mirror of
https://github.com/katanemo/plano.git
synced 2026-04-25 00:36:34 +02:00
1df43872a6
* Fix code scanning and dependabot security alerts Code scanning fixes (14 alerts): - Fix XSS in OG image route by validating request origin against allowlist - Fix incomplete URL sanitization in blog layout using exact hostname matching - Bind port-check socket to 127.0.0.1 instead of 0.0.0.0 - Add explicit permissions to 7 GitHub Actions workflows Dependabot fixes: - Update @isaacs/brace-expansion 5.0.0 -> 5.0.1 (CVE-2026-25547) - Update bytes 1.10.1 -> 1.11.1 (CVE-2026-25541) - Update time 0.3.41 -> 0.3.47 (CVE-2026-25727) - Update cryptography 45.0.7 -> 46.0.5 (CVE-2026-26007) - Update python-multipart 0.0.20 -> 0.0.22 (CVE-2026-24486) - Update urllib3 2.6.2 -> 2.6.3 in test lockfiles (CVE-2026-21441) - Update Werkzeug 3.1.4 -> 3.1.5 (CVE-2026-21860) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Address PR review feedback - Replace plano.katanemo.com with planoai.dev in allowed hosts - Add planoai.dev to OG route and blog layout allowlists - Revert socket bind to 0.0.0.0 (intentional for port-in-use check) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
98 lines
2.7 KiB
YAML
98 lines
2.7 KiB
YAML
name: Publish docker image (release)
|
|
|
|
env:
|
|
DOCKER_IMAGE: katanemo/plano
|
|
|
|
on:
|
|
release:
|
|
types: [published]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
# Build ARM64 image on native ARM64 runner
|
|
build-arm64:
|
|
runs-on: [linux-arm64]
|
|
steps:
|
|
- name: Checkout Repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Log in to Docker Hub
|
|
uses: docker/login-action@v3
|
|
with:
|
|
username: ${{ secrets.DOCKER_USERNAME }}
|
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
|
|
- name: Extract metadata (tags, labels) for Docker
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ env.DOCKER_IMAGE }}
|
|
tags: |
|
|
type=raw,value={{tag}}
|
|
|
|
- name: Build and Push ARM64 Image
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: ./Dockerfile
|
|
platforms: linux/arm64
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}-arm64
|
|
|
|
# Build AMD64 image on GitHub's AMD64 runner
|
|
build-amd64:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout Repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Log in to Docker Hub
|
|
uses: docker/login-action@v3
|
|
with:
|
|
username: ${{ secrets.DOCKER_USERNAME }}
|
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
|
|
- name: Extract metadata (tags, labels) for Docker
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ env.DOCKER_IMAGE }}
|
|
tags: |
|
|
type=raw,value={{tag}}
|
|
|
|
- name: Build and Push AMD64 Image
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: ./Dockerfile
|
|
platforms: linux/amd64
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}-amd64
|
|
|
|
# Combine ARM64 and AMD64 images into a multi-arch manifest
|
|
create-manifest:
|
|
runs-on: ubuntu-latest
|
|
needs: [build-arm64, build-amd64] # Wait for both builds
|
|
steps:
|
|
- name: Log in to Docker Hub
|
|
uses: docker/login-action@v3
|
|
with:
|
|
username: ${{ secrets.DOCKER_USERNAME }}
|
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
|
|
- name: Extract metadata (tags, labels) for Docker
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ env.DOCKER_IMAGE }}
|
|
tags: |
|
|
type=raw,value={{tag}}
|
|
|
|
- name: Create Multi-Arch Manifest
|
|
run: |
|
|
# Combine the architecture-specific images into a single manifest
|
|
docker buildx imagetools create -t ${{ steps.meta.outputs.tags }} \
|
|
${{ steps.meta.outputs.tags }}-arm64 \
|
|
${{ steps.meta.outputs.tags }}-amd64
|