pnpm/.github/workflows/docker.yml

name: Docker

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      version:
        description: "pnpm version to build (without leading v)"
        required: true
      prerelease:
        description: "Treat as prerelease (skips mutable tags)"
        type: boolean
        default: false

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write
    env:
      IMAGE: ghcr.io/${{ github.repository_owner }}/pnpm
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Resolve release metadata
        id: meta
        env:
          EVENT_NAME: ${{ github.event_name }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          RELEASE_PRERELEASE: ${{ github.event.release.prerelease }}
          INPUT_VERSION: ${{ inputs.version }}
          INPUT_PRERELEASE: ${{ inputs.prerelease }}
        run: |
          set -eu
          if [ "$EVENT_NAME" = "release" ]; then
            version="${RELEASE_TAG#v}"
            prerelease="$RELEASE_PRERELEASE"
          else
            version="${INPUT_VERSION#v}"
            prerelease="$INPUT_PRERELEASE"
          fi
          case "$version" in
            *[!0-9A-Za-z.+-]*) echo "invalid version: $version" >&2; exit 1 ;;
            [0-9]*.[0-9]*.[0-9]*) ;;
            *) echo "invalid version: $version" >&2; exit 1 ;;
          esac
          major="${version%%.*}"
          echo "version=$version" >> "$GITHUB_OUTPUT"
          echo "major=$major" >> "$GITHUB_OUTPUT"
          echo "prerelease=$prerelease" >> "$GITHUB_OUTPUT"

      - name: Compute image tags
        id: tags
        env:
          VERSION: ${{ steps.meta.outputs.version }}
          MAJOR: ${{ steps.meta.outputs.major }}
          PRERELEASE: ${{ steps.meta.outputs.prerelease }}
        run: |
          set -eu
          tags="${IMAGE}:${VERSION}"
          if [ "$PRERELEASE" != "true" ]; then
            tags="${tags},${IMAGE}:${MAJOR},${IMAGE}:latest"
          fi
          echo "tags=$tags" >> "$GITHUB_OUTPUT"

      - name: Compute pnpm tarball checksums
        id: checksums
        env:
          VERSION: ${{ steps.meta.outputs.version }}
        run: |
          set -eu
          base="https://github.com/pnpm/pnpm/releases/download/v${VERSION}"
          for pair in amd64:x64 arm64:arm64; do
            key="${pair%:*}"
            name="${pair#*:}"
            sha="$(curl -fsSL --retry 3 --retry-delay 2 "${base}/pnpm-linux-${name}.tar.gz" \
                   | sha256sum | awk '{print $1}')"
            echo "sha_${key}=${sha}" >> "$GITHUB_OUTPUT"
          done

      - name: Set up QEMU
        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0

      - name: Login to GHCR
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: ./docker
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.tags.outputs.tags }}
          build-args: |
            PNPM_VERSION=${{ steps.meta.outputs.version }}
            PNPM_SHA256_AMD64=${{ steps.checksums.outputs.sha_amd64 }}
            PNPM_SHA256_ARM64=${{ steps.checksums.outputs.sha_arm64 }}
          provenance: mode=max
          sbom: true