dispatch type=sha,prefix={{branch}}-,enable=${{ github.event_name == 'workflow_dispatch' }} labels: | org.opencontainers.image.title=PocketMCP org.opencontainers.image.description=Lightweight, local-first MCP server with semantic search org.opencontainers.image.vendor=${{ github.repository_owner }} org.opencontainers.image.licenses=MIT - name: Build and push Docker image id: build uses: docker/build-push-action@v5 with: context: . file: ./Dockerfile platforms: linux/amd64,linux/arm64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max sbom: true provenance: true - name: Install Cosign if: github.event_name != 'pull_request' && env.COSIGN_PRIVATE_KEY != '' uses: sigstore/cosign-installer@v3 env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - name: Sign container image if: github.event_name != 'pull_request' && env.COSIGN_PRIVATE_KEY != '' run: | cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - name: Create Release Summary if: github.event_name != 'pull_request' run: | echo "## 🚀 Docker Image Release" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "**Image:** \`${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}\`" >> $GITHUB_STEP_SUMMARY echo "**Digest:** \`${{ steps.build.outputs.digest }}\`" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "### 📦 Available Tags" >> $GITHUB_STEP_SUMMARY echo "\`\`\`" >> $GITHUB_STEP_SUMMARY echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY echo "\`\`\`" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "### 🏗️ Platforms" >> $GITHUB_STEP_SUMMARY echo "- linux/amd64" >> $GITHUB_STEP_SUMMARY echo "- linux/arm64" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "### 📋 Pull Command" >> $GITHUB_STEP_SUMMARY echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY echo "docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest" >> $GITHUB_STEP_SUMMARY echo "\`\`\`" >> $GITHUB_STEP_SUMMARY