acdbb5bfbe
runc 1.2.0 (2024-09) introduced a procfs safety check (CVE-2024-21626) that depends on openat2 (kernel 5.6+) and fsmount/fscontext (kernel 5.2+). The DSM 7 series kernel is still 4.4.x, the syscalls do not exist, and runc fails outright with "unsafe procfs detected" when starting the build container. Pin buildkit v0.13.2, which ships runc 1.1.12, to sidestep the new check.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
58 lines
1.7 KiB
YAML
name: Build Docker Image

on:
  workflow_dispatch:
    inputs:
      branch:
        description: '要打包的分支'
        required: true
        default: 'custom'
      tag:
        description: '镜像 tag(留空则用 commit short hash)'
        required: false
        default: ''

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout target branch
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.branch }}
          fetch-depth: 0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          # Pin to v0.13.2 (ships runc 1.1.x) to avoid the runc 1.2+ procfs safety check,
          # which fails the build on the old DSM kernel (4.4.x) because openat2/fsmount do not exist
          driver-opts: |
            image=moby/buildkit:v0.13.2

      - name: Login to Gitea Container Registry
        uses: docker/login-action@v3
        with:
          registry: git.zhengchentao.win
          username: ${{ gitea.actor }}
          password: ${{ secrets.PACKAGES_TOKEN }}

      - name: Determine image tag
        id: meta
        # The dispatch input is handed to the script through an environment
        # variable so the shell treats it as data rather than as script text.
        env:
          INPUT_TAG: ${{ inputs.tag }}
        run: |
          if [ -n "$INPUT_TAG" ]; then
            IMAGE_TAG="$INPUT_TAG"
          else
            IMAGE_TAG="$(git rev-parse --short HEAD)"
          fi
          echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
          echo "==> Image tag: $IMAGE_TAG"

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: |
            git.zhengchentao.win/dev/ezbookkeeping:${{ steps.meta.outputs.image_tag }}
            git.zhengchentao.win/dev/ezbookkeeping:latest
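A preflight check for the runner host, added here as an example and not code from the ezbookkeeping repository: it parses a kernel release string and reports whether the buildkit pin from this commit is still needed, using the thresholds the commit message gives (openat2 needs Linux 5.6+, fsmount 5.2+, so 5.6 is the binding minimum); the function names are hypothetical.

```shell
# Added example, not part of the repository. Decides on the runner whether
# buildkit must stay pinned to an image that bundles runc 1.1.x, because
# runc 1.2+'s procfs check needs openat2 (Linux 5.6+) and fsmount (5.2+).

# kernel_ge VERSION MAJOR MINOR -> returns 0 if VERSION is at least MAJOR.MINOR
# Accepts release strings such as "4.4.302+" or "5.15.0-91-generic".
kernel_ge() {
  local ver="$1" want_major="$2" want_minor="$3" major minor
  major="${ver%%.*}"
  minor="${ver#*.}"; minor="${minor%%[!0-9]*}"
  if [ "$major" -gt "$want_major" ]; then return 0; fi
  if [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; then
    return 0
  fi
  return 1
}

# buildkit_pin_for_kernel VERSION -> prints the driver-opts line to add
# (empty when the default buildkit image is usable) and returns 1 when the
# pin is required, so callers can branch on either the output or the status.
buildkit_pin_for_kernel() {
  if kernel_ge "$1" 5 6; then
    echo ""
    return 0
  fi
  # On this kernel runc 1.2+ would abort with "unsafe procfs detected".
  echo "image=moby/buildkit:v0.13.2"
  return 1
}

# Usage on the runner host: buildkit_pin_for_kernel "$(uname -r)"
```

Because the pin also freezes the bundled runc at 1.1.12, later runc fixes are not picked up; the check above makes it easy to drop the pin once the DSM kernel is upgraded.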